trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

427
Vagrant/resources/malcolm/kibana/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json Normal file
View File

@@ -0,0 +1,427 @@
{
"version": "7.10.0",
"objects": [
{
"id": "024062a6-48d6-498f-a91a-3bf2da3a3cd3",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:41:03.195Z",
"version": "WzM1MzQsMV0=",
"attributes": {
"title": "X.509",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":17,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":46,\"w\":48,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":25,\"y\":8,\"w\":23,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":28,\"w\":28,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":20,\"h\":18,\"i\":\"aa7075cb-f9ef-4453-8c5f-90eccc6883c7\"},\"panelIndex\":\"aa7075cb-f9ef-4453-8c5f-90eccc6883c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":82,\"w\":48,\"h\":39,\"i\":\"2a9de8ad-b593-4bf3-9fc4-703580b95500\"},\"panelIndex\":\"2a9de8ad-b593-4bf3-9fc4-703580b95500\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "0ce14883-eb54-4b30-aba0-b8b13021da11"
},
{
"name": "panel_2",
"type": "visualization",
"id": "23d08a2e-2fa2-42df-bf75-dc5f3e5a79e7"
},
{
"name": "panel_3",
"type": "visualization",
"id": "d608f7dd-efea-49c4-b61d-a09d2a29148c"
},
{
"name": "panel_4",
"type": "visualization",
"id": "fabba18b-a1ed-4a90-a27c-bdcfed98eae1"
},
{
"name": "panel_5",
"type": "visualization",
"id": "193088ad-5112-435f-9e9f-ec9127ff8665"
},
{
"name": "panel_6",
"type": "visualization",
"id": "34d702ec-63e9-475d-ab0a-07d97ed4bd66"
},
{
"name": "panel_7",
"type": "visualization",
"id": "AWDHGklsxQT5EBNmq4wG"
},
{
"name": "panel_8",
"type": "visualization",
"id": "fa696510-4e9b-11ea-b504-97aa449f6abc"
},
{
"name": "panel_9",
"type": "search",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0ce14883-eb54-4b30-aba0-b8b13021da11",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzUwLDFd",
"attributes": {
"visState": "{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "X.509 - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "23d08a2e-2fa2-42df-bf75-dc5f3e5a79e7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzUxLDFd",
"attributes": {
"title": "X.509 - Certificate Signing Algorithm",
"visState": "{\"title\":\"X.509 - Certificate Signing Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithm\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_x509.certificate_sig_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d608f7dd-efea-49c4-b61d-a09d2a29148c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzUyLDFd",
"attributes": {
"visState": "{\"title\":\"X.509 - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}",
"description": "",
"title": "X.509 - Certificate Subject",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fabba18b-a1ed-4a90-a27c-bdcfed98eae1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzUzLDFd",
"attributes": {
"visState": "{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_x509.certificate_issuer_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}",
"description": "",
"title": "X.509 - Certificate Issuer",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "193088ad-5112-435f-9e9f-ec9127ff8665",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:39:38.720Z",
"version": "WzM1MTYsMV0=",
"attributes": {
"title": "X.509 - Certificate Key Length",
"visState": "{\"title\":\"X.509 - Certificate Key Length\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.certificate_key_length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Length\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "34d702ec-63e9-475d-ab0a-07d97ed4bd66",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:38:51.067Z",
"version": "WzM0ODcsMV0=",
"attributes": {
"title": "X.509 - Certificate Key Algorithm",
"visState": "{\"title\":\"X.509 - Certificate Key Algorithm\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_x509.certificate_key_alg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":7,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithm\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHGklsxQT5EBNmq4wG",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzU2LDFd",
"attributes": {
"title": "X.509 - Log Count",
"visState": "{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fa696510-4e9b-11ea-b504-97aa449f6abc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1MywxXQ==",
"attributes": {
"title": "SSL - Relevant Notices",
"visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "858102a3-eec0-4ab3-82bb-a791e4eb364b",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:05.496Z",
"version": "WzU4LDFd",
"attributes": {
"title": "X.509 - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_x509.certificate_issuer.CN",
"zeek_x509.certificate_subject.CN",
"zeek_x509.certificate_sig_alg",
"zeek_x509.certificate_version",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:x509\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0OCwxXQ==",
"attributes": {
"title": "Notices - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_notice.category",
"zeek_notice.sub_category",
"zeek_notice.msg",
"srcIp",
"dstIp",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

479
Vagrant/resources/malcolm/kibana/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json Normal file
View File

@@ -0,0 +1,479 @@
{
"version": "7.10.2",
"objects": [
{
"id": "05e3e000-f118-11e9-acda-83a8e29e1a24",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:57:03.753Z",
"version": "WzE1OTcsMV0=",
"attributes": {
"title": "LDAP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":17,\"y\":0,\"w\":31,\"h\":11,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":11,\"w\":9,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":17,\"y\":11,\"w\":11,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":9,\"h\":11,\"i\":\"4bede953-91ec-4c99-9f5d-3716dae2420b\"},\"panelIndex\":\"4bede953-91ec-4c99-9f5d-3716dae2420b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":28,\"y\":11,\"w\":20,\"h\":19,\"i\":\"85041475-96a1-466e-88fa-44838f41ba39\"},\"panelIndex\":\"85041475-96a1-466e-88fa-44838f41ba39\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":30,\"w\":22,\"h\":19,\"i\":\"8e705c39-f331-4823-a103-51ab06637c62\"},\"panelIndex\":\"8e705c39-f331-4823-a103-51ab06637c62\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":35,\"y\":30,\"w\":13,\"h\":19,\"i\":\"06dfdd5d-7e6c-4733-8533-beef02105563\"},\"panelIndex\":\"06dfdd5d-7e6c-4733-8533-beef02105563\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":22,\"y\":30,\"w\":13,\"h\":19,\"i\":\"36118ee0-160e-49d0-aa2b-410c86021334\"},\"panelIndex\":\"36118ee0-160e-49d0-aa2b-410c86021334\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":22,\"i\":\"146f4860-c9a9-4fa0-a191-accdfd42d318\"},\"panelIndex\":\"146f4860-c9a9-4fa0-a191-accdfd42d318\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "4aa4bc50-f118-11e9-acda-83a8e29e1a24"
},
{
"name": "panel_2",
"type": "search",
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24"
},
{
"name": "panel_3",
"type": "visualization",
"id": "77ebc500-f118-11e9-acda-83a8e29e1a24"
},
{
"name": "panel_4",
"type": "visualization",
"id": "99ed84e0-f118-11e9-acda-83a8e29e1a24"
},
{
"name": "panel_5",
"type": "visualization",
"id": "5eeb21f0-b25e-11eb-9773-17c6ff2f810d"
},
{
"name": "panel_6",
"type": "visualization",
"id": "86b3d580-b25c-11eb-9773-17c6ff2f810d"
},
{
"name": "panel_7",
"type": "visualization",
"id": "e3b5c5b0-b25f-11eb-9773-17c6ff2f810d"
},
{
"name": "panel_8",
"type": "visualization",
"id": "69d17750-b25d-11eb-9773-17c6ff2f810d"
},
{
"name": "panel_9",
"type": "visualization",
"id": "ef741670-b25c-11eb-9773-17c6ff2f810d"
},
{
"name": "panel_10",
"type": "search",
"id": "039e7090-b213-11eb-91fe-f17fad8dde73"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:25:05.903Z",
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4aa4bc50-f118-11e9-acda-83a8e29e1a24",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:04.271Z",
"version": "WzIwMCwxXQ==",
"attributes": {
"title": "LDAP - Log Count Over Time",
"visState": "{\"title\":\"LDAP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:04.271Z",
"version": "WzIwMSwxXQ==",
"attributes": {
"title": "LDAP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_ldap.version",
"zeek_ldap.message_id",
"zeek.action",
"zeek_ldap.object",
"zeek_ldap.argument",
"zeek.result",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "77ebc500-f118-11e9-acda-83a8e29e1a24",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:04.271Z",
"version": "WzIwMiwxXQ==",
"attributes": {
"title": "LDAP - Source IP",
"visState": "{\"title\":\"LDAP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "99ed84e0-f118-11e9-acda-83a8e29e1a24",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:18:36.574Z",
"version": "WzExNDEsMV0=",
"attributes": {
"title": "LDAP - Destination IP",
"visState": "{\"title\":\"LDAP - Destination IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5eeb21f0-b25e-11eb-9773-17c6ff2f810d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:39:55.407Z",
"version": "WzE0MTcsMV0=",
"attributes": {
"title": "LDAP - Log Count",
"visState": "{\"title\":\"LDAP - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "86b3d580-b25c-11eb-9773-17c6ff2f810d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:53:39.683Z",
"version": "WzE1MzgsMV0=",
"attributes": {
"title": "LDAP - Bind",
"visState": "{\"title\":\"LDAP - Bind\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Version\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ldap.object\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Object/Mechanism\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:bind*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8dd8d390-f117-11e9-acda-83a8e29e1a24"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e3b5c5b0-b25f-11eb-9773-17c6ff2f810d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:56:19.541Z",
"version": "WzE1NzcsMV0=",
"attributes": {
"title": "LDAP - Search Scope",
"visState": "{\"title\":\"LDAP - Search Scope\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Searches\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ldap_search.scope\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Search Scope\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"zeek_ldap_search.result_count\",\"customLabel\":\"Entries Returned\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Searches\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true},{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"id\":\"3\",\"label\":\"Entries Returned\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "039e7090-b213-11eb-91fe-f17fad8dde73"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "69d17750-b25d-11eb-9773-17c6ff2f810d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:33:04.197Z",
"version": "WzEzMzUsMV0=",
"attributes": {
"title": "LDAP - Result Code",
"visState": "{\"title\":\"LDAP - Result Code\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result Code\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ef741670-b25c-11eb-9773-17c6ff2f810d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T13:29:38.903Z",
"version": "WzEyOTksMV0=",
"attributes": {
"title": "LDAP - Operation",
"visState": "{\"title\":\"LDAP - Operation\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":199,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ldap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "039e7090-b213-11eb-91fe-f17fad8dde73",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:04.271Z",
"version": "WzIwNiwxXQ==",
"attributes": {
"title": "LDAP Search - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_ldap_search.message_id",
"zeek.action",
"zeek_ldap_search.base_object",
"zeek_ldap_search.result_count",
"zeek.result",
"zeek.uid"
],
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"ldap_search\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:55.802Z",
"version": "Wzc5NCwxXQ==",
"attributes": {
"title": "All Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.service",
"zeek.action",
"zeek.result",
"srcIp",
"dstIp",
"dstPort",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

386
Vagrant/resources/malcolm/kibana/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json Normal file
View File

@@ -0,0 +1,386 @@
{
"version": "7.10.0",
"objects": [
{
"id": "078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:29:57.350Z",
"version": "WzE5MDYsMV0=",
"attributes": {
"title": "FTP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":9,\"y\":27},\"panelIndex\":\"6\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":23,\"x\":8,\"y\":8},\"panelIndex\":\"8\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9\",\"w\":17,\"x\":31,\"y\":8},\"panelIndex\":\"9\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":11,\"x\":23,\"y\":27},\"panelIndex\":\"10\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"11\",\"w\":14,\"x\":34,\"y\":27},\"panelIndex\":\"11\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"12\",\"w\":9,\"x\":0,\"y\":27},\"panelIndex\":\"12\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"15\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"15\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":37,\"i\":\"8a83e818-c814-4c25-8740-932d60d2457d\",\"w\":48,\"x\":0,\"y\":45},\"panelIndex\":\"8a83e818-c814-4c25-8740-932d60d2457d\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "baba321a-1dff-4c11-a8e3-27a473aa89c2"
},
{
"name": "panel_2",
"type": "visualization",
"id": "f62bf46a-59d2-4e7d-9916-a93b09ffb198"
},
{
"name": "panel_3",
"type": "visualization",
"id": "0c8976ab-d720-43b0-ba40-c5f1abdc86aa"
},
{
"name": "panel_4",
"type": "visualization",
"id": "d77cf99c-45b3-4d2f-b348-dc08331ea6c1"
},
{
"name": "panel_5",
"type": "visualization",
"id": "2c30d743-052f-44bb-847c-dede4126a71d"
},
{
"name": "panel_6",
"type": "visualization",
"id": "cf6a7cf7-0105-42d4-9e0c-c732361a7de9"
},
{
"name": "panel_7",
"type": "visualization",
"id": "9fe8ac77-cf19-473d-81cd-5fde544abed6"
},
{
"name": "panel_8",
"type": "visualization",
"id": "AWDG9sT_xQT5EBNmq4DI"
},
{
"name": "panel_9",
"type": "search",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "baba321a-1dff-4c11-a8e3-27a473aa89c2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "WzgyLDFd",
"attributes": {
"visState": "{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "FTP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f62bf46a-59d2-4e7d-9916-a93b09ffb198",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "WzgzLDFd",
"attributes": {
"visState": "{\"title\":\"FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.arg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}",
"description": "",
"title": "FTP - Argument",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0c8976ab-d720-43b0-ba40-c5f1abdc86aa",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "Wzg0LDFd",
"attributes": {
"title": "FTP - Commands and Replies",
"visState": "{\"title\":\"FTP - Commands and Replies\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.action: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_ftp.reply_code: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.result: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.reply_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply Code\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ftp.reply_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Reply\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply Message\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d77cf99c-45b3-4d2f-b348-dc08331ea6c1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:29:36.485Z",
"version": "WzE4ODksMV0=",
"attributes": {
"title": "FTP - Reply",
"visState": "{\"title\":\"FTP - Reply\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Reply\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2c30d743-052f-44bb-847c-dede4126a71d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "Wzg2LDFd",
"attributes": {
"title": "FTP - Source",
"visState": "{\"title\":\"FTP - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cf6a7cf7-0105-42d4-9e0c-c732361a7de9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "Wzg3LDFd",
"attributes": {
"title": "FTP - Destination",
"visState": "{\"title\":\"FTP - Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.resp_p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_h\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_p\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9fe8ac77-cf19-473d-81cd-5fde544abed6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "Wzg4LDFd",
"attributes": {
"visState": "{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}",
"description": "",
"title": "FTP - Username",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG9sT_xQT5EBNmq4DI",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "Wzg5LDFd",
"attributes": {
"title": "FTP - Log Count",
"visState": "{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "16375cb7-a30d-466c-a936-f0a3651f9adb",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:07.693Z",
"version": "WzkwLDFd",
"attributes": {
"title": "FTP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_ftp.command",
"zeek_ftp.reply_msg",
"zeek.uid",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ftp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

392
Vagrant/resources/malcolm/kibana/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json Normal file
View File

@@ -0,0 +1,392 @@
{
"version": "7.10.0",
"objects": [
{
"id": "0a490422-0ce9-44bf-9a2d-19329ddde8c3",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "WzkxLDFd",
"attributes": {
"title": "PE",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":29,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":11,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":11,\"w\":15,\"h\":18,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":11,\"w\":14,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":29,\"w\":21,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":37,\"y\":11,\"w\":11,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":11,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":29,\"w\":27,\"h\":18,\"i\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\"},\"panelIndex\":\"9a0a2350-214f-4b64-a6af-9bd8ae70f885\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":23,\"i\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\"},\"panelIndex\":\"94f39bcf-aa80-4122-8ef7-62f594e536fb\",\"embeddableConfig\":{\"title\":\"Executable Capabilities\"},\"title\":\"Executable Capabilities\",\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":39,\"i\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\"},\"panelIndex\":\"7a770e13-2143-46e8-8e54-ae3cf477c4c4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a44daac6-37e2-4fef-8b78-32232c4f32e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "6b1bf8b4-399b-4ef2-baeb-7f9b1740b657"
},
{
"name": "panel_3",
"type": "visualization",
"id": "59b3dd10-2de5-40d2-88ea-caf2bd3da549"
},
{
"name": "panel_4",
"type": "visualization",
"id": "7c810b56-5297-4aed-abac-cff41dfa5c77"
},
{
"name": "panel_5",
"type": "visualization",
"id": "0b774699-b798-40ae-ae92-2ac2a619eeb9"
},
{
"name": "panel_6",
"type": "visualization",
"id": "AWDHCUeZxQT5EBNmq4Xy"
},
{
"name": "panel_7",
"type": "visualization",
"id": "2d547c90-665f-11eb-b873-19a6007d75dd"
},
{
"name": "panel_8",
"type": "search",
"id": "8555e510-665e-11eb-b873-19a6007d75dd"
},
{
"name": "panel_9",
"type": "search",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a44daac6-37e2-4fef-8b78-32232c4f32e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "WzkzLDFd",
"attributes": {
"visState": "{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "PE - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6b1bf8b4-399b-4ef2-baeb-7f9b1740b657",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk0LDFd",
"attributes": {
"title": "PE - OS",
"visState": "{\"title\":\"PE - OS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_pe.os: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.os\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "59b3dd10-2de5-40d2-88ea-caf2bd3da549",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk1LDFd",
"attributes": {
"title": "PE - Subsystem",
"visState": "{\"title\":\"PE - Subsystem\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_pe.subsystem: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_pe.subsystem\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7c810b56-5297-4aed-abac-cff41dfa5c77",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk2LDFd",
"attributes": {
"visState": "{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.section_names\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "PE - Section Name",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0b774699-b798-40ae-ae92-2ac2a619eeb9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk3LDFd",
"attributes": {
"visState": "{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_pe.machine\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}",
"description": "",
"title": "PE - Machine",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHCUeZxQT5EBNmq4Xy",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk4LDFd",
"attributes": {
"title": "PE - Log Count",
"visState": "{\"title\":\"PE - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2d547c90-665f-11eb-b873-19a6007d75dd",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "Wzk5LDFd",
"attributes": {
"title": "Capa Signatures",
"visState": "{\"title\":\"Capa Signatures\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_signatures.signature_id: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8555e510-665e-11eb-b873-19a6007d75dd"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8555e510-665e-11eb-b873-19a6007d75dd",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "WzEwMCwxXQ==",
"attributes": {
"title": "Signatures (Capa) - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_signatures.signature_id",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:signatures AND zeek_signatures.engine:Capa\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "13f6cda1-6b4d-4a7d-b72e-25eeabec8768",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:08.721Z",
"version": "WzEwMSwxXQ==",
"attributes": {
"title": "PE - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_pe.machine",
"zeek_pe.os",
"zeek_pe.subsystem",
"zeek.fuid"
],
"sort": [
[
"@timestamp",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:pe\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

435
Vagrant/resources/malcolm/kibana/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json Normal file
View File

@@ -0,0 +1,435 @@
{
"version": "7.10.0",
"objects": [
{
"id": "0ad3d7c2-3441-485e-9dfe-dbb22e84e576",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzEwOSwxXQ==",
"attributes": {
"title": "Overview",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":26,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":26,\"w\":36,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":9,\"h\":18,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":8,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":26,\"w\":12,\"h\":18,\"i\":\"43\"},\"panelIndex\":\"43\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":17,\"y\":8,\"w\":11,\"h\":18,\"i\":\"2aab2ae5-2520-4b78-9735-04c32b22b71e\"},\"panelIndex\":\"2aab2ae5-2520-4b78-9735-04c32b22b71e\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":18,\"i\":\"f92ea81f-8f7e-4a79-abde-e5d8aaf7a39a\"},\"panelIndex\":\"f92ea81f-8f7e-4a79-abde-e5d8aaf7a39a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":27,\"i\":\"4c077648-488a-4fd8-9fcd-3042ec1bfa4d\"},\"panelIndex\":\"4c077648-488a-4fd8-9fcd-3042ec1bfa4d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "470c6648-d66f-4fae-99af-061cab27065a"
},
{
"name": "panel_2",
"type": "visualization",
"id": "3da52536-9455-4f8f-931a-14f4c04c636b"
},
{
"name": "panel_3",
"type": "visualization",
"id": "f7aba7a6-4b09-4efe-ae42-68d5637212ce"
},
{
"name": "panel_4",
"type": "visualization",
"id": "AWDGyaGxxQT5EBNmq3K9"
},
{
"name": "panel_5",
"type": "visualization",
"id": "6ec2abe4-c3b1-4cc1-8674-e80f8aee7ec5"
},
{
"name": "panel_6",
"type": "visualization",
"id": "750367f0-41f2-11ea-88fa-7151df485405"
},
{
"name": "panel_7",
"type": "visualization",
"id": "f38b3bd0-afd3-11ea-adcf-8bc6d9c94a96"
},
{
"name": "panel_8",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "470c6648-d66f-4fae-99af-061cab27065a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Total Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Total Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3da52536-9455-4f8f-931a-14f4c04c636b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExMiwxXQ==",
"attributes": {
"title": "Connections - Service By Destination Country",
"visState": "{\"title\":\"Connections - Service By Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"row\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f7aba7a6-4b09-4efe-ae42-68d5637212ce",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExMywxXQ==",
"attributes": {
"title": "Log Type",
"visState": "{\"title\":\"Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.logType\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDGyaGxxQT5EBNmq3K9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:48.278Z",
"version": "WzY1NywxXQ==",
"attributes": {
"title": "Total Number of Logs",
"visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6ec2abe4-c3b1-4cc1-8674-e80f8aee7ec5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExNSwxXQ==",
"attributes": {
"title": "DNS - Queries",
"visState": "{\"title\":\"DNS - Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "750367f0-41f2-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExNiwxXQ==",
"attributes": {
"title": "Application Protocol",
"visState": "{\"title\":\"Application Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f38b3bd0-afd3-11ea-adcf-8bc6d9c94a96",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:09.796Z",
"version": "WzExNywxXQ==",
"attributes": {
"title": "Actions and Results",
"visState": "{\"title\":\"Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:* OR zeek.result:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4NiwxXQ==",
"attributes": {
"title": "All Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.service",
"zeek.action",
"zeek.result",
"srcIp",
"dstIp",
"dstPort",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:45.233Z",
"version": "WzYzNSwxXQ==",
"attributes": {
"title": "DNS - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_dns.query",
"zeek_dns.answers",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:10.810Z",
"version": "WzEzMSwxXQ==",
"attributes": {
"title": "Connections - Destination - Top Connection Duration",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"2e33c0bf-ffb8-408b-ab32-0c6539074ea6\"},\"panelIndex\":\"2e33c0bf-ffb8-408b-ab32-0c6539074ea6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"92ba4d29-ba43-4806-b545-79f60788c795\"},\"panelIndex\":\"92ba4d29-ba43-4806-b545-79f60788c795\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "53854a54-2b8b-474e-a36c-bce80276004e"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "53854a54-2b8b-474e-a36c-bce80276004e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:10.810Z",
"version": "WzEzMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Destination - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Destination - Top Connection Duration",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

527
Vagrant/resources/malcolm/kibana/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json Normal file
View File

@@ -0,0 +1,527 @@
{
"version": "7.10.0",
"objects": [
{
"id": "0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:02:01.961Z",
"version": "WzMxNDEsMV0=",
"attributes": {
"title": "SIP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":42,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":17,\"x\":0,\"y\":60},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":17,\"x\":17,\"y\":60},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":12,\"x\":20,\"y\":8},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"11\",\"w\":23,\"x\":0,\"y\":42},\"panelIndex\":\"11\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"13\",\"w\":25,\"x\":23,\"y\":42},\"panelIndex\":\"13\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":23,\"x\":25,\"y\":24},\"panelIndex\":\"14\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":16,\"i\":\"16\",\"w\":12,\"x\":8,\"y\":8},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"19\",\"w\":14,\"x\":34,\"y\":60},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"21\",\"w\":17,\"x\":8,\"y\":24},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":32,\"i\":\"986e38d3-b2fb-44cb-b4b3-efaa2d46ff62\",\"w\":48,\"x\":0,\"y\":78},\"panelIndex\":\"986e38d3-b2fb-44cb-b4b3-efaa2d46ff62\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "00051443-ad3a-4c91-81a8-928096b8d5c2"
},
{
"name": "panel_2",
"type": "visualization",
"id": "2a9cf114-30d2-4b27-a71b-cde90dc26c9a"
},
{
"name": "panel_3",
"type": "visualization",
"id": "d5c39a42-e7c1-447c-afce-53fea7e5d971"
},
{
"name": "panel_4",
"type": "visualization",
"id": "72cf657f-b027-4d0b-814d-9bb3ebada4f6"
},
{
"name": "panel_5",
"type": "visualization",
"id": "1968f84a-1b85-44ea-b9ba-c6af98aeb8bb"
},
{
"name": "panel_6",
"type": "visualization",
"id": "7eb073ce-5c1f-4319-9eb8-1bf25399dcd9"
},
{
"name": "panel_7",
"type": "visualization",
"id": "f39d0316-33cd-4dc3-ad9d-bdf488f4e80c"
},
{
"name": "panel_8",
"type": "visualization",
"id": "068db209-7174-4082-a758-68c6b09224c6"
},
{
"name": "panel_9",
"type": "visualization",
"id": "07d161d5-c6b3-4a51-bef7-d53a325e945a"
},
{
"name": "panel_10",
"type": "visualization",
"id": "46d7e33f-ec02-41ab-977c-7e164c80f6ef"
},
{
"name": "panel_11",
"type": "visualization",
"id": "AWDHDNS4xQT5EBNmq4dF"
},
{
"name": "panel_12",
"type": "visualization",
"id": "fff2c100-32e4-402c-98cc-4a977010a427"
},
{
"name": "panel_13",
"type": "search",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "00051443-ad3a-4c91-81a8-928096b8d5c2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE0NywxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2a9cf114-30d2-4b27-a71b-cde90dc26c9a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE0OCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d5c39a42-e7c1-447c-afce-53fea7e5d971",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE0OSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "72cf657f-b027-4d0b-814d-9bb3ebada4f6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1MCwxXQ==",
"attributes": {
"title": "SIP - Destination Country",
"visState": "{\"title\":\"SIP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.destination_geo.country_name: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1968f84a-1b85-44ea-b9ba-c6af98aeb8bb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.request_path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Request Path",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7eb073ce-5c1f-4319-9eb8-1bf25399dcd9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - URI",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f39d0316-33cd-4dc3-ad9d-bdf488f4e80c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1MywxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - User Agent",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "068db209-7174-4082-a758-68c6b09224c6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1NCwxXQ==",
"attributes": {
"title": "SIP - Content Type",
"visState": "{\"title\":\"SIP - Content Type\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_sip.content_type: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_sip.content_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Content Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "07d161d5-c6b3-4a51-bef7-d53a325e945a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Method\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_sip.method\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Method",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "46d7e33f-ec02-41ab-977c-7e164c80f6ef",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "SIP - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHDNS4xQT5EBNmq4dF",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1NywxXQ==",
"attributes": {
"title": "SIP - Log Count",
"visState": "{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fff2c100-32e4-402c-98cc-4a977010a427",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1OCwxXQ==",
"attributes": {
"title": "SIP - Status",
"visState": "{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_sip.status_msg\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "78fb078f-c0fe-4462-b72c-bccfd8329ca3",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:11.908Z",
"version": "WzE1OSwxXQ==",
"attributes": {
"title": "SIP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_sip.method",
"zeek_sip.content_type",
"zeek_sip.status_msg",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:sip\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

352
Vagrant/resources/malcolm/kibana/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json Normal file
View File

@@ -0,0 +1,352 @@
{
"version": "7.10.0",
"objects": [
{
"id": "11be6381-beef-40a7-bdce-88c5398392fc",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:07:48.772Z",
"version": "WzM4MjQsMV0=",
"attributes": {
"title": "Tunnels",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":10,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":13,\"x\":8,\"y\":10},\"panelIndex\":\"7\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":16,\"x\":32,\"y\":30},\"panelIndex\":\"8\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"9\",\"w\":13,\"x\":19,\"y\":30},\"panelIndex\":\"9\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"11\",\"w\":27,\"x\":21,\"y\":10},\"panelIndex\":\"11\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"12\",\"w\":19,\"x\":0,\"y\":30},\"panelIndex\":\"12\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"14\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":36,\"i\":\"4c91cf0e-8f00-4682-88e9-e7a4da9cb818\",\"w\":48,\"x\":0,\"y\":49},\"panelIndex\":\"4c91cf0e-8f00-4682-88e9-e7a4da9cb818\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "ea729cd0-2c77-4c5a-8ffa-11ff19d1e369"
},
{
"name": "panel_2",
"type": "visualization",
"id": "ab721f9e-240e-4343-b71c-9c04d2d704f5"
},
{
"name": "panel_3",
"type": "visualization",
"id": "018337e2-9178-4021-a36f-a1e7098b9b86"
},
{
"name": "panel_4",
"type": "visualization",
"id": "8eb2b344-150b-4163-b6c1-e686bb7027d5"
},
{
"name": "panel_5",
"type": "visualization",
"id": "7b5a1e84-eb4d-4a4f-9b8b-e325ff81d89a"
},
{
"name": "panel_6",
"type": "visualization",
"id": "56a5dece-0790-4acc-b166-6628cf10a596"
},
{
"name": "panel_7",
"type": "visualization",
"id": "AWDHFYrqxQT5EBNmq4qT"
},
{
"name": "panel_8",
"type": "search",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ea729cd0-2c77-4c5a-8ffa-11ff19d1e369",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:12.938Z",
"version": "WzE3MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Tunnels - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Tunnels - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ab721f9e-240e-4343-b71c-9c04d2d704f5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:07:00.533Z",
"version": "WzM3OTIsMV0=",
"attributes": {
"title": "Tunnels - Type",
"visState": "{\"title\":\"Tunnels - Type\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tunnel.tunnel_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "018337e2-9178-4021-a36f-a1e7098b9b86",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:06:33.679Z",
"version": "WzM3ODAsMV0=",
"attributes": {
"title": "Tunnels - Destination Address",
"visState": "{\"title\":\"Tunnels - Destination Address\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8eb2b344-150b-4163-b6c1-e686bb7027d5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:12.938Z",
"version": "WzE3NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Tunnels - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7b5a1e84-eb4d-4a4f-9b8b-e325ff81d89a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:07:29.104Z",
"version": "WzM4MTEsMV0=",
"attributes": {
"title": "Tunnels - Country",
"visState": "{\"title\":\"Tunnels - Country\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "56a5dece-0790-4acc-b166-6628cf10a596",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:04:29.612Z",
"version": "WzM3NjAsMV0=",
"attributes": {
"title": "Tunnels - Action",
"visState": "{\"title\":\"Tunnels - Action\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tunnel.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHFYrqxQT5EBNmq4qT",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:12.938Z",
"version": "WzE3OCwxXQ==",
"attributes": {
"title": "Tunnels - Log Count",
"visState": "{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f166f708-f838-4c50-84cc-1fb99f7d7060",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:12.938Z",
"version": "WzE4MCwxXQ==",
"attributes": {
"title": "Tunnels - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_tunnel.action",
"zeek_tunnel.tunnel_type",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:tunnel\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

386
Vagrant/resources/malcolm/kibana/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json Normal file
View File

@@ -0,0 +1,386 @@
{
"version": "7.10.0",
"objects": [
{
"id": "11ddd980-e388-11e9-b568-cf17de8e860c",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:02:59.762Z",
"version": "WzIzNjUsMV0=",
"attributes": {
"title": "QUIC",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":32,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"15\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"15\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":66},\"panelIndex\":\"16\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":11,\"i\":\"17\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"17\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"18\",\"w\":20,\"x\":8,\"y\":11},\"panelIndex\":\"18\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"19\",\"w\":20,\"x\":28,\"y\":11},\"panelIndex\":\"19\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"20\",\"w\":20,\"x\":8,\"y\":29},\"panelIndex\":\"20\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"21\",\"w\":20,\"x\":28,\"y\":29},\"panelIndex\":\"21\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":19,\"i\":\"22\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"22\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"23\",\"w\":8,\"x\":0,\"y\":32},\"panelIndex\":\"23\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a9a94150-e388-11e9-b568-cf17de8e860c"
},
{
"name": "panel_2",
"type": "search",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
},
{
"name": "panel_3",
"type": "visualization",
"id": "42fea480-e389-11e9-b568-cf17de8e860c"
},
{
"name": "panel_4",
"type": "visualization",
"id": "2648ad80-e38a-11e9-b568-cf17de8e860c"
},
{
"name": "panel_5",
"type": "visualization",
"id": "49d13470-e38a-11e9-b568-cf17de8e860c"
},
{
"name": "panel_6",
"type": "visualization",
"id": "919cb8b0-e38a-11e9-b568-cf17de8e860c"
},
{
"name": "panel_7",
"type": "visualization",
"id": "be8b4120-e38a-11e9-b568-cf17de8e860c"
},
{
"name": "panel_8",
"type": "visualization",
"id": "2e6549a0-e38b-11e9-b568-cf17de8e860c"
},
{
"name": "panel_9",
"type": "visualization",
"id": "7a6b6a50-e38b-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a9a94150-e388-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5MywxXQ==",
"attributes": {
"title": "QUIC - Log Count",
"visState": "{\"title\":\"QUIC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "69939d90-e388-11e9-b568-cf17de8e860c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5NCwxXQ==",
"attributes": {
"title": "QUIC - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"quic.useragent",
"dstIp",
"quic.host",
"quic.version",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:gquic\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "42fea480-e389-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:00:51.994Z",
"version": "WzIzNTAsMV0=",
"attributes": {
"title": "QUIC - Log Count Over Time",
"visState": "{\"title\":\"QUIC - Log Count Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"quic.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"QUIC Version\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2648ad80-e38a-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5NiwxXQ==",
"attributes": {
"title": "QUIC - Source IP Address",
"visState": "{\"title\":\"QUIC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "49d13470-e38a-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5NywxXQ==",
"attributes": {
"title": "QUIC - Destination IP Address",
"visState": "{\"title\":\"QUIC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "919cb8b0-e38a-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5OCwxXQ==",
"attributes": {
"title": "QUIC - User Agent",
"visState": "{\"title\":\"QUIC - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"quic.useragent\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "be8b4120-e38a-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzE5OSwxXQ==",
"attributes": {
"title": "QUIC - Server Name",
"visState": "{\"title\":\"QUIC - Server Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"quic.host\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2e6549a0-e38b-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzIwMCwxXQ==",
"attributes": {
"title": "QUIC - CYU Fingerprint",
"visState": "{\"title\":\"QUIC - CYU Fingerprint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyutags\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint Tags\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_gquic.cyu\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CYU Fingerprint MD5\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7a6b6a50-e38b-11e9-b568-cf17de8e860c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:13.961Z",
"version": "WzIwMSwxXQ==",
"attributes": {
"title": "QUIC - Version",
"visState": "{\"title\":\"QUIC - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"quic.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"QUIC Version\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "69939d90-e388-11e9-b568-cf17de8e860c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

341
Vagrant/resources/malcolm/kibana/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json Normal file
View File

@@ -0,0 +1,341 @@
{
"version": "7.10.2",
"objects": [
{
"id": "12e3a130-d83b-11eb-a0b0-f328ce09b0b7",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:53:13.184Z",
"version": "WzEwNTksMV0=",
"attributes": {
"title": "ICS Best Guess",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":34,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"bcd8c686-5d1e-493c-a9b3-4ff46e43c430\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"bcd8c686-5d1e-493c-a9b3-4ff46e43c430\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"8ea78bf3-d28f-4e64-9300-acc4974b48ab\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"8ea78bf3-d28f-4e64-9300-acc4974b48ab\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"hidePanelTitles\":true},\"gridData\":{\"h\":6,\"i\":\"8b261ab9-bc3e-431f-9661-7130a3691e59\",\"w\":17,\"x\":8,\"y\":10},\"panelIndex\":\"8b261ab9-bc3e-431f-9661-7130a3691e59\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":26,\"i\":\"d12b6bb3-e89e-4a92-8234-91bb7e55c20d\",\"w\":23,\"x\":25,\"y\":10},\"panelIndex\":\"d12b6bb3-e89e-4a92-8234-91bb7e55c20d\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"a77da3f0-fda3-4638-bc9e-a492ab4f9999\",\"w\":17,\"x\":8,\"y\":16},\"panelIndex\":\"a77da3f0-fda3-4638-bc9e-a492ab4f9999\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":26,\"i\":\"ed874588-65d2-458f-a7f5-88e6f7031b80\",\"w\":23,\"x\":25,\"y\":36},\"panelIndex\":\"ed874588-65d2-458f-a7f5-88e6f7031b80\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"a90fa9be-54ba-4f25-ab7b-bf484557a89d\",\"w\":25,\"x\":0,\"y\":34},\"panelIndex\":\"a90fa9be-54ba-4f25-ab7b-bf484557a89d\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":33,\"i\":\"2000008c-f74f-40c3-bbfd-ec6a9acf864c\",\"w\":48,\"x\":0,\"y\":62},\"panelIndex\":\"2000008c-f74f-40c3-bbfd-ec6a9acf864c\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "9f878160-d83b-11eb-a0b0-f328ce09b0b7"
},
{
"name": "panel_2",
"type": "visualization",
"id": "e51375e0-d83b-11eb-a0b0-f328ce09b0b7"
},
{
"name": "panel_3",
"type": "visualization",
"id": "2a3ce150-d8e7-11eb-8448-8f6f257e0b34"
},
{
"name": "panel_4",
"type": "visualization",
"id": "d3ec8b90-d8e4-11eb-8448-8f6f257e0b34"
},
{
"name": "panel_5",
"type": "visualization",
"id": "129f16c0-d83e-11eb-a0b0-f328ce09b0b7"
},
{
"name": "panel_6",
"type": "visualization",
"id": "8c3695b0-d8e5-11eb-8448-8f6f257e0b34"
},
{
"name": "panel_7",
"type": "visualization",
"id": "054c4020-d83d-11eb-a0b0-f328ce09b0b7"
},
{
"name": "panel_8",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:35:08.455Z",
"version": "WzkwMiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9f878160-d83b-11eb-a0b0-f328ce09b0b7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:34:12.354Z",
"version": "WzI4OCwxXQ==",
"attributes": {
"title": "Best Guess - Log Count",
"visState": "{\"title\":\"Best Guess - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e51375e0-d83b-11eb-a0b0-f328ce09b0b7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:34:12.354Z",
"version": "WzI4OSwxXQ==",
"attributes": {
"title": "Best Guess - Log Count Over Time",
"visState": "{\"title\":\"Best Guess - Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-26y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2a3ce150-d8e7-11eb-8448-8f6f257e0b34",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:34:12.354Z",
"version": "WzI5MCwxXQ==",
"attributes": {
"title": "Best Guess - Disclaimer",
"visState": "{\"title\":\"Best Guess - Disclaimer\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"Note: This dashboard categorizes potential industrial control system traffic using transport protocol, responding port and/or originating port instead of packet payload inspection. As such, these results should be viewed as a \\\"best guess\\\" and are likely to have more false positives than other protocol dashboards.\"}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d3ec8b90-d8e4-11eb-8448-8f6f257e0b34",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:50:13.473Z",
"version": "Wzk4MCwxXQ==",
"attributes": {
"title": "Best Guess Protocol - Destination",
"visState": "{\"title\":\"Best Guess Protocol - Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "129f16c0-d83e-11eb-a0b0-f328ce09b0b7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:51:22.706Z",
"version": "WzEwMDksMV0=",
"attributes": {
"title": "Best Guess - Summary",
"visState": "{\"title\":\"Best Guess - Summary\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Details\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8c3695b0-d8e5-11eb-8448-8f6f257e0b34",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:52:21.391Z",
"version": "WzEwMzcsMV0=",
"attributes": {
"title": "Best Guess Protocol - Source",
"visState": "{\"title\":\"Best Guess Protocol - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tranport\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":18,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "054c4020-d83d-11eb-a0b0-f328ce09b0b7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:34:12.354Z",
"version": "WzI5NCwxXQ==",
"attributes": {
"title": "Best Guess - Category",
"visState": "{\"title\":\"Best Guess - Category\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_bestguess.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a4db0f40-d838-11eb-a0b0-f328ce09b0b7",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-07-06T15:34:12.354Z",
"version": "WzI5NSwxXQ==",
"attributes": {
"title": "Best Guess - Logs",
"description": "",
"hits": 0,
"columns": [
"protocol",
"zeek_bestguess.category",
"zeek_bestguess.name",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek.uid"
],
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:bestguess\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

718
Vagrant/resources/malcolm/kibana/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json Normal file
View File

@@ -0,0 +1,718 @@
{
"version": "7.10.0",
"objects": [
{
"id": "152f29dc-51a2-4f53-93e9-6e92765567b8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T14:57:58.862Z",
"version": "WzE3MDMsMV0=",
"attributes": {
"title": "Modbus",
"hits": 0,
"description": "Dashboard for the Modbus Protocol",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":27,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"11\",\"w\":18,\"x\":8,\"y\":22},\"panelIndex\":\"11\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":48,\"x\":0,\"y\":96},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":58},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"16\",\"w\":11,\"x\":10,\"y\":58},\"panelIndex\":\"16\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"18\",\"w\":21,\"x\":0,\"y\":40},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":13,\"i\":\"19\",\"w\":8,\"x\":0,\"y\":27},\"panelIndex\":\"19\",\"embeddableConfig\":{\"legendOpen\":true,\"vis\":{\"legendOpen\":true},\"table\":null},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":22,\"i\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"90799aa8-a1f5-4f22-8ebd-fcc89d16f6de\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":22,\"i\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"218010cf-a0d9-4864-815b-f562bb67949d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"94289b59-62a3-49ac-9847-de4b42858ae6\",\"w\":22,\"x\":26,\"y\":22},\"panelIndex\":\"94289b59-62a3-49ac-9847-de4b42858ae6\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":37,\"i\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"w\":27,\"x\":21,\"y\":40},\"panelIndex\":\"f8941a7d-be4b-4782-b72b-808645d02139\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"w\":24,\"x\":24,\"y\":77},\"panelIndex\":\"502f22a6-2e5c-44dd-afa8-39309464f3f2\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"w\":24,\"x\":0,\"y\":77},\"panelIndex\":\"c0d7fb2c-a651-4054-b4cd-026d9f34ad44\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"w\":48,\"x\":0,\"y\":114},\"panelIndex\":\"1d1b2b12-c510-4b9e-9fbe-b65a2946fe13\",\"embeddableConfig\":{\"sort\":[[\"firstPacket\",\"asc\"]]},\"panelRefName\":\"panel_13\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"w\":48,\"x\":0,\"y\":133},\"panelIndex\":\"99311c07-fbae-4197-ab3f-f8ddf89deefc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"w\":48,\"x\":0,\"y\":152},\"panelIndex\":\"f50e3c18-31ce-482f-b6a0-c99215b5b5e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_15\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "e8463b80-6e08-48c2-8101-33739452d61b"
},
{
"name": "panel_2",
"type": "search",
"id": "6dd45620-ef5d-11e9-974e-9d600036d105"
},
{
"name": "panel_3",
"type": "visualization",
"id": "9b9be400-ef5e-11e9-974e-9d600036d105"
},
{
"name": "panel_4",
"type": "visualization",
"id": "b84b7cf0-ef5e-11e9-974e-9d600036d105"
},
{
"name": "panel_5",
"type": "visualization",
"id": "3e847130-ef75-11e9-91bd-23d686ac8389"
},
{
"name": "panel_6",
"type": "visualization",
"id": "b66427e0-ef75-11e9-91bd-23d686ac8389"
},
{
"name": "panel_7",
"type": "visualization",
"id": "39dd5680-e3c9-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_8",
"type": "visualization",
"id": "9d53fc00-e3c9-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_9",
"type": "visualization",
"id": "54a9c5a0-e3cb-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_10",
"type": "visualization",
"id": "a8851d60-5684-11eb-a702-bff6ecd13bea"
},
{
"name": "panel_11",
"type": "visualization",
"id": "94118e70-e3d1-11ea-8def-e34cb979819b"
},
{
"name": "panel_12",
"type": "visualization",
"id": "d0dc3070-e3d2-11ea-8def-e34cb979819b"
},
{
"name": "panel_13",
"type": "search",
"id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681"
},
{
"name": "panel_14",
"type": "search",
"id": "10e72aa0-0816-11eb-987d-c591a71f172b"
},
{
"name": "panel_15",
"type": "search",
"id": "3ac0f900-0816-11eb-987d-c591a71f172b"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e8463b80-6e08-48c2-8101-33739452d61b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwNCwxXQ==",
"attributes": {
"title": "Modbus - Functions",
"visState": "{\"title\":\"Modbus - Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Function\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Modbus Function Codes",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "126f6846-e50a-4cae-9703-80ac172a2098"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6dd45620-ef5d-11e9-974e-9d600036d105",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwNSwxXQ==",
"attributes": {
"title": "Modbus - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_modbus.func",
"zeek_modbus.exception",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"modbus\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "9b9be400-ef5e-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwNiwxXQ==",
"attributes": {
"title": "Modbus - Source IP",
"visState": "{\"title\":\"Modbus - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Source IP Addresses from modbus.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "6dd45620-ef5d-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b84b7cf0-ef5e-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwNywxXQ==",
"attributes": {
"title": "Modbus - Destination IP",
"visState": "{\"title\":\"Modbus - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "Destination IP Addresses from modbus.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "6dd45620-ef5d-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3e847130-ef75-11e9-91bd-23d686ac8389",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwOCwxXQ==",
"attributes": {
"title": "Modbus - Observed Masters and Slaves",
"visState": "{\"title\":\"Modbus - Observed Masters and Slaves\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Times Observed\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Device Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "Modbus observed master and slave devices",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "da7d99a0-ef74-11e9-91bd-23d686ac8389"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b66427e0-ef75-11e9-91bd-23d686ac8389",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIwOSwxXQ==",
"attributes": {
"title": "Modbus - Observed Master/Slave Ratio",
"visState": "{\"title\":\"Modbus - Observed Master/Slave Ratio\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus Role\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_known_modbus.device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Modbus Role\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "Modbus Observed Masters and Slaves Chart",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "da7d99a0-ef74-11e9-91bd-23d686ac8389"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "39dd5680-e3c9-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxMCwxXQ==",
"attributes": {
"title": "Modbus - Log Count",
"visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "Count of Modbus logs including Modbus Detailed and Modbus Register Change",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*modbus*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9d53fc00-e3c9-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxMSwxXQ==",
"attributes": {
"title": "Modbus - Logs Over Time",
"visState": "{\"title\":\"Modbus - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:33:54.363Z\",\"max\":\"2021-01-14T16:33:54.363Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "Modbus Logs over Time",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*modbus*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "54a9c5a0-e3cb-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxMiwxXQ==",
"attributes": {
"title": "Modbus - Exceptions",
"visState": "{\"title\":\"Modbus - Exceptions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Modbus Exception\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus.exception\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Modbus Exception Codes",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "126f6846-e50a-4cae-9703-80ac172a2098"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a8851d60-5684-11eb-a702-bff6ecd13bea",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxMywxXQ==",
"attributes": {
"title": "Modbus Detailed - Request and Response",
"visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek_modbus_detailed.network_direction: Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_modbus_detailed.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "94118e70-e3d1-11ea-8def-e34cb979819b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxNCwxXQ==",
"attributes": {
"title": "Modbus - Writes",
"visState": "{\"title\":\"Modbus - Writes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Modbus write register and write coil overview from modbus_detailed.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_modbus_detailed.network_direction:(\\\"request\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d0dc3070-e3d2-11ea-8def-e34cb979819b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxNSwxXQ==",
"attributes": {
"title": "Modbus - Reads",
"visState": "{\"title\":\"Modbus - Reads\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Values\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.func\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.unit_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Unit ID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_modbus_detailed.values\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"-\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Values\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_modbus_detailed.network_direction:(\\\"response\\\") AND zeek_modbus_detailed.func:(\\\"READ_DISCRETE_INPUTS\\\" OR \\\"READ_COILS\\\" OR \\\"READ_HOLDING_REGISTERS\\\" OR \\\"READ_INPUT_REGISTERS\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1cfb4e10-e0b7-11ea-8a49-0d5868b09681",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxNiwxXQ==",
"attributes": {
"title": "Modbus - Detailed",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_modbus_detailed.func",
"zeek_modbus_detailed.network_direction",
"zeek_modbus_detailed.unit_id",
"zeek_modbus_detailed.address",
"zeek_modbus_detailed.quantity",
"zeek_modbus_detailed.values"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_detailed\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "10e72aa0-0816-11eb-987d-c591a71f172b",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxNywxXQ==",
"attributes": {
"title": "Modbus - Mask Write",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_modbus_mask_write_register.network_direction",
"zeek_modbus_mask_write_register.func",
"zeek_modbus_mask_write_register.unit_id",
"zeek_modbus_mask_write_register.address",
"zeek_modbus_mask_write_register.and_mask",
"zeek_modbus_mask_write_register.or_mask"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_mask_write_register\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "3ac0f900-0816-11eb-987d-c591a71f172b",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxOCwxXQ==",
"attributes": {
"title": "Modbus - Read Write Multiple",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_modbus_read_write_multiple_registers.network_direction",
"zeek_modbus_read_write_multiple_registers.func",
"zeek_modbus_read_write_multiple_registers.unit_id",
"zeek_modbus_read_write_multiple_registers.write_start_address",
"zeek_modbus_read_write_multiple_registers.write_registers",
"zeek_modbus_read_write_multiple_registers.read_start_address",
"zeek_modbus_read_write_multiple_registers.read_registers"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"modbus_read_write_multiple_registers\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "126f6846-e50a-4cae-9703-80ac172a2098",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIxOSwxXQ==",
"attributes": {
"title": "Modbus - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_modbus.func",
"zeek_modbus.exception",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "da7d99a0-ef74-11e9-91bd-23d686ac8389",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:15.000Z",
"version": "WzIyMCwxXQ==",
"attributes": {
"title": "Modbus - Known Masters and Slaves Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"zeek_known_modbus.device_type",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"known_modbus\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "1ce42250-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:16.017Z",
"version": "WzIzOCwxXQ==",
"attributes": {
"title": "Connections - Source - Sum of Total Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"5cf06729-4907-4824-a561-a3c50a23136c\"},\"panelIndex\":\"5cf06729-4907-4824-a561-a3c50a23136c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"b397c221-819d-4fdd-b3e1-3a424d643ef0\"},\"panelIndex\":\"b397c221-819d-4fdd-b3e1-3a424d643ef0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "997269c0-3f95-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "997269c0-3f95-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:16.017Z",
"version": "WzI0MCwxXQ==",
"attributes": {
"title": "Connections - Source - Sum of Total Bytes (region map)",
"visState": "{\"title\":\"Connections - Source - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"sum\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[37.87063517566466,16.347656250000004],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

386
Vagrant/resources/malcolm/kibana/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json Normal file
View File

@@ -0,0 +1,386 @@
{
"version": "7.10.0",
"objects": [
{
"id": "1fff49f6-0199-4a0f-820b-721aff9ff1f1",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI0OSwxXQ==",
"attributes": {
"title": "Weird",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":66,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":14,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":22,\"y\":27,\"w\":14,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":47,\"w\":40,\"h\":19,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":35,\"i\":\"781c60c8-791a-4f33-9f08-85820f16f4d1\"},\"panelIndex\":\"781c60c8-791a-4f33-9f08-85820f16f4d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "2789890f-3187-449c-b0d7-a351975cbe13"
},
{
"name": "panel_2",
"type": "visualization",
"id": "259fa46e-2fde-41bb-b028-063a12cb4621"
},
{
"name": "panel_3",
"type": "visualization",
"id": "84786f08-b68a-4524-8d2d-d44221f99060"
},
{
"name": "panel_4",
"type": "visualization",
"id": "c7fbd190-02fa-4eb5-ac5a-a4ad421a6a3b"
},
{
"name": "panel_5",
"type": "visualization",
"id": "a827f658-2190-4ec4-b330-96cdb93d97ed"
},
{
"name": "panel_6",
"type": "visualization",
"id": "64ffd0d9-a0d7-4db6-bce0-c69b48ff0da6"
},
{
"name": "panel_7",
"type": "visualization",
"id": "AWDHGXk-xQT5EBNmq4uf"
},
{
"name": "panel_8",
"type": "visualization",
"id": "429d2522-67c6-44f5-aae8-f464d5815195"
},
{
"name": "panel_9",
"type": "search",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2789890f-3187-449c-b0d7-a351975cbe13",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1MSwxXQ==",
"attributes": {
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over Time\",\"type\":\"line\"}",
"description": "",
"title": "Weird - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "259fa46e-2fde-41bb-b028-063a12cb4621",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Weird - Source IP Address",
"uiStateJSON": "{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "84786f08-b68a-4524-8d2d-d44221f99060",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1MywxXQ==",
"attributes": {
"visState": "{\"title\":\"Weird - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Weird - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c7fbd190-02fa-4eb5-ac5a-a4ad421a6a3b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1NCwxXQ==",
"attributes": {
"title": "Weird - Notice Generated",
"visState": "{\"title\":\"Weird - Notice Generated\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_weird.notice: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_weird.notice\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a827f658-2190-4ec4-b330-96cdb93d97ed",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Weird - Summary",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "64ffd0d9-a0d7-4db6-bce0-c69b48ff0da6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "Weird - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHGXk-xQT5EBNmq4uf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1NywxXQ==",
"attributes": {
"title": "Weird - Log Count",
"visState": "{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "429d2522-67c6-44f5-aae8-f464d5815195",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1OCwxXQ==",
"attributes": {
"title": "Weird - Name",
"visState": "{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_weird.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "17236484-ab93-4497-8b85-bc7dfaeb2d71",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:17.046Z",
"version": "WzI1OSwxXQ==",
"attributes": {
"title": "Weird - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_weird.name",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:weird\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

564
Vagrant/resources/malcolm/kibana/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json Normal file
View File

@@ -0,0 +1,564 @@
{
"version": "7.10.0",
"objects": [
{
"id": "29a1b290-eb98-11e9-a384-0fcf32210194",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T14:51:43.748Z",
"version": "WzE2NzksMV0=",
"attributes": {
"title": "EtherNet/IP",
"hits": 0,
"description": "Dashboard for Ethernet/IP and CIP Protocols",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":37,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2\",\"w\":9,\"x\":8,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"5bbd48d6-a3e7-4b7e-9c1d-9883d519dc76\",\"w\":15,\"x\":8,\"y\":19},\"panelIndex\":\"5bbd48d6-a3e7-4b7e-9c1d-9883d519dc76\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"a38de599-91bf-4ce0-9ba1-fcdacb57c943\",\"w\":25,\"x\":23,\"y\":19},\"panelIndex\":\"a38de599-91bf-4ce0-9ba1-fcdacb57c943\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":19,\"i\":\"a73b04d1-99ec-42e7-858d-5edd5c8ae15a\",\"w\":12,\"x\":11,\"y\":37},\"panelIndex\":\"a73b04d1-99ec-42e7-858d-5edd5c8ae15a\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":19,\"i\":\"c25cc903-12d2-43af-9841-89bba26a32a9\",\"w\":11,\"x\":0,\"y\":37},\"panelIndex\":\"c25cc903-12d2-43af-9841-89bba26a32a9\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":19,\"i\":\"7ccb6ae1-5068-4a2d-b147-2baa12a7ac92\",\"w\":25,\"x\":23,\"y\":37},\"panelIndex\":\"7ccb6ae1-5068-4a2d-b147-2baa12a7ac92\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":16,\"i\":\"dcd19ab8-f6f7-403f-ac14-c02ccc7128fe\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"dcd19ab8-f6f7-403f-ac14-c02ccc7128fe\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":16,\"i\":\"a66a1ab3-eeaf-4c7b-a56e-b8663be6ab9f\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"a66a1ab3-eeaf-4c7b-a56e-b8663be6ab9f\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"bb66342b-bad1-4592-b5cf-18fbe68ec1a2\",\"w\":48,\"x\":0,\"y\":72},\"panelIndex\":\"bb66342b-bad1-4592-b5cf-18fbe68ec1a2\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"faa4d891-2c11-4393-acec-cea800f017e7\",\"w\":48,\"x\":0,\"y\":91},\"panelIndex\":\"faa4d891-2c11-4393-acec-cea800f017e7\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"4608eca0-796d-4482-b62a-887c799e423f\",\"w\":48,\"x\":0,\"y\":104},\"panelIndex\":\"4608eca0-796d-4482-b62a-887c799e423f\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"9d193b0a-a8d1-48ad-88cc-16a325686f91\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"9d193b0a-a8d1-48ad-88cc-16a325686f91\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "b2548270-eb98-11e9-a384-0fcf32210194"
},
{
"name": "panel_2",
"type": "visualization",
"id": "3c2b11d0-eb99-11e9-a384-0fcf32210194"
},
{
"name": "panel_3",
"type": "visualization",
"id": "c3b30a40-5682-11eb-a702-bff6ecd13bea"
},
{
"name": "panel_4",
"type": "visualization",
"id": "fa86bb10-cab0-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_5",
"type": "visualization",
"id": "4ce6e380-cab6-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_6",
"type": "visualization",
"id": "378fefe0-cab6-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_7",
"type": "visualization",
"id": "5f626310-ca96-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_8",
"type": "visualization",
"id": "3612d370-cb7f-11ea-b8b9-778c41cae039"
},
{
"name": "panel_9",
"type": "visualization",
"id": "6f73cf80-cb7e-11ea-b8b9-778c41cae039"
},
{
"name": "panel_10",
"type": "search",
"id": "ca878ac0-c790-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_11",
"type": "search",
"id": "f75bfb80-c790-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_12",
"type": "search",
"id": "972f9f00-c790-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_13",
"type": "search",
"id": "a2d6d220-caaa-11ea-84cd-4f7b1f416f80"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b2548270-eb98-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2MiwxXQ==",
"attributes": {
"title": "EtherNet/IP - Log Count",
"visState": "{\"title\":\"EtherNet/IP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3c2b11d0-eb99-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2MywxXQ==",
"attributes": {
"title": "EtherNet/IP - Logs Over Time",
"visState": "{\"title\":\"EtherNet/IP - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:48:06.557Z\",\"max\":\"2021-01-14T16:48:06.557Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(enip* OR cip*)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c3b30a40-5682-11eb-a702-bff6ecd13bea",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2NCwxXQ==",
"attributes": {
"title": "Ethernet/IP - Commands",
"visState": "{\"title\":\"Ethernet/IP - Commands\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Command\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "972f9f00-c790-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fa86bb10-cab0-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2NSwxXQ==",
"attributes": {
"title": "CIP - Services",
"visState": "{\"title\":\"CIP - Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request/Response\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"CIP Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.cip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Status\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request/Response\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "CIP Services and Status",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "ca878ac0-c790-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4ce6e380-cab6-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2NiwxXQ==",
"attributes": {
"title": "EtherNet/IP - Destination IP",
"visState": "{\"title\":\"EtherNet/IP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "378fefe0-cab6-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2NywxXQ==",
"attributes": {
"title": "EtherNet/IP - Source IP",
"visState": "{\"title\":\"EtherNet/IP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"enip\\\" OR \\\"cip\\\" OR \\\"cip_io\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5f626310-ca96-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2OCwxXQ==",
"attributes": {
"title": "EtherNet/IP - Detailed Information",
"visState": "{\"title\":\"EtherNet/IP - Detailed Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Data Length\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.session_handle\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Session Identifier\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.sender_context\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sender Context\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.enip_command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"EtherNet/IP Command\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.length\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Data Length\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_enip.enip_status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Includes: Session Identifier, Sender Context, EtherNet/IP Command, Data Length, and Status",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "972f9f00-c790-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3612d370-cb7f-11ea-b8b9-778c41cae039",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI2OSwxXQ==",
"attributes": {
"title": "CIP - Request Path",
"visState": "{\"title\":\"CIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Data ID\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.class_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class ID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.class_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Class Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.instance_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Instance ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.attribute_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Attribute ID\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.data_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Data ID\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip.other_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Other ID\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}",
"description": "CIP Request Path data",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "ca878ac0-c790-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6f73cf80-cb7e-11ea-b8b9-778c41cae039",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI3MCwxXQ==",
"attributes": {
"title": "CIP - Device Identity",
"visState": "{\"title\":\"CIP - Device Identity\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"N/A\"}},\"params\":{},\"label\":\"Serial Number\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.product_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Product Name\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.device_type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Device Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.vendor_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Vendor Name\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.serial_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Serial Number\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_cip_identity.revision\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"N/A\",\"customLabel\":\"Revision Number\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "CIP Identity Results",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f75bfb80-c790-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ca878ac0-c790-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI3MSwxXQ==",
"attributes": {
"title": "CIP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_cip.cip_service",
"zeek_cip.cip_status",
"zeek_cip.direction",
"zeek_cip.cip_sequence_count",
"zeek_cip.class_id",
"zeek_cip.class_name",
"zeek_cip.instance_id"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "f75bfb80-c790-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI3MiwxXQ==",
"attributes": {
"title": "CIP - Identity Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_cip_identity.device_type_name",
"zeek_cip_identity.product_name",
"zeek_cip_identity.vendor_name",
"zeek_cip_identity.revision",
"zeek_cip_identity.serial_number"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip_identity\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "972f9f00-c790-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI3MywxXQ==",
"attributes": {
"title": "Ethernet/IP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_enip.enip_command",
"zeek_enip.enip_status",
"zeek_enip.options",
"zeek_enip.sender_context",
"zeek_enip.session_handle",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:enip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "a2d6d220-caaa-11ea-84cd-4f7b1f416f80",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:18.060Z",
"version": "WzI3NCwxXQ==",
"attributes": {
"title": "CIP - IO Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_cip_io.connection_id",
"zeek_cip_io.sequence_number",
"zeek_cip_io.data_length",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:cip_io\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

547
Vagrant/resources/malcolm/kibana/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json Normal file
View File

@@ -0,0 +1,547 @@
{
"version": "7.10.0",
"objects": [
{
"id": "2bec1490-eb94-11e9-a384-0fcf32210194",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T14:45:42.395Z",
"version": "WzE2MDQsMV0=",
"attributes": {
"title": "BACnet",
"hits": 0,
"description": "Dashboard for the BACnet (Building Automation and Control Networks) Protocol",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":35,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":17,\"i\":\"f59d8cf5-80a3-48b9-be05-d6801203e9e4\",\"w\":7,\"x\":8,\"y\":0},\"panelIndex\":\"f59d8cf5-80a3-48b9-be05-d6801203e9e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":17,\"i\":\"bcc1cb9c-a8c4-4e3d-9d43-db85a009dd3a\",\"w\":33,\"x\":15,\"y\":0},\"panelIndex\":\"bcc1cb9c-a8c4-4e3d-9d43-db85a009dd3a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"1d52698a-869a-4b09-ae6a-0508a4d66c05\",\"w\":13,\"x\":8,\"y\":17},\"panelIndex\":\"1d52698a-869a-4b09-ae6a-0508a4d66c05\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"7459b87c-93ee-44aa-b6c3-eb30948fee2a\",\"w\":13,\"x\":21,\"y\":17},\"panelIndex\":\"7459b87c-93ee-44aa-b6c3-eb30948fee2a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"fd4e394a-eadf-4ec0-ac28-06e36a9891b2\",\"w\":14,\"x\":34,\"y\":17},\"panelIndex\":\"fd4e394a-eadf-4ec0-ac28-06e36a9891b2\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"8ec8d974-809f-41c4-8039-6f738ee27e82\",\"w\":11,\"x\":0,\"y\":35},\"panelIndex\":\"8ec8d974-809f-41c4-8039-6f738ee27e82\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"62a15e29-78d4-4e05-a742-83ab72f69bef\",\"w\":11,\"x\":11,\"y\":35},\"panelIndex\":\"62a15e29-78d4-4e05-a742-83ab72f69bef\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"113b15fe-a59c-466a-b8cd-f3c7879b592c\",\"w\":26,\"x\":22,\"y\":35},\"panelIndex\":\"113b15fe-a59c-466a-b8cd-f3c7879b592c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"2376eb03-4a0c-42cd-8adc-3f65cfb9eefd\",\"w\":25,\"x\":0,\"y\":53},\"panelIndex\":\"2376eb03-4a0c-42cd-8adc-3f65cfb9eefd\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"fb3d3f83-5b6b-4f0c-aad7-1182604cfa2a\",\"w\":23,\"x\":25,\"y\":53},\"panelIndex\":\"fb3d3f83-5b6b-4f0c-aad7-1182604cfa2a\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"773ed96f-8933-4f9c-b52f-02fd2398b4bc\",\"w\":48,\"x\":0,\"y\":71},\"panelIndex\":\"773ed96f-8933-4f9c-b52f-02fd2398b4bc\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":16,\"i\":\"9ee45ae2-d182-4fac-9ac5-cae0aaabd552\",\"w\":48,\"x\":0,\"y\":89},\"panelIndex\":\"9ee45ae2-d182-4fac-9ac5-cae0aaabd552\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":15,\"i\":\"a0050292-4d09-4c60-93cd-45f9516d1664\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"a0050292-4d09-4c60-93cd-45f9516d1664\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "7fcb8b90-c7b7-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_2",
"type": "visualization",
"id": "0d0cbd30-c7b8-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_3",
"type": "visualization",
"id": "6eb9b2f0-c77b-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_4",
"type": "visualization",
"id": "5cd45d10-c794-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_5",
"type": "visualization",
"id": "e548ad00-cab8-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_6",
"type": "visualization",
"id": "543975b0-cab3-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_7",
"type": "visualization",
"id": "98b559c0-cab3-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_8",
"type": "visualization",
"id": "1be7a440-dc0e-11ea-82b5-4506a254a95f"
},
{
"name": "panel_9",
"type": "visualization",
"id": "bfc334f0-ca05-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_10",
"type": "visualization",
"id": "cc0501c0-caab-11ea-84cd-4f7b1f416f80"
},
{
"name": "panel_11",
"type": "search",
"id": "00294170-c77b-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_12",
"type": "search",
"id": "ccfe3ca0-c77b-11ea-8578-f3ff6bdd82b2"
},
{
"name": "panel_13",
"type": "search",
"id": "b5300770-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7fcb8b90-c7b7-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5MywxXQ==",
"attributes": {
"title": "BACnet - Log Count",
"visState": "{\"title\":\"BACnet - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "Count of BACnet logs including BACnet Discovery and Property logs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0d0cbd30-c7b8-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5NCwxXQ==",
"attributes": {
"title": "BACnet - Logs Over Time",
"visState": "{\"title\":\"BACnet - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:39:09.309Z\",\"max\":\"2021-01-14T16:39:09.309Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "BACnet Logs over Time",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*bacnet*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6eb9b2f0-c77b-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5NSwxXQ==",
"attributes": {
"title": "BACnet - BVLC Functions",
"visState": "{\"title\":\"BACnet - BVLC Functions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.bvlc_function\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"BVLC Function\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "BACnet Virtual Link Control Functions (Link-Layer Control)",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "00294170-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5cd45d10-c794-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5NiwxXQ==",
"attributes": {
"title": "BACnet - Protocol Data Units (PDUs)",
"visState": "{\"title\":\"BACnet - Protocol Data Units (PDUs)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "BACnet Application Layer Protocol Data Unit types and services",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "00294170-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e548ad00-cab8-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5NywxXQ==",
"attributes": {
"title": "BACnet - Errors",
"visState": "{\"title\":\"BACnet - Errors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"PDU Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.result_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result Code\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet.pdu_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "BACnet Result Codes for Abort, Reject or Error",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "00294170-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "543975b0-cab3-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5OCwxXQ==",
"attributes": {
"title": "BACnet - Source IP",
"visState": "{\"title\":\"BACnet - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Source IP Addresses from bacnet.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "98b559c0-cab3-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzI5OSwxXQ==",
"attributes": {
"title": "BACnet - Destination IP",
"visState": "{\"title\":\"BACnet - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Destination IP Addresses from bacnet.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:(\\\"bacnet\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1be7a440-dc0e-11ea-82b5-4506a254a95f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwMCwxXQ==",
"attributes": {
"title": "BACnet - Device Vendors",
"visState": "{\"title\":\"BACnet - Device Vendors\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Unique count of zeek_bacnet_discovery.instance_number\",\"aggType\":\"cardinality\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Device Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_bacnet_discovery.instance_number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Vendor\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "BACnet Device Vendors from i-am messages",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b5300770-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bfc334f0-ca05-11ea-8578-f3ff6bdd82b2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwMSwxXQ==",
"attributes": {
"title": "BACnet - Read and Write Property ",
"visState": "{\"title\":\"BACnet - Read and Write Property \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":6,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Property Value\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Identifier\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.property\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_property.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Property Value\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}}}",
"description": "Results from BACnet Read-Property and Write-Property Commands",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "ccfe3ca0-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cc0501c0-caab-11ea-84cd-4f7b1f416f80",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwMiwxXQ==",
"attributes": {
"title": "BACnet - Device Discovery",
"visState": "{\"title\":\"BACnet - Device Discovery\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Vendor\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.instance_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Identifier\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.pdu_service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Service\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bacnet_discovery.vendor\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Vendor\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "Results from BACnet i-am and i-have commands",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b5300770-c77b-11ea-8578-f3ff6bdd82b2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "00294170-c77b-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwMywxXQ==",
"attributes": {
"title": "BACnet - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_bacnet.bvlc_function",
"zeek_bacnet.pdu_type",
"zeek_bacnet.pdu_service",
"zeek_bacnet.invoke_id"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "ccfe3ca0-c77b-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwNCwxXQ==",
"attributes": {
"title": "BACnet - Property Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_bacnet_property.pdu_service",
"zeek_bacnet_property.object_type",
"zeek_bacnet_property.instance_number",
"zeek_bacnet_property.property",
"zeek_bacnet_property.value"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet_property\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "b5300770-c77b-11ea-8578-f3ff6bdd82b2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:19.112Z",
"version": "WzMwNSwxXQ==",
"attributes": {
"title": "BACnet - Discovery Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_bacnet_discovery.pdu_service",
"zeek_bacnet_discovery.object_type",
"zeek_bacnet_discovery.instance_number",
"zeek_bacnet_discovery.vendor"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:bacnet_discovery\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

525
Vagrant/resources/malcolm/kibana/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json Normal file
View File

@@ -0,0 +1,525 @@
{
"version": "7.10.2",
"objects": [
{
"id": "2cf94cd0-ecab-40a5-95a7-8419f3a39cd9",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T14:11:53.521Z",
"version": "WzE3OTQsMV0=",
"attributes": {
"title": "DNS",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":31,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":18,\"y\":10,\"w\":10,\"h\":18,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":10,\"w\":10,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":28,\"w\":20,\"h\":13,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":28,\"y\":28,\"w\":20,\"h\":15,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":28,\"y\":10,\"w\":20,\"h\":18,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":38,\"y\":43,\"w\":10,\"h\":17,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":28,\"y\":43,\"w\":10,\"h\":17,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":31,\"w\":8,\"h\":10,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":41,\"w\":28,\"h\":19,\"i\":\"df0ca665-47a8-45ea-b2a1-739badb538dc\"},\"panelIndex\":\"df0ca665-47a8-45ea-b2a1-739badb538dc\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}}}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":84,\"w\":48,\"h\":41,\"i\":\"0b6ca6c5-38c1-4811-b40d-d1cd8229bb1f\"},\"panelIndex\":\"0b6ca6c5-38c1-4811-b40d-d1cd8229bb1f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a3d7ae56-264b-4e8f-9c45-242bff74179d"
},
{
"name": "panel_2",
"type": "visualization",
"id": "6d4ea29d-53c8-472b-acc3-c9257a7f0e91"
},
{
"name": "panel_3",
"type": "visualization",
"id": "727d7b36-4153-4c51-b723-2700a3c815f1"
},
{
"name": "panel_4",
"type": "visualization",
"id": "8a3a0bd6-555d-45c6-bf3d-d2b8598e9926"
},
{
"name": "panel_5",
"type": "visualization",
"id": "adb769dc-8ac5-46fa-abb3-d16c638d8279"
},
{
"name": "panel_6",
"type": "visualization",
"id": "2699477d-e158-4174-97ee-e1438fed0fee"
},
{
"name": "panel_7",
"type": "visualization",
"id": "AWDG9Qx0xQT5EBNmq3_2"
},
{
"name": "panel_8",
"type": "visualization",
"id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7"
},
{
"name": "panel_9",
"type": "visualization",
"id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8"
},
{
"name": "panel_10",
"type": "visualization",
"id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b"
},
{
"name": "panel_11",
"type": "visualization",
"id": "7dbb6c65-f197-4237-825c-fd102163a3bf"
},
{
"name": "panel_12",
"type": "visualization",
"id": "69241a80-421d-11ea-9084-41ab7c5fff2e"
},
{
"name": "panel_13",
"type": "search",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:25:05.903Z",
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a3d7ae56-264b-4e8f-9c45-242bff74179d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1MSwxXQ==",
"attributes": {
"title": "DNS - Server",
"visState": "{\"title\":\"DNS - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6d4ea29d-53c8-472b-acc3-c9257a7f0e91",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}",
"description": "",
"title": "DNS - Client",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "727d7b36-4153-4c51-b723-2700a3c815f1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1MywxXQ==",
"attributes": {
"title": "DNS - Query Class",
"visState": "{\"title\":\"DNS - Query Class\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Query Class\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dns.qclass_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Class\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8a3a0bd6-555d-45c6-bf3d-d2b8598e9926",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.query\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}",
"description": "",
"title": "DNS - Query/Answer",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "adb769dc-8ac5-46fa-abb3-d16c638d8279",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "DNS - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2699477d-e158-4174-97ee-e1438fed0fee",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"DNS - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}",
"description": "",
"title": "DNS - Destination Port",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG9Qx0xQT5EBNmq3_2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1NywxXQ==",
"attributes": {
"title": "DNS - Log Count",
"visState": "{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "240930b9-d4ad-40b6-ae9f-f7c64ea9d0f7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1OCwxXQ==",
"attributes": {
"title": "DNS - Answers",
"visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.answers\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4b82b26a-3ceb-41a0-b0b5-6fb6e876b1c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM1OSwxXQ==",
"attributes": {
"title": "DNS - Response Code (Name)",
"visState": "{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.rcode_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9d1204c9-7e26-44d3-a9be-eff725bf3f5b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM2MCwxXQ==",
"attributes": {
"title": "DNS - Query Type",
"visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dns.qtype_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7dbb6c65-f197-4237-825c-fd102163a3bf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:17.423Z",
"version": "WzM2MSwxXQ==",
"attributes": {
"title": "DNS - Protocol",
"visState": "{\"title\":\"DNS - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "69241a80-421d-11ea-9084-41ab7c5fff2e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:41.694Z",
"version": "WzYzMSwxXQ==",
"attributes": {
"title": "DNS Queries by Randomness",
"visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T12:24:41.694Z",
"version": "WzYzNywxXQ==",
"attributes": {
"title": "DNS - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_dns.query",
"zeek_dns.answers",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

389
Vagrant/resources/malcolm/kibana/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json Normal file
View File

@@ -0,0 +1,389 @@
{
"version": "7.10.0",
"objects": [
{
"id": "2d98bb8e-214c-4374-837b-20e1bcd63a5e",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMyOCwxXQ==",
"attributes": {
"title": "DHCP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":36,\"y\":28,\"w\":12,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":28,\"w\":12,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":40,\"y\":10,\"w\":8,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":10,\"w\":32,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":12,\"h\":18,\"i\":\"3bf94579-f6ba-4a29-a969-27a3d095271e\"},\"panelIndex\":\"3bf94579-f6ba-4a29-a969-27a3d095271e\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":12,\"y\":28,\"w\":12,\"h\":18,\"i\":\"b5afee68-07b2-416c-a5a5-d913efd76095\"},\"panelIndex\":\"b5afee68-07b2-416c-a5a5-d913efd76095\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":48,\"h\":32,\"i\":\"6c78964f-d1c8-4790-bda7-8802a7ea8986\"},\"panelIndex\":\"6c78964f-d1c8-4790-bda7-8802a7ea8986\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "1c337cf4-8030-4760-9828-7c0f5305c5bb"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "82fff513-b971-452e-a0fb-492c3091b771"
},
{
"name": "panel_3",
"type": "visualization",
"id": "78b8c460-7dc9-4b76-9bc4-ea831c0d7802"
},
{
"name": "panel_4",
"type": "visualization",
"id": "23975603-24ed-40f6-bb45-0780f4645d92"
},
{
"name": "panel_5",
"type": "visualization",
"id": "AWDG80RwxQT5EBNmq38x"
},
{
"name": "panel_6",
"type": "visualization",
"id": "1d178ca4-f067-4f46-bbc7-777a3fd69d47"
},
{
"name": "panel_7",
"type": "visualization",
"id": "5ac2f8e0-a0ea-11ea-9a51-fddbbdf2f26e"
},
{
"name": "panel_8",
"type": "visualization",
"id": "6ced64b0-a0ea-11ea-9a51-fddbbdf2f26e"
},
{
"name": "panel_9",
"type": "search",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "1c337cf4-8030-4760-9828-7c0f5305c5bb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMyOSwxXQ==",
"attributes": {
"visState": "{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "DHCP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "82fff513-b971-452e-a0fb-492c3091b771",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "DHCP - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "78b8c460-7dc9-4b76-9bc4-ea831c0d7802",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"DHCP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "DHCP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "23975603-24ed-40f6-bb45-0780f4645d92",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzMywxXQ==",
"attributes": {
"visState": "{\"title\":\"DHCP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "DHCP - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG80RwxQT5EBNmq38x",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzNCwxXQ==",
"attributes": {
"title": "DHCP - Log Count",
"visState": "{\"title\":\"DHCP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1d178ca4-f067-4f46-bbc7-777a3fd69d47",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzNSwxXQ==",
"attributes": {
"title": "DHCP - IP to MAC Assignment",
"visState": "{\"title\":\"DHCP - IP to MAC Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.assigned_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5ac2f8e0-a0ea-11ea-9a51-fddbbdf2f26e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzNiwxXQ==",
"attributes": {
"title": "DHCP - Client Software",
"visState": "{\"title\":\"DHCP - Client Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client Software\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Server Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.client_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client Software\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6ced64b0-a0ea-11ea-9a51-fddbbdf2f26e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzNywxXQ==",
"attributes": {
"title": "DHCP - Server Software",
"visState": "{\"title\":\"DHCP - Server Software\",\"type\":\"table\",\"params\":{\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client Software\",\"aggType\":\"terms\"}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dhcp.server_software\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Server Software\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "20ff62a1-06d6-4738-b611-945628d80305"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "20ff62a1-06d6-4738-b611-945628d80305",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:21.144Z",
"version": "WzMzOCwxXQ==",
"attributes": {
"title": "DHCP - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_dhcp.mac",
"zeek_dhcp.assigned_ip",
"dstIp",
"zeek_dhcp.host_name",
"zeek_dhcp.domain",
"zeek_dhcp.msg_types",
"zeek_dhcp.client_software",
"zeek_dhcp.server_software",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dhcp\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

281
Vagrant/resources/malcolm/kibana/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json Normal file
View File

@@ -0,0 +1,281 @@
{
"version": "7.10.0",
"objects": [
{
"id": "32587740-ef88-11e9-b38a-2db3ee640e88",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:52:27.963Z",
"version": "WzM2NDEsMV0=",
"attributes": {
"title": "Tabular Data Stream - RPC",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":30,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":29,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":22,\"i\":\"5\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":8,\"x\":8,\"y\":8},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":22,\"i\":\"7\",\"w\":11,\"x\":16,\"y\":8},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "search",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_2",
"type": "visualization",
"id": "a0e195c0-ef88-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_3",
"type": "visualization",
"id": "cf812990-ef88-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_4",
"type": "visualization",
"id": "ab081a60-ef83-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_5",
"type": "visualization",
"id": "7b819a40-ef89-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_6",
"type": "visualization",
"id": "b38de650-ef89-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "11884140-ef82-11e9-b38a-2db3ee640e88",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1NCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_tds_rpc.procedure_name",
"zeek_tds_rpc.parameter",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"tds_rpc\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "a0e195c0-ef88-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1NSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Log Count",
"visState": "{\"title\":\"Tabular Data Stream - RPC Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cf812990-ef88-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1NiwxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Log Count Over Time",
"visState": "{\"title\":\"Tabular Data Stream - RPC Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ab081a60-ef83-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1NywxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Procedure",
"visState": "{\"title\":\"Tabular Data Stream - RPC Procedure\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_rpc.procedure_name\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Procedure\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7b819a40-ef89-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1OCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Source IP",
"visState": "{\"title\":\"Tabular Data Stream - RPC Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b38de650-ef89-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:22.188Z",
"version": "WzM1OSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - RPC Destination IP",
"visState": "{\"title\":\"Tabular Data Stream - RPC Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "11884140-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

491
Vagrant/resources/malcolm/kibana/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json Normal file
View File

@@ -0,0 +1,491 @@
{
"version": "7.10.0",
"objects": [
{
"id": "36ed695f-edcc-47c1-b0ec-50d20c93ce0f",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM2OCwxXQ==",
"attributes": {
"title": "Intel",
"hits": 0,
"description": "",
"panelsJSON": "[{\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_8\"},{\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_9\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek.uid\",\"zeek.fuid\",\"_id\"],\"sort\":[\"firstPacket\",\"desc\"]}},{\"embeddableConfig\":{},\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_10\"},{\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_11\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "2721f49d-4e64-4145-9e81-85e856c20b37"
},
{
"name": "panel_2",
"type": "visualization",
"id": "ee52f4a1-4232-4c49-abee-accc05ea91aa"
},
{
"name": "panel_3",
"type": "visualization",
"id": "80cabf50-a849-4e24-a9c7-130cba1a8141"
},
{
"name": "panel_4",
"type": "visualization",
"id": "cd5ecdc5-e74d-469f-a772-f03562fa2e33"
},
{
"name": "panel_5",
"type": "visualization",
"id": "8296467e-ce1d-493c-a46c-948ec4fd7c83"
},
{
"name": "panel_6",
"type": "visualization",
"id": "a2d0a8bb-a6a2-4a1e-826c-0ce3ea8ff074"
},
{
"name": "panel_7",
"type": "visualization",
"id": "a27464ba-582d-405f-931d-003d8252ff4a"
},
{
"name": "panel_8",
"type": "visualization",
"id": "2d2f90e4-cac7-47c5-b63d-077b596ba45b"
},
{
"name": "panel_9",
"type": "search",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
},
{
"name": "panel_10",
"type": "visualization",
"id": "d23ba78a-f080-4bc1-bdcf-114cb081773f"
},
{
"name": "panel_11",
"type": "visualization",
"id": "fa56cc7f-fb00-47fb-becb-1b1fdfea908e"
},
{
"name": "panel_12",
"type": "visualization",
"id": "AWDG-Qf8xQT5EBNmq4G5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2721f49d-4e64-4145-9e81-85e856c20b37",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ee52f4a1-4232-4c49-abee-accc05ea91aa",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3MSwxXQ==",
"attributes": {
"title": "Intel - Seen",
"visState": "{\"title\":\"Intel - Seen\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_intel.seen_where\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "80cabf50-a849-4e24-a9c7-130cba1a8141",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.sources\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Source",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cd5ecdc5-e74d-469f-a772-f03562fa2e33",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3MywxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8296467e-ce1d-493c-a46c-948ec4fd7c83",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a2d0a8bb-a6a2-4a1e-826c-0ce3ea8ff074",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.indicator\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Indicator",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a27464ba-582d-405f-931d-003d8252ff4a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - MIME Type",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2d2f90e4-cac7-47c5-b63d-077b596ba45b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3NywxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_intel.matched\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Matched",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3OCwxXQ==",
"attributes": {
"sort": [
[
"firstPacket",
"desc"
]
],
"hits": 0,
"description": "",
"title": "Intel - Logs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"zeek.logType:intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek.uid",
"zeek.fuid",
"_id"
]
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "d23ba78a-f080-4bc1-bdcf-114cb081773f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM3OSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Intel - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "Intel - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fa56cc7f-fb00-47fb-becb-1b1fdfea908e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM4MCwxXQ==",
"attributes": {
"title": "Intel - Indicator Type",
"visState": "{\"title\":\"Intel - Indicator Type\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_intel.indicator_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG-Qf8xQT5EBNmq4G5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:23.239Z",
"version": "WzM4MSwxXQ==",
"attributes": {
"title": "Intel - Log Count",
"visState": "{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5154d8e9-c83e-4d42-bde3-33ad0c7d1798"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

667
Vagrant/resources/malcolm/kibana/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json Normal file
View File

@@ -0,0 +1,667 @@
{
"version": "7.10.2",
"objects": [
{
"id": "37041ee1-79c0-4684-a436-3173b0e89876",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:45:04.554Z",
"version": "WzE3OTMsMV0=",
"attributes": {
"title": "HTTP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":19,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"5\",\"w\":14,\"x\":20,\"y\":48},\"panelIndex\":\"5\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":14,\"x\":34,\"y\":48},\"panelIndex\":\"6\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":117},\"panelIndex\":\"8\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":10,\"x\":10,\"y\":48},\"panelIndex\":\"14\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":10,\"x\":0,\"y\":48},\"panelIndex\":\"15\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":48,\"x\":0,\"y\":99},\"panelIndex\":\"16\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":117},\"panelIndex\":\"17\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"20\",\"w\":24,\"x\":24,\"y\":66},\"panelIndex\":\"20\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}}},\"gridData\":{\"h\":20,\"i\":\"21\",\"w\":24,\"x\":0,\"y\":66},\"panelIndex\":\"21\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":7,\"i\":\"23\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"23\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"24\",\"w\":16,\"x\":32,\"y\":19},\"panelIndex\":\"24\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"w\":8,\"x\":8,\"y\":7},\"panelIndex\":\"70661228-52d4-4ecf-a5a4-139d0ecdd662\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"w\":24,\"x\":8,\"y\":19},\"panelIndex\":\"e2ba3677-11c6-4cd9-87f3-fb3473718d10\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"w\":8,\"x\":0,\"y\":30},\"panelIndex\":\"128a48be-397e-4c27-a8a1-bc6cb280d6b1\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_15\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"b6166133-469b-41cd-8396-cb2db18eb8b9\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_16\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":42,\"i\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"w\":48,\"x\":0,\"y\":135},\"panelIndex\":\"7337ff11-23e0-4f6e-981f-a043f15e60cf\",\"version\":\"7.10.2\",\"panelRefName\":\"panel_17\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "3b8fee79-8f9d-450a-8362-024c84656efb"
},
{
"name": "panel_2",
"type": "visualization",
"id": "c3c266ad-58c5-45f4-a463-180b531bd96e"
},
{
"name": "panel_3",
"type": "visualization",
"id": "be7d9516-7555-407f-9971-0394c7e822e4"
},
{
"name": "panel_4",
"type": "visualization",
"id": "9197cd63-7fe4-4c87-8fab-f7eaa8ca6252"
},
{
"name": "panel_5",
"type": "visualization",
"id": "2c18f5be-4023-40fb-8de6-7b490045520b"
},
{
"name": "panel_6",
"type": "visualization",
"id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa"
},
{
"name": "panel_7",
"type": "visualization",
"id": "3c7d9915-8fea-4423-82b6-44499820de71"
},
{
"name": "panel_8",
"type": "visualization",
"id": "30bb6fc3-d33e-4aaf-b805-b8e10008e98b"
},
{
"name": "panel_9",
"type": "visualization",
"id": "a6cacf2a-7cf5-4991-be10-474429651b51"
},
{
"name": "panel_10",
"type": "visualization",
"id": "054326f5-92f3-4202-a7cf-cc0d3eb92ad4"
},
{
"name": "panel_11",
"type": "visualization",
"id": "AWDG97t7xQT5EBNmq4E1"
},
{
"name": "panel_12",
"type": "visualization",
"id": "eedbcaaf-1713-4ec2-acbd-b1e32a34579a"
},
{
"name": "panel_13",
"type": "visualization",
"id": "aa4a78f0-4db8-11ea-8336-d3388483188b"
},
{
"name": "panel_14",
"type": "visualization",
"id": "db357c20-760d-11eb-8496-3528afc64ddb"
},
{
"name": "panel_15",
"type": "visualization",
"id": "6efd67a0-760f-11eb-8496-3528afc64ddb"
},
{
"name": "panel_16",
"type": "visualization",
"id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a"
},
{
"name": "panel_17",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:47:06.069Z",
"version": "Wzg3NCwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3b8fee79-8f9d-450a-8362-024c84656efb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzM5OCwxXQ==",
"attributes": {
"title": "HTTP - Status Over Time",
"visState": "{\"title\":\"HTTP - Status Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status Code\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"firstPacket per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T16:47:29.688Z\",\"max\":\"2020-02-12T16:47:29.689Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Status Code\",\"aggType\":\"terms\"}]},\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"line\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c3c266ad-58c5-45f4-a463-180b531bd96e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzM5OSwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - Sites",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "be7d9516-7555-407f-9971-0394c7e822e4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwMCwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - Sites Hosting EXEs",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9197cd63-7fe4-4c87-8fab-f7eaa8ca6252",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.uri\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - URIs",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2c18f5be-4023-40fb-8de6-7b490045520b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "44d6d5ce-bdf6-46d3-ad97-a30ebda437fa",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwMywxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3c7d9915-8fea-4423-82b6-44499820de71",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwNCwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - User Agent",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "30bb6fc3-d33e-4aaf-b805-b8e10008e98b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwNSwxXQ==",
"attributes": {
"visState": "{\"title\":\"HTTP - Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_http.referrer\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "HTTP - Referrer",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a6cacf2a-7cf5-4991-be10-474429651b51",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwNiwxXQ==",
"attributes": {
"title": "HTTP - Destination Port",
"visState": "{\"title\":\"HTTP - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "054326f5-92f3-4202-a7cf-cc0d3eb92ad4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwNywxXQ==",
"attributes": {
"title": "HTTP - Destination Country",
"visState": "{\"title\":\"HTTP - Destination Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":false,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG97t7xQT5EBNmq4E1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQwOCwxXQ==",
"attributes": {
"title": "HTTP - Log Count",
"visState": "{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "eedbcaaf-1713-4ec2-acbd-b1e32a34579a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:39:48.451Z",
"version": "WzE2NzAsMV0=",
"attributes": {
"title": "HTTP - Status and Method",
"visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.status_msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_http.method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "aa4a78f0-4db8-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQxMCwxXQ==",
"attributes": {
"title": "HTTP - Unique Usernames and Passwords",
"visState": "{\"title\":\"HTTP - Unique Usernames and Passwords\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":48}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}},{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.user\",\"customLabel\":\"Unique Usernames\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek.password\",\"customLabel\":\"Unique Cleartext Passwords\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "db357c20-760d-11eb-8496-3528afc64ddb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:32:24.930Z",
"version": "WzE1NzgsMV0=",
"attributes": {
"title": "HTTP - Method and Status",
"visState": "{\"title\":\"HTTP - Method and Status\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":40,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6efd67a0-760f-11eb-8496-3528afc64ddb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:44:37.021Z",
"version": "WzE3NzAsMV0=",
"attributes": {
"title": "HTTP - Version",
"visState": "{\"title\":\"HTTP - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HTTP Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.service_version:\\\"0.0\\\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7b56ed70-6faa-11eb-958c-51e33b5cae2a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQxMSwxXQ==",
"attributes": {
"title": "HTTP - File Type",
"visState": "{\"title\":\"HTTP - File Type\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":false}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1762ad89-2039-4d70-8c2d-60b3e5a2c381",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:21.647Z",
"version": "WzQxMiwxXQ==",
"attributes": {
"title": "HTTP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_http.host",
"zeek_http.method",
"zeek_http.status_msg",
"zeek.uid",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:http\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "39abfe30-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:25.340Z",
"version": "WzQxNCwxXQ==",
"attributes": {
"title": "Connections - Source - Top Connection Duration (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"2ed3d708-31cc-4504-87da-63a315c76e76\"},\"panelIndex\":\"2ed3d708-31cc-4504-87da-63a315c76e76\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"35ff09b6-1039-4b4e-9469-296245630598\"},\"panelIndex\":\"35ff09b6-1039-4b4e-9469-296245630598\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "af00a490-3f96-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "af00a490-3f96-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:25.340Z",
"version": "WzQxNiwxXQ==",
"attributes": {
"title": "Connections - Source - Top Connection Duration (region map)",
"visState": "{\"title\":\"Connections - Source - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[37.17328344112096,15.644531250000002],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

534
Vagrant/resources/malcolm/kibana/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json Normal file
View File

@@ -0,0 +1,534 @@
{
"version": "7.10.0",
"objects": [
{
"id": "42e831b9-41a9-4f35-8b7d-e1566d368773",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:04:53.082Z",
"version": "WzMxNjAsMV0=",
"attributes": {
"title": "SMB",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":13,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":50,\"w\":20,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":50,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":21,\"y\":13,\"w\":12,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":32,\"w\":23,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":23,\"y\":32,\"w\":25,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":13,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":40,\"y\":50,\"w\":8,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":13,\"w\":13,\"h\":19,\"i\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\"},\"panelIndex\":\"c9b45e56-7e2e-4949-ad5f-05504515cc70\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":33,\"y\":13,\"w\":15,\"h\":19,\"i\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\"},\"panelIndex\":\"67e0e34e-49ae-46da-a9a3-83ca7676bee0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":87,\"w\":48,\"h\":42,\"i\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\"},\"panelIndex\":\"cf75e7f0-cce1-449c-a40d-15e8fa40325d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "c4829cb4-ed05-4154-ab6c-9240f0ea0b04"
},
{
"name": "panel_2",
"type": "visualization",
"id": "3b82d24e-d3dd-48fa-a539-98a46ccbfd49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "974779e2-ab49-4fe8-88db-bf5321664f1a"
},
{
"name": "panel_4",
"type": "visualization",
"id": "3282a033-fff4-41cb-abe6-d896b4a2e03d"
},
{
"name": "panel_5",
"type": "visualization",
"id": "02359f84-0114-4d9d-8731-2b6820722e32"
},
{
"name": "panel_6",
"type": "visualization",
"id": "c8f1ff18-93e9-4ce9-a188-c947f7dadc05"
},
{
"name": "panel_7",
"type": "visualization",
"id": "24b9dbff-7362-4982-9ce7-660001594ff9"
},
{
"name": "panel_8",
"type": "visualization",
"id": "AWDHDfDkxQT5EBNmq4fQ"
},
{
"name": "panel_9",
"type": "visualization",
"id": "0fa8205d-717f-4385-a031-d15e5f1b6c08"
},
{
"name": "panel_10",
"type": "visualization",
"id": "b9aaa580-4e9a-11ea-b504-97aa449f6abc"
},
{
"name": "panel_11",
"type": "visualization",
"id": "b74e39c0-49ca-11ea-812f-2bc51df4ea1e"
},
{
"name": "panel_12",
"type": "search",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c4829cb4-ed05-4154-ab6c-9240f0ea0b04",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SMB - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3b82d24e-d3dd-48fa-a539-98a46ccbfd49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyMywxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMB - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "974779e2-ab49-4fe8-88db-bf5321664f1a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyNCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMB - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3282a033-fff4-41cb-abe6-d896b4a2e03d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyNSwxXQ==",
"attributes": {
"title": "SMB - Version",
"visState": "{\"title\":\"SMB - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"SMB Version\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "02359f84-0114-4d9d-8731-2b6820722e32",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyNiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - File Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}",
"description": "",
"title": "SMB - FIle Path",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c8f1ff18-93e9-4ce9-a188-c947f7dadc05",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyNywxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}",
"description": "",
"title": "SMB - File Name",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "24b9dbff-7362-4982-9ce7-660001594ff9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyOCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.path\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smb_files.name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMB - File/Path Summary",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHDfDkxQT5EBNmq4fQ",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQyOSwxXQ==",
"attributes": {
"title": "SMB - Log Count",
"visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SMB Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0fa8205d-717f-4385-a031-d15e5f1b6c08",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQzMCwxXQ==",
"attributes": {
"title": "SMB - Destination Port",
"visState": "{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b9aaa580-4e9a-11ea-b504-97aa449f6abc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQzMSwxXQ==",
"attributes": {
"title": "SMB - Relevant Notices",
"visState": "{\"title\":\"SMB - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(EternalSafety OR SMB OR ATTACK)\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b74e39c0-49ca-11ea-812f-2bc51df4ea1e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQzMiwxXQ==",
"attributes": {
"title": "SMB Action",
"visState": "{\"title\":\"SMB Action\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.action: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e0cefef5-911e-4e38-a1ea-e67c982cb7c7",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:26.351Z",
"version": "WzQzMywxXQ==",
"attributes": {
"title": "SMB - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"srcIp",
"dstIp",
"dstPort",
"zeek.service_version",
"zeek.action",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0OCwxXQ==",
"attributes": {
"title": "Notices - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_notice.category",
"zeek_notice.sub_category",
"zeek_notice.msg",
"srcIp",
"dstIp",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

457
Vagrant/resources/malcolm/kibana/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json Normal file
View File

@@ -0,0 +1,457 @@
{
"version": "7.10.0",
"objects": [
{
"id": "432af556-c5c0-4cc3-8166-b274b4e3a406",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:16:14.488Z",
"version": "WzE4MjcsMV0=",
"attributes": {
"title": "DCE/RPC",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":48,\"i\":\"3\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":20,\"x\":8,\"y\":28},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":20,\"x\":28,\"y\":28},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":21,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":48},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":21,\"i\":\"9\",\"w\":24,\"x\":24,\"y\":48},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"10\",\"w\":20,\"x\":8,\"y\":8},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":21,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":69},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"14\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"16\",\"w\":20,\"x\":28,\"y\":8},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":21,\"i\":\"17\",\"w\":24,\"x\":0,\"y\":69},\"panelIndex\":\"17\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":41,\"i\":\"b3cbd28a-4659-4e23-bf69-106fad9d565c\",\"w\":48,\"x\":0,\"y\":90},\"panelIndex\":\"b3cbd28a-4659-4e23-bf69-106fad9d565c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "64e82156-689a-41fc-974f-efe021d73dc0"
},
{
"name": "panel_2",
"type": "visualization",
"id": "ea6fd4c1-04f0-450a-9b4b-ecb9db0117dc"
},
{
"name": "panel_3",
"type": "visualization",
"id": "6f4a3352-abb1-4a5e-8665-ab86954aed7d"
},
{
"name": "panel_4",
"type": "visualization",
"id": "8d57876a-ee4d-4843-8148-9ac644ce5b45"
},
{
"name": "panel_5",
"type": "visualization",
"id": "d3858962-fc17-4d6f-b933-e94f7ffc9ae3"
},
{
"name": "panel_6",
"type": "visualization",
"id": "52727beb-0e12-4ee5-a3d4-eebd93ee2dd3"
},
{
"name": "panel_7",
"type": "visualization",
"id": "b57e74bf-8024-44cd-b755-7d73e19588c2"
},
{
"name": "panel_8",
"type": "visualization",
"id": "AWDG8k4OxQT5EBNmq37a"
},
{
"name": "panel_9",
"type": "visualization",
"id": "30c677f4-d593-440c-b420-56532602853b"
},
{
"name": "panel_10",
"type": "visualization",
"id": "6b6bcbc1-6753-409f-86dd-f552195ccf03"
},
{
"name": "panel_11",
"type": "search",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "64e82156-689a-41fc-974f-efe021d73dc0",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQzNywxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ea6fd4c1-04f0-450a-9b4b-ecb9db0117dc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQzOCwxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6f4a3352-abb1-4a5e-8665-ab86954aed7d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQzOSwxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8d57876a-ee4d-4843-8148-9ac644ce5b45",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Endpoint",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d3858962-fc17-4d6f-b933-e94f7ffc9ae3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Named Pipe",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52727beb-0e12-4ee5-a3d4-eebd93ee2dd3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}",
"description": "",
"title": "DCE/RPC - Operation",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b57e74bf-8024-44cd-b755-7d73e19588c2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0MywxXQ==",
"attributes": {
"title": "DCE/RPC - Round Trip Time",
"visState": "{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG8k4OxQT5EBNmq37a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0NCwxXQ==",
"attributes": {
"title": "DCE/RPC - Log Count",
"visState": "{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "30c677f4-d593-440c-b420-56532602853b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0NSwxXQ==",
"attributes": {
"title": "DCE/RPC - Destination Port",
"visState": "{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6b6bcbc1-6753-409f-86dd-f552195ccf03",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0NiwxXQ==",
"attributes": {
"title": "DCE/RPC - Summary",
"visState": "{\"title\":\"DCE/RPC - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.endpoint\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.operation\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dce_rpc.named_pipe\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "bc940221-83d5-416e-a353-dc8fc2f84141"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bc940221-83d5-416e-a353-dc8fc2f84141",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:27.443Z",
"version": "WzQ0NywxXQ==",
"attributes": {
"title": "DCE/RPC - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_dce_rpc.operation",
"zeek_dce_rpc.endpoint",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

355
Vagrant/resources/malcolm/kibana/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json Normal file
View File

@@ -0,0 +1,355 @@
{
"version": "7.10.2",
"objects": [
{
"id": "4a073440-b286-11eb-a4d4-09fa12a6ebd4",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T19:19:14.565Z",
"version": "WzE1OTcsMV0=",
"attributes": {
"title": "EtherCAT",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":33,\"i\":\"93f9befa-ff74-4dd7-893d-831006bfe274\"},\"panelIndex\":\"93f9befa-ff74-4dd7-893d-831006bfe274\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":15,\"i\":\"1e68e631-2943-466f-b7f8-fac05fc4669a\"},\"panelIndex\":\"1e68e631-2943-466f-b7f8-fac05fc4669a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":15,\"w\":16,\"h\":18,\"i\":\"2affeb62-eb87-488b-b550-fc19f54af3a4\"},\"panelIndex\":\"2affeb62-eb87-488b-b550-fc19f54af3a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":32,\"y\":15,\"w\":16,\"h\":18,\"i\":\"abf49196-e719-4cbd-bd61-60552e21c011\"},\"panelIndex\":\"abf49196-e719-4cbd-bd61-60552e21c011\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":33,\"w\":19,\"h\":23,\"i\":\"ef345857-8c3c-4440-936e-4a110dd35cf3\"},\"panelIndex\":\"ef345857-8c3c-4440-936e-4a110dd35cf3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":19,\"y\":33,\"w\":29,\"h\":23,\"i\":\"2a854e26-54da-4437-93d3-fb13e9374e54\"},\"panelIndex\":\"2a854e26-54da-4437-93d3-fb13e9374e54\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":25,\"i\":\"84724642-17c1-4933-bf72-3cb539a47d56\"},\"panelIndex\":\"84724642-17c1-4933-bf72-3cb539a47d56\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":81,\"w\":48,\"h\":23,\"i\":\"d6124943-9598-45b9-a785-dbe4592ad132\"},\"panelIndex\":\"d6124943-9598-45b9-a785-dbe4592ad132\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a5327000-b286-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_2",
"type": "visualization",
"id": "47a55a00-b287-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_3",
"type": "visualization",
"id": "fbee9c60-b287-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_4",
"type": "visualization",
"id": "162d0e40-b288-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_5",
"type": "visualization",
"id": "94900e50-b287-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_6",
"type": "visualization",
"id": "b5f51c30-b28b-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_7",
"type": "search",
"id": "aaa50880-b28c-11eb-a4d4-09fa12a6ebd4"
},
{
"name": "panel_8",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T17:59:04.924Z",
"version": "Wzg4MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a5327000-b286-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T18:28:47.735Z",
"version": "WzExNzgsMV0=",
"attributes": {
"title": "EtherCAT - Log Count",
"visState": "{\"title\":\"EtherCAT - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "47a55a00-b287-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T18:32:45.728Z",
"version": "WzEyNDcsMV0=",
"attributes": {
"title": "EtherCAT - Log Count Over Time",
"visState": "{\"title\":\"EtherCAT - Log Count Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2021-03-01T05:59:58.120Z\",\"to\":\"2021-03-01T06:00:51.365Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"},\"schema\":\"group\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"bottom\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fbee9c60-b287-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T18:37:48.198Z",
"version": "WzEyODcsMV0=",
"attributes": {
"title": "EtherCAT - Source",
"visState": "{\"title\":\"EtherCAT - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"srcMac\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source MAC\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"srcOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Source OUI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "162d0e40-b288-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T18:38:32.228Z",
"version": "WzEzMDYsMV0=",
"attributes": {
"title": "EtherCAT - Destination",
"visState": "{\"title\":\"EtherCAT - Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstMac\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination MAC\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstOui\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Destination OUI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "94900e50-b287-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T19:05:57.548Z",
"version": "WzE0ODgsMV0=",
"attributes": {
"title": "EtherCAT - Commands",
"visState": "{\"title\":\"EtherCAT - Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b5f51c30-b28b-11eb-a4d4-09fa12a6ebd4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T19:15:02.736Z",
"version": "WzE1NzcsMV0=",
"attributes": {
"title": "EtherCAT - Register Types and Commands",
"visState": "{\"title\":\"EtherCAT - Register Types and Commands\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ecat_registers.register_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Register Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:ecat_registers\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "aaa50880-b28c-11eb-a4d4-09fa12a6ebd4",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T19:11:38.623Z",
"version": "WzE1MzEsMV0=",
"attributes": {
"title": "EtherCAT Registers - Logs",
"description": "",
"hits": 0,
"columns": [
"srcMac",
"srcOui",
"dstMac",
"dstOui",
"zeek.action",
"zeek_ecat_registers.register_type",
"zeek_ecat_registers.slave_addr",
"zeek_ecat_registers.register_addr"
],
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:ecat_registers\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "39562200-b286-11eb-a4d4-09fa12a6ebd4",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-05-11T18:25:12.224Z",
"version": "WzExMDAsMV0=",
"attributes": {
"title": "Logs - EtherCAT",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.action",
"srcMac",
"srcOui",
"dstMac",
"dstOui"
],
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"zeek.logType:ecat*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

508
Vagrant/resources/malcolm/kibana/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json Normal file
View File

@@ -0,0 +1,508 @@
{
"version": "7.10.0",
"objects": [
{
"id": "4a4bde20-4760-11ea-949c-bbb5a9feecbf",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ0OCwxXQ==",
"attributes": {
"title": "ICS/IoT Security Overview",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":25,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":36,\"i\":\"02fde066-221d-4262-ae35-742f7bb8933c\",\"w\":9,\"x\":8,\"y\":0},\"panelIndex\":\"02fde066-221d-4262-ae35-742f7bb8933c\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"d94eb348-e32a-4aa9-a987-4c5b39b4b08a\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"d94eb348-e32a-4aa9-a987-4c5b39b4b08a\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"ed7f0280-cb4d-4c30-95e0-e160269de2fb\",\"w\":31,\"x\":17,\"y\":18},\"panelIndex\":\"ed7f0280-cb4d-4c30-95e0-e160269de2fb\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"7077f7b2-0f10-4d3d-ad63-9611144c1edb\",\"w\":8,\"x\":0,\"y\":25},\"panelIndex\":\"7077f7b2-0f10-4d3d-ad63-9611144c1edb\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":39,\"i\":\"ab1a666c-19f2-4954-81b7-18554a95818f\",\"w\":19,\"x\":17,\"y\":36},\"panelIndex\":\"ab1a666c-19f2-4954-81b7-18554a95818f\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"a56f7751-0030-44e1-8e62-3fb1018f4a7e\",\"w\":12,\"x\":36,\"y\":36},\"panelIndex\":\"a56f7751-0030-44e1-8e62-3fb1018f4a7e\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"f339fb9a-7660-4b97-9245-14116c969ec9\",\"w\":17,\"x\":0,\"y\":36},\"panelIndex\":\"f339fb9a-7660-4b97-9245-14116c969ec9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"14a8b2bb-ca81-42a5-90aa-e70b5bd81d89\",\"w\":12,\"x\":36,\"y\":55},\"panelIndex\":\"14a8b2bb-ca81-42a5-90aa-e70b5bd81d89\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"218c8873-ec71-4a2c-9c8d-5fa62afa2de1\",\"w\":17,\"x\":0,\"y\":55},\"panelIndex\":\"218c8873-ec71-4a2c-9c8d-5fa62afa2de1\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"26e11cb0-ce55-4980-9fba-be104eda38a7\",\"w\":48,\"x\":0,\"y\":75},\"panelIndex\":\"26e11cb0-ce55-4980-9fba-be104eda38a7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "31e06210-4761-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_2",
"type": "visualization",
"id": "b614fcd0-4761-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_3",
"type": "visualization",
"id": "71d832b0-4763-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_4",
"type": "visualization",
"id": "adc09360-49c7-11ea-812f-2bc51df4ea1e"
},
{
"name": "panel_5",
"type": "visualization",
"id": "0db533e0-47a0-11ea-86b0-e3b81eb90684"
},
{
"name": "panel_6",
"type": "visualization",
"id": "60e83820-4762-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_7",
"type": "visualization",
"id": "f17fab90-4760-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_8",
"type": "visualization",
"id": "8253ab70-4762-11ea-949c-bbb5a9feecbf"
},
{
"name": "panel_9",
"type": "visualization",
"id": "1c681a40-47a2-11ea-86b0-e3b81eb90684"
},
{
"name": "panel_10",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "31e06210-4761-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1MCwxXQ==",
"attributes": {
"title": "ICS/IoT Log Counts",
"visState": "{\"title\":\"ICS/IoT Log Counts\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b614fcd0-4761-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1MSwxXQ==",
"attributes": {
"title": "ICS/IoT Traffic Over Time",
"visState": "{\"title\":\"ICS/IoT Traffic Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-04T15:18:33.141Z\",\"max\":\"2020-02-04T15:18:33.141Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "71d832b0-4763-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1MiwxXQ==",
"attributes": {
"title": "ICS/IoT External Traffic",
"visState": "{\"title\":\"ICS/IoT External Traffic\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Destination Country\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":499,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Country\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Destination Country\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Country\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "adc09360-49c7-11ea-812f-2bc51df4ea1e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:50.357Z",
"version": "WzY5OSwxXQ==",
"attributes": {
"title": "Network Layer",
"visState": "{\"title\":\"Network Layer\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Network Layer\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Layer\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0db533e0-47a0-11ea-86b0-e3b81eb90684",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1NCwxXQ==",
"attributes": {
"title": "Non-ICS/IoT Protocols Observed",
"visState": "{\"title\":\"Non-ICS/IoT Protocols Observed\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":true,\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"NOT zeek.service:(bacnet* OR bestguess OR bsap* OR cip* OR dnp3* OR ecat* OR enip* OR cotp OR *modbus* OR mqtt OR profinet* OR s7comm)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "60e83820-4762-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1NSwxXQ==",
"attributes": {
"title": "ICS/IoT Source IP",
"visState": "{\"title\":\"ICS/IoT Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f17fab90-4760-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1NiwxXQ==",
"attributes": {
"title": "ICS/IoT Actions and Results",
"visState": "{\"title\":\"ICS/IoT Actions and Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.action:* OR zeek.result:*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8253ab70-4762-11ea-949c-bbb5a9feecbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1NywxXQ==",
"attributes": {
"title": "ICS/IoT Destination IP",
"visState": "{\"title\":\"ICS/IoT Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1c681a40-47a2-11ea-86b0-e3b81eb90684",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1OCwxXQ==",
"attributes": {
"title": "File Types by Transport",
"visState": "{\"title\":\"File Types by Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Transport\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1dc3dfb0-4760-11ea-949c-bbb5a9feecbf",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:28.484Z",
"version": "WzQ1OSwxXQ==",
"attributes": {
"title": "ICS/IoT Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek.action",
"zeek.result",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(bacnet* OR bestguess OR bsap* OR cip* OR dnp3* OR ecat* OR enip OR iso_cotp OR modbus* OR mqtt* OR profinet OR s7comm)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0NiwxXQ==",
"attributes": {
"title": "Files - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_files.tx_hosts",
"dstIp",
"zeek_files.source",
"zeek_files.mime_type",
"zeek.uid",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

387
Vagrant/resources/malcolm/kibana/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json Normal file
View File

@@ -0,0 +1,387 @@
{
"version": "7.10.2",
"objects": [
{
"id": "4e5f106e-c60a-4226-8f64-d534abb912ab",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:22:09.074Z",
"version": "WzExNzEsMV0=",
"attributes": {
"title": "SNMP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":33,\"w\":10,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":10,\"y\":33,\"w\":12,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":20,\"y\":14,\"w\":9,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":14,\"w\":12,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":29,\"y\":14,\"w\":19,\"h\":19,\"i\":\"21d58bff-8812-458a-9c96-ad6bff972ead\"},\"panelIndex\":\"21d58bff-8812-458a-9c96-ad6bff972ead\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":22,\"y\":33,\"w\":26,\"h\":19,\"i\":\"71465d94-06a3-4a70-8cb8-ad4036300379\"},\"panelIndex\":\"71465d94-06a3-4a70-8cb8-ad4036300379\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":52,\"w\":48,\"h\":32,\"i\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\"},\"panelIndex\":\"3c17aeed-cffb-4aaf-a3b3-710de42d206c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "96dc7277-2123-4a0d-9311-571a6dd9bb0a"
},
{
"name": "panel_2",
"type": "visualization",
"id": "272670ef-2b43-45dc-b8ae-c7f2ead10348"
},
{
"name": "panel_3",
"type": "visualization",
"id": "cf0c69f3-7cc6-4c70-a33a-154e77ca547a"
},
{
"name": "panel_4",
"type": "visualization",
"id": "f95dd65c-c240-4144-bd27-ff5692843e25"
},
{
"name": "panel_5",
"type": "visualization",
"id": "AWDHD-LfxQT5EBNmq4iB"
},
{
"name": "panel_6",
"type": "visualization",
"id": "72341dff-ce1a-4f9c-bf4b-5675409476a1"
},
{
"name": "panel_7",
"type": "visualization",
"id": "2969b5e0-6c96-11eb-b775-c574dc643cbb"
},
{
"name": "panel_8",
"type": "visualization",
"id": "f0bd55b0-760b-11eb-8496-3528afc64ddb"
},
{
"name": "panel_9",
"type": "search",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:47:06.069Z",
"version": "Wzg3NCwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "96dc7277-2123-4a0d-9311-571a6dd9bb0a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2MywxXQ==",
"attributes": {
"visState": "{\"title\":\"SNMP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SNMP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "272670ef-2b43-45dc-b8ae-c7f2ead10348",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SNMP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cf0c69f3-7cc6-4c70-a33a-154e77ca547a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2NSwxXQ==",
"attributes": {
"title": "SNMP - Destination IP Address",
"visState": "{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f95dd65c-c240-4144-bd27-ff5692843e25",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.duration\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}",
"description": "",
"title": "SNMP - Session Duration",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHD-LfxQT5EBNmq4iB",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2NywxXQ==",
"attributes": {
"title": "SNMP - Log Count",
"visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":100}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#FB9E00\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":30}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "72341dff-ce1a-4f9c-bf4b-5675409476a1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2OCwxXQ==",
"attributes": {
"title": "SNMP - Community String",
"visState": "{\"title\":\"SNMP - Community String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_snmp.community\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2969b5e0-6c96-11eb-b775-c574dc643cbb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ2OSwxXQ==",
"attributes": {
"title": "SNMP - PDU Type",
"visState": "{\"title\":\"SNMP - PDU Type\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true,\"orderBucketsBySum\":false}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f0bd55b0-760b-11eb-8496-3528afc64ddb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:18:42.059Z",
"version": "WzEwOTcsMV0=",
"attributes": {
"title": "SNMP - Version and PDU Type",
"visState": "{\"title\":\"SNMP - Version and PDU Type\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SNMP Version\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a7b5dae1-2f35-47c9-91ba-c8e8e66d10c8",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:26.687Z",
"version": "WzQ3MCwxXQ==",
"attributes": {
"title": "SNMP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_snmp.version",
"zeek.action",
"zeek_snmp.community",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:snmp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

246
Vagrant/resources/malcolm/kibana/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json Normal file
View File

@@ -0,0 +1,246 @@
{
"version": "7.10.0",
"objects": [
{
"id": "50ced171-1b10-4c3f-8b67-2db9635661a6",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:59:01.107Z",
"version": "WzIzMTEsMV0=",
"attributes": {
"title": "MySQL",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":11,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":26,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":11,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":8,\"h\":11,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":26,\"i\":\"04e96790-2a76-4656-956b-bdf780792c40\"},\"panelIndex\":\"04e96790-2a76-4656-956b-bdf780792c40\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":37,\"w\":48,\"h\":26,\"i\":\"27a5666b-5633-4982-b276-ecafa4a38b74\"},\"panelIndex\":\"27a5666b-5633-4982-b276-ecafa4a38b74\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "a2e900c8-9dd9-490b-9043-a9b5034424b5"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "AWDHBRrrxQT5EBNmq4TI"
},
{
"name": "panel_3",
"type": "visualization",
"id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f"
},
{
"name": "panel_4",
"type": "visualization",
"id": "f82136c0-4dbf-11ea-8336-d3388483188b"
},
{
"name": "panel_5",
"type": "search",
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "a2e900c8-9dd9-490b-9043-a9b5034424b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:56:27.547Z",
"version": "WzIyNjEsMV0=",
"attributes": {
"title": "MySQL - Log Count Over Time",
"visState": "{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"group\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-02-12T17:52:43.825Z\",\"max\":\"2020-02-12T17:52:43.825Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHBRrrxQT5EBNmq4TI",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:30.578Z",
"version": "WzQ3NSwxXQ==",
"attributes": {
"title": "MySQL - Log Count",
"visState": "{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3bfe2a4c-d202-49e0-8ebc-484e542f910f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:58:25.684Z",
"version": "WzIyNzgsMV0=",
"attributes": {
"title": "MySQL - Success",
"visState": "{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_mysql.success: Descending\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f82136c0-4dbf-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:30.578Z",
"version": "WzQ3NywxXQ==",
"attributes": {
"title": "MySQL - Commands",
"visState": "{\"title\":\"MySQL - Commands\",\"type\":\"table\",\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Command\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Argument\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Response\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.cmd\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.arg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Argument\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.response\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Response\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Success\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f4ad663c-8222-4f64-9f66-d4fa8b04c20a",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:30.578Z",
"version": "WzQ3OCwxXQ==",
"attributes": {
"title": "MySQL - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_mysql.cmd",
"zeek_mysql.success",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:mysql\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

459
Vagrant/resources/malcolm/kibana/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json Normal file
View File

@@ -0,0 +1,459 @@
{
"version": "7.10.0",
"objects": [
{
"id": "543118a9-02d7-43fe-b669-b8652177fc37",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:55:44.537Z",
"version": "WzIyNDcsMV0=",
"attributes": {
"title": "NTLM",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":23,\"w\":16,\"h\":21,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":26,\"w\":12,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":26,\"w\":12,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":44,\"w\":16,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":16,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":44,\"w\":16,\"h\":18,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":24,\"h\":18,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":15,\"i\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\"},\"panelIndex\":\"810e5272-b5cd-4e76-b0cf-32cc7a3f57e8\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":62,\"w\":48,\"h\":40,\"i\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\"},\"panelIndex\":\"cac38fd6-65a1-4041-83e4-f95e0d136537\",\"embeddableConfig\":{\"columns\":[\"srcIp\",\"dstIp\",\"dstPort\",\"zeek_ntlm.host\",\"zeek_ntlm.domain\",\"zeek_ntlm.server_nb_computer\",\"zeek_ntlm.server_dns_computer\",\"zeek_ntlm.server_tree\",\"zeek.uid\"]},\"panelRefName\":\"panel_11\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "7be3afad-a0db-466b-8dd1-3e04d5acea6b"
},
{
"name": "panel_2",
"type": "visualization",
"id": "9500b522-519f-4219-8ba3-8f5fa5bc1452"
},
{
"name": "panel_3",
"type": "visualization",
"id": "cc045686-66be-4450-8d8a-90927323968d"
},
{
"name": "panel_4",
"type": "visualization",
"id": "9e559bef-866f-4934-b1b5-4db5bf213664"
},
{
"name": "panel_5",
"type": "visualization",
"id": "706e217b-6d5c-4c74-b340-a34c9801e2dc"
},
{
"name": "panel_6",
"type": "visualization",
"id": "97f78ed5-c786-4e8d-924e-3c69f09cd79f"
},
{
"name": "panel_7",
"type": "visualization",
"id": "03592efa-6618-4b50-8071-21accd137e30"
},
{
"name": "panel_8",
"type": "visualization",
"id": "AWDHCEx7xQT5EBNmq4Vf"
},
{
"name": "panel_9",
"type": "visualization",
"id": "319e9e0b-b12e-4401-8833-3c62de2df7da"
},
{
"name": "panel_10",
"type": "visualization",
"id": "110b46c0-4dc1-11ea-8336-d3388483188b"
},
{
"name": "panel_11",
"type": "search",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7be3afad-a0db-466b-8dd1-3e04d5acea6b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9500b522-519f-4219-8ba3-8f5fa5bc1452",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4MiwxXQ==",
"attributes": {
"title": "NTLM - Hostname",
"visState": "{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Hostname\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cc045686-66be-4450-8d8a-90927323968d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4MywxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Domain Name",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9e559bef-866f-4934-b1b5-4db5bf213664",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Username",
"uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "706e217b-6d5c-4c74-b340-a34c9801e2dc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "97f78ed5-c786-4e8d-924e-3c69f09cd79f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "03592efa-6618-4b50-8071-21accd137e30",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4NywxXQ==",
"attributes": {
"visState": "{\"title\":\"NTLM - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "NTLM - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHCEx7xQT5EBNmq4Vf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4OCwxXQ==",
"attributes": {
"title": "NTLM - Log Count",
"visState": "{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "319e9e0b-b12e-4401-8833-3c62de2df7da",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ4OSwxXQ==",
"attributes": {
"title": "NTLM - Hostname to Username",
"visState": "{\"title\":\"NTLM - Hostname to Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.host\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ntlm.domain\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "110b46c0-4dc1-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ5MCwxXQ==",
"attributes": {
"title": "NTLM - Success",
"visState": "{\"title\":\"NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Success\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "40c651a5-3e02-47b4-8d6b-8628a351007c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:31.603Z",
"version": "WzQ5MSwxXQ==",
"attributes": {
"title": "NTLM - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_ntlm.host",
"zeek_ntlm.domain",
"zeek_ntlm.server_nb_computer",
"zeek_ntlm.server_dns_computer",
"zeek_ntlm.server_tree",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:ntlm\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

138
Vagrant/resources/malcolm/kibana/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,138 @@
{
"version": "7.10.0",
"objects": [
{
"id": "55e332d0-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:32.623Z",
"version": "WzQ5MiwxXQ==",
"attributes": {
"title": "Connections - Destination - Originator Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.6.2\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "3cbd1620-3f96-11e9-a58e-8bdedb0915e8"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3cbd1620-3f96-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:32.623Z",
"version": "WzQ5NCwxXQ==",
"attributes": {
"title": "Connections - Destination - Originator Bytes (region map)",
"visState": "{\"title\":\"Connections - Destination - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "60d78fbd-471c-4f59-a9e3-189b33a13644",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:33.654Z",
"version": "WzQ5NiwxXQ==",
"attributes": {
"title": "Connections - Destination - Sum of Total Bytes",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":39,\"h\":50,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"185e3f31-3f18-4df8-93c1-617c0323f051\"},\"panelIndex\":\"185e3f31-3f18-4df8-93c1-617c0323f051\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"887a57e9-3078-4fe1-9ea9-0ee63abe554f\"},\"panelIndex\":\"887a57e9-3078-4fe1-9ea9-0ee63abe554f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "7fe0a885-b172-48b9-ac34-0c8e8d5c2f82"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "7fe0a885-b172-48b9-ac34-0c8e8d5c2f82",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:33.654Z",
"version": "WzQ5NywxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Destination - Sum of Total Bytes",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

243
Vagrant/resources/malcolm/kibana/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json Normal file
View File

@@ -0,0 +1,243 @@
{
"version": "7.10.0",
"objects": [
{
"id": "665d1610-523d-11e9-a30e-e3576242f3ed",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:35.042Z",
"version": "WzUwMiwxXQ==",
"attributes": {
"title": "Signatures",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":32,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":48,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "0927a2fa-f94e-4f68-a23b-5054ed2e171a"
},
{
"name": "panel_2",
"type": "visualization",
"id": "8356c570-523f-11e9-a30e-e3576242f3ed"
},
{
"name": "panel_3",
"type": "search",
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed"
},
{
"name": "panel_4",
"type": "visualization",
"id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75"
},
{
"name": "panel_5",
"type": "visualization",
"id": "39073d50-525e-11e9-9bd7-13d6d1bafa75"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0927a2fa-f94e-4f68-a23b-5054ed2e171a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:35.042Z",
"version": "WzUwNCwxXQ==",
"attributes": {
"title": "Signatures - Log Count Over Time",
"visState": "{\"title\":\"Signatures - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"zeek.logType:signatures\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8356c570-523f-11e9-a30e-e3576242f3ed",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:35.042Z",
"version": "WzUwNSwxXQ==",
"attributes": {
"title": "Signatures - Log Count",
"visState": "{\"title\":\"Signatures - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:45.233Z",
"version": "WzYzMywxXQ==",
"attributes": {
"title": "Signatures - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_signatures.note",
"zeek_signatures.signature_id",
"zeek_signatures.signature_count",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:45.233Z",
"version": "WzYyMywxXQ==",
"attributes": {
"title": "Signatures - Signature IDs",
"visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "39073d50-525e-11e9-9bd7-13d6d1bafa75",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:35.042Z",
"version": "WzUwOCwxXQ==",
"attributes": {
"title": "Signatures - Engines",
"visState": "{\"title\":\"Signatures - Engines\",\"type\":\"horizontal_bar\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.engine\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Engines\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

352
Vagrant/resources/malcolm/kibana/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json Normal file
View File

@@ -0,0 +1,352 @@
{
"version": "7.10.0",
"objects": [
{
"id": "76f2f912-80da-44cd-ab66-6a73c8344cc3",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUwOSwxXQ==",
"attributes": {
"title": "IRC",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":47,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":27,\"w\":12,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":27,\"w\":12,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":27,\"w\":16,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":37,\"i\":\"d32001ad-b1a2-4fde-8feb-c06e3a7b1f91\"},\"panelIndex\":\"d32001ad-b1a2-4fde-8feb-c06e3a7b1f91\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "97e59b5d-86f2-42e6-9dbb-67336dd6c38a"
},
{
"name": "panel_2",
"type": "visualization",
"id": "46ada5c4-3522-4a0c-a2dd-279d59e23160"
},
{
"name": "panel_3",
"type": "visualization",
"id": "3e7fcb65-15e8-4a05-92de-ee924c08d85c"
},
{
"name": "panel_4",
"type": "visualization",
"id": "6544edd6-ae35-4e10-be83-ede9cb2a5fa2"
},
{
"name": "panel_5",
"type": "visualization",
"id": "AWDG_HoKxQT5EBNmq4KN"
},
{
"name": "panel_6",
"type": "visualization",
"id": "7a04aa5c-8e7f-4405-9291-2fa3ce1b6c7a"
},
{
"name": "panel_7",
"type": "visualization",
"id": "91a1e5ab-35e4-4a8a-a26f-4b4c1b9bb8ec"
},
{
"name": "panel_8",
"type": "search",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "97e59b5d-86f2-42e6-9dbb-67336dd6c38a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"IRC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "IRC - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "46ada5c4-3522-4a0c-a2dd-279d59e23160",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "IRC - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3e7fcb65-15e8-4a05-92de-ee924c08d85c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxMywxXQ==",
"attributes": {
"visState": "{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "IRC - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6544edd6-ae35-4e10-be83-ede9cb2a5fa2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxNCwxXQ==",
"attributes": {
"title": "IRC - Destination Port",
"visState": "{\"title\":\"IRC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG_HoKxQT5EBNmq4KN",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxNSwxXQ==",
"attributes": {
"title": "IRC - Log Count",
"visState": "{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7a04aa5c-8e7f-4405-9291-2fa3ce1b6c7a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxNiwxXQ==",
"attributes": {
"title": "IRC - Destination Country",
"visState": "{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.city_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "91a1e5ab-35e4-4a8a-a26f-4b4c1b9bb8ec",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxNywxXQ==",
"attributes": {
"title": "IRC - Command",
"visState": "{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_irc.command\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5486b4b2-714d-45d1-b347-ab274894de1f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5486b4b2-714d-45d1-b347-ab274894de1f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:36.060Z",
"version": "WzUxOCwxXQ==",
"attributes": {
"title": "IRC - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_irc.nick",
"zeek_irc.command",
"zeek_irc.value",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:irc\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "77fc9960-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:37.074Z",
"version": "WzUxOSwxXQ==",
"attributes": {
"title": "Connections - Destination - Responder Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"18ef74a3-0457-4cdd-acdc-2c0d967c4b7c\"},\"panelIndex\":\"18ef74a3-0457-4cdd-acdc-2c0d967c4b7c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"bf8d1e0a-e6dd-4ea2-8466-220565d99081\"},\"panelIndex\":\"bf8d1e0a-e6dd-4ea2-8466-220565d99081\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "54431ec0-3f96-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "54431ec0-3f96-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:37.074Z",
"version": "WzUyMSwxXQ==",
"attributes": {
"title": "Connections - Destination - Responder Bytes (region map)",
"visState": "{\"title\":\"Connections - Destination - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

424
Vagrant/resources/malcolm/kibana/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json Normal file
View File

@@ -0,0 +1,424 @@
{
"version": "7.10.0",
"objects": [
{
"id": "7f41913f-cba8-43f5-82a8-241b7ead03e0",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:29:37.280Z",
"version": "WzI4NjEsMV0=",
"attributes": {
"title": "RDP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":15,\"y\":28,\"w\":9,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":28,\"w\":13,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":37,\"y\":28,\"w\":11,\"h\":19,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":10,\"w\":14,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":38,\"y\":10,\"w\":10,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":15,\"h\":19,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":22,\"y\":10,\"w\":16,\"h\":18,\"i\":\"17548109-6b40-41e7-997f-17290b9759ac\"},\"panelIndex\":\"17548109-6b40-41e7-997f-17290b9759ac\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":36,\"i\":\"c76b082d-e205-42f7-8c7a-46be60fccb19\"},\"panelIndex\":\"c76b082d-e205-42f7-8c7a-46be60fccb19\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "b4e1f8d3-fdd9-4a86-b907-0e432b1a6049"
},
{
"name": "panel_2",
"type": "visualization",
"id": "171c1475-1288-4dab-b5f4-f2105c7167a5"
},
{
"name": "panel_3",
"type": "visualization",
"id": "0a4694d9-2c36-48f3-979e-22548fff8fda"
},
{
"name": "panel_4",
"type": "visualization",
"id": "890ddd12-deb4-4608-890c-f0290dea3566"
},
{
"name": "panel_5",
"type": "visualization",
"id": "874675b5-bc49-4a3a-8d6e-a7efd713919e"
},
{
"name": "panel_6",
"type": "visualization",
"id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da"
},
{
"name": "panel_7",
"type": "visualization",
"id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34"
},
{
"name": "panel_8",
"type": "visualization",
"id": "AWDHCvBexQT5EBNmq4aK"
},
{
"name": "panel_9",
"type": "visualization",
"id": "93df26c0-4dc6-11ea-8336-d3388483188b"
},
{
"name": "panel_10",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b4e1f8d3-fdd9-4a86-b907-0e432b1a6049",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:38.098Z",
"version": "WzUyNywxXQ==",
"attributes": {
"visState": "{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "RDP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "171c1475-1288-4dab-b5f4-f2105c7167a5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:38.098Z",
"version": "WzUyOCwxXQ==",
"attributes": {
"visState": "{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "RDP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0a4694d9-2c36-48f3-979e-22548fff8fda",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:24:31.744Z",
"version": "WzI3NjksMV0=",
"attributes": {
"title": "RDP - Destination IP Address",
"visState": "{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "890ddd12-deb4-4608-890c-f0290dea3566",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:38.098Z",
"version": "WzUzMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rdp.cookie\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}",
"description": "",
"title": "RDP - Cookie",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "874675b5-bc49-4a3a-8d6e-a7efd713919e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:15:23.729Z",
"version": "WzI2NjYsMV0=",
"attributes": {
"title": "RDP - Result",
"visState": "{\"title\":\"RDP - Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "088c8f99-a90e-4a1e-b1a4-afd93ff076da",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:15:43.239Z",
"version": "WzI2ODAsMV0=",
"attributes": {
"title": "RDP - Keyboard Layout",
"visState": "{\"title\":\"RDP - Keyboard Layout\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.keyboard_layout\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Keyboard Layout\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b4d98d1f-dad9-4883-95ff-f8edc0b23b34",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:27:35.109Z",
"version": "WzI4MTcsMV0=",
"attributes": {
"title": "RDP - Client Version",
"visState": "{\"title\":\"RDP - Client Version\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.client_build\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Version\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Client\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHCvBexQT5EBNmq4aK",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:38.098Z",
"version": "WzUzNSwxXQ==",
"attributes": {
"title": "RDP - Log Count",
"visState": "{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "93df26c0-4dc6-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:25:27.738Z",
"version": "WzI3OTMsMV0=",
"attributes": {
"title": "RDP - Encryption",
"visState": "{\"title\":\"RDP - Encryption\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.encryption_level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Type\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rdp.encryption_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Encryption Method\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Level\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Encryption Method\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5697fae3-8fed-45cd-82e1-ba6f86a99bd3",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:38.098Z",
"version": "WzUzNywxXQ==",
"attributes": {
"title": "RDP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_rdp.client_build",
"zeek_rdp.keyboard_layout",
"zeek_rdp.security_protocol",
"zeek_rdp.encryption_method",
"zeek_rdp.result",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:rdp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

744
Vagrant/resources/malcolm/kibana/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json Normal file
View File

@@ -0,0 +1,744 @@
{
"version": "7.10.0",
"objects": [
{
"id": "7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:36:07.545Z",
"version": "WzM0NjUsMV0=",
"attributes": {
"title": "SSL",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":63,\"w\":30,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":101,\"w\":13,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":27,\"y\":101,\"w\":9,\"h\":18,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":13,\"y\":101,\"w\":14,\"h\":18,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":19,\"y\":45,\"w\":29,\"h\":18,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":19,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":19,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":12,\"y\":27,\"w\":36,\"h\":18,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":83,\"w\":24,\"h\":18,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":83,\"w\":24,\"h\":18,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":13,\"h\":19,\"i\":\"e57b69c8-34a0-4b5a-9146-f81034ce74fe\"},\"panelIndex\":\"e57b69c8-34a0-4b5a-9146-f81034ce74fe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_14\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":18,\"i\":\"078aaedd-22fb-4a22-ad5b-b81403587fde\"},\"panelIndex\":\"078aaedd-22fb-4a22-ad5b-b81403587fde\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_15\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":30,\"y\":63,\"w\":18,\"h\":20,\"i\":\"c151c3a5-c079-4d3b-8a31-da338b974e44\"},\"panelIndex\":\"c151c3a5-c079-4d3b-8a31-da338b974e44\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_16\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":36,\"y\":101,\"w\":12,\"h\":18,\"i\":\"cd6004c4-d604-4503-a4a2-d1c38e852279\"},\"panelIndex\":\"cd6004c4-d604-4503-a4a2-d1c38e852279\",\"embeddableConfig\":{},\"panelRefName\":\"panel_17\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":119,\"w\":48,\"h\":43,\"i\":\"bbcebabc-0baf-4b15-ad17-fc7633b9b8b8\"},\"panelIndex\":\"bbcebabc-0baf-4b15-ad17-fc7633b9b8b8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_18\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "dc0b1b11-52da-4cc0-bddf-db127bd6cfee"
},
{
"name": "panel_2",
"type": "visualization",
"id": "d988522e-b3a8-4d74-98d4-96aff3e0f3f9"
},
{
"name": "panel_3",
"type": "visualization",
"id": "20fa1fd0-f204-499d-996f-e41e1ee3d40f"
},
{
"name": "panel_4",
"type": "visualization",
"id": "df8bd09c-064c-45b3-8d54-9797ccb58d74"
},
{
"name": "panel_5",
"type": "visualization",
"id": "f81fe18d-c2ff-4757-9de3-8b943a759169"
},
{
"name": "panel_6",
"type": "visualization",
"id": "b50ee1a8-d83d-46bf-9ba2-419d089d4797"
},
{
"name": "panel_7",
"type": "visualization",
"id": "8486949c-3592-4831-9020-59bfd968ccfa"
},
{
"name": "panel_8",
"type": "visualization",
"id": "d7a673bc-4a11-423b-acd3-a446425551c1"
},
{
"name": "panel_9",
"type": "visualization",
"id": "f821c7fe-0dd3-4c3c-b5df-77b926f4007a"
},
{
"name": "panel_10",
"type": "visualization",
"id": "AWDHElRWxQT5EBNmq4lz"
},
{
"name": "panel_11",
"type": "visualization",
"id": "1567ea7f-8d0e-470b-adbf-f605dd68bdce"
},
{
"name": "panel_12",
"type": "visualization",
"id": "371b06d0-72a1-11e9-b0f3-590266f42743"
},
{
"name": "panel_13",
"type": "visualization",
"id": "bdda87a0-72a0-11e9-b0f3-590266f42743"
},
{
"name": "panel_14",
"type": "visualization",
"id": "fa696510-4e9b-11ea-b504-97aa449f6abc"
},
{
"name": "panel_15",
"type": "visualization",
"id": "41325860-4dd6-11ea-8336-d3388483188b"
},
{
"name": "panel_16",
"type": "visualization",
"id": "9c20d940-4dd6-11ea-8336-d3388483188b"
},
{
"name": "panel_17",
"type": "visualization",
"id": "f13ba720-4dd6-11ea-8336-d3388483188b"
},
{
"name": "panel_18",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "dc0b1b11-52da-4cc0-bddf-db127bd6cfee",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d988522e-b3a8-4d74-98d4-96aff3e0f3f9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.subject_full\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Certificate Subject",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "20fa1fd0-f204-499d-996f-e41e1ee3d40f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0MiwxXQ==",
"attributes": {
"title": "SSL - Version",
"visState": "{\"title\":\"SSL - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_ssl.ssl_version: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df8bd09c-064c-45b3-8d54-9797ccb58d74",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0MywxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f81fe18d-c2ff-4757-9de3-8b943a759169",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b50ee1a8-d83d-46bf-9ba2-419d089d4797",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Destination Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8486949c-3592-4831-9020-59bfd968ccfa",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0NiwxXQ==",
"attributes": {
"title": "SSL - Server",
"visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Server\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Randomness Score (method 1)\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Randomness Score (method 2)\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d7a673bc-4a11-423b-acd3-a446425551c1",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0NywxXQ==",
"attributes": {
"title": "SSL - Destination Country",
"visState": "{\"title\":\"SSL - Destination Country\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"zeek.destination_geo.country_name: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f821c7fe-0dd3-4c3c-b5df-77b926f4007a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0OCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSL - Validation Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}",
"description": "",
"title": "SSL - Validation Status",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHElRWxQT5EBNmq4lz",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU0OSwxXQ==",
"attributes": {
"title": "SSL - Log Count",
"visState": "{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1567ea7f-8d0e-470b-adbf-f605dd68bdce",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1MCwxXQ==",
"attributes": {
"title": "SSL - Summary",
"visState": "{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.server_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.subject.CN\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.validation_status\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ssl_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "371b06d0-72a1-11e9-b0f3-590266f42743",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1MSwxXQ==",
"attributes": {
"title": "SSL - Client JA3 Lookup",
"visState": "{\"title\":\"SSL - Client JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client JA3 Lookup\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bdda87a0-72a0-11e9-b0f3-590266f42743",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1MiwxXQ==",
"attributes": {
"title": "SSL - Server JA3 Lookup",
"visState": "{\"title\":\"SSL - Server JA3 Lookup\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.ja3s_desc\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server JA3 Lookup\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fa696510-4e9b-11ea-b504-97aa449f6abc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1MywxXQ==",
"attributes": {
"title": "SSL - Relevant Notices",
"visState": "{\"title\":\"SSL - Relevant Notices\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"1\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_notice.category:(SSL OR CVE_2020_0601)\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "41325860-4dd6-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1NCwxXQ==",
"attributes": {
"title": "SSL - Connection Established",
"visState": "{\"title\":\"SSL - Connection Established\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Established\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.established\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Established\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9c20d940-4dd6-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1NSwxXQ==",
"attributes": {
"title": "SSL - Elliptic Curve",
"visState": "{\"title\":\"SSL - Elliptic Curve\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Elliptic Curve\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ssl.curve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Elliptic Curve\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f13ba720-4dd6-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1NiwxXQ==",
"attributes": {
"title": "SSL - Next Protocol",
"visState": "{\"title\":\"SSL - Next Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssl.next_protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Next Protocol\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b945a684-0841-4e86-87aa-0f1af6fb6579",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:39.113Z",
"version": "WzU1NywxXQ==",
"attributes": {
"title": "SSL - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_ssl.server_name",
"zeek_ssl.validation_status",
"zeek_ssl.established",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssl\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0OCwxXQ==",
"attributes": {
"title": "Notices - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_notice.category",
"zeek_notice.sub_category",
"zeek_notice.msg",
"srcIp",
"dstIp",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

527
Vagrant/resources/malcolm/kibana/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json Normal file
View File

@@ -0,0 +1,527 @@
{
"version": "7.10.0",
"objects": [
{
"id": "82da3101-2a9c-4ae2-bb61-d447a3fbe673",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:46:19.291Z",
"version": "WzIxMjUsMV0=",
"attributes": {
"title": "Kerberos",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":36,\"y\":10,\"w\":12,\"h\":17,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":19,\"y\":27,\"w\":19,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":10,\"w\":15,\"h\":17,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":47,\"w\":24,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":47,\"w\":24,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":null}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":67,\"w\":28,\"h\":25,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":23,\"y\":10,\"w\":13,\"h\":17,\"i\":\"7d02cf7a-cad4-4b2c-822d-a255de92ce23\"},\"panelIndex\":\"7d02cf7a-cad4-4b2c-822d-a255de92ce23\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":38,\"y\":27,\"w\":10,\"h\":20,\"i\":\"defd333f-2642-4357-822f-9fa6f09a9356\"},\"panelIndex\":\"defd333f-2642-4357-822f-9fa6f09a9356\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":28,\"y\":67,\"w\":20,\"h\":25,\"i\":\"6f759830-50a0-41d2-a383-b8e307be3ba3\"},\"panelIndex\":\"6f759830-50a0-41d2-a383-b8e307be3ba3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":92,\"w\":48,\"h\":30,\"i\":\"f0a6a77c-c3fe-48e1-aa26-870211f54ecf\"},\"panelIndex\":\"f0a6a77c-c3fe-48e1-aa26-870211f54ecf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "aaf2aff1-0941-4df3-9668-329601e90ea3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "5a8ab6ad-ea8c-4d52-935e-82fbd2445ec3"
},
{
"name": "panel_3",
"type": "visualization",
"id": "0319fd42-76c4-4894-b7d8-2540537705ff"
},
{
"name": "panel_4",
"type": "visualization",
"id": "334efe47-3d71-4995-8f73-8945969c6879"
},
{
"name": "panel_5",
"type": "visualization",
"id": "8fdb77a7-748c-47a6-a1f9-31c4583f354d"
},
{
"name": "panel_6",
"type": "visualization",
"id": "62d29d31-59dd-4339-9793-5df6bd4cde91"
},
{
"name": "panel_7",
"type": "visualization",
"id": "2805b0f5-d7cf-4cbc-8ffe-d6b087fadb82"
},
{
"name": "panel_8",
"type": "visualization",
"id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf"
},
{
"name": "panel_9",
"type": "visualization",
"id": "AWDG_UbkxQT5EBNmq4Lg"
},
{
"name": "panel_10",
"type": "visualization",
"id": "2bf924c0-4dbc-11ea-8336-d3388483188b"
},
{
"name": "panel_11",
"type": "visualization",
"id": "c8180830-4dbc-11ea-8336-d3388483188b"
},
{
"name": "panel_12",
"type": "visualization",
"id": "51e6a850-4dbd-11ea-8336-d3388483188b"
},
{
"name": "panel_13",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "aaf2aff1-0941-4df3-9668-329601e90ea3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Kerberos - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5a8ab6ad-ea8c-4d52-935e-82fbd2445ec3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Kerberos - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.cname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}",
"description": "",
"title": "Kerberos - Client",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0319fd42-76c4-4894-b7d8-2540537705ff",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:45:19.371Z",
"version": "WzIxMDUsMV0=",
"attributes": {
"title": "Kerberos - Success Status",
"visState": "{\"title\":\"Kerberos - Success Status\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_kerberos.success: Descending\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "334efe47-3d71-4995-8f73-8945969c6879",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}",
"description": "",
"title": "Kerberos - Server",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8fdb77a7-748c-47a6-a1f9-31c4583f354d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:44:20.999Z",
"version": "WzIwNjMsMV0=",
"attributes": {
"title": "Kerberos - Cipher",
"visState": "{\"title\":\"Kerberos - Cipher\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.cipher\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "62d29d31-59dd-4339-9793-5df6bd4cde91",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Kerberos - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2805b0f5-d7cf-4cbc-8ffe-d6b087fadb82",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2NywxXQ==",
"attributes": {
"visState": "{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Kerberos - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "626b7405-7acb-4b43-a0de-44e1d92c7fbf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2OCwxXQ==",
"attributes": {
"title": "Kerberos - Service",
"visState": "{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Service\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_kerberos.sname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG_UbkxQT5EBNmq4Lg",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU2OSwxXQ==",
"attributes": {
"title": "Kerberos - Log Count",
"visState": "{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2bf924c0-4dbc-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:44:54.282Z",
"version": "WzIwODksMV0=",
"attributes": {
"title": "Kerberos - Request Types",
"visState": "{\"title\":\"Kerberos - Request Types\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.request_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Request Type\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c8180830-4dbc-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T15:43:51.907Z",
"version": "WzIwNDUsMV0=",
"attributes": {
"title": "Kerberos - Renewable Ticket Requested",
"visState": "{\"title\":\"Kerberos - Renewable Ticket Requested\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_kerberos.renewable\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Renewable ticket requested\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Renewable ticket requested\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "51e6a850-4dbd-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU3MiwxXQ==",
"attributes": {
"title": "Kerberos - Destination Ports",
"visState": "{\"title\":\"Kerberos - Destination Ports\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"log\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "e1bfade1-72ee-4093-9257-5d1921c71041"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e1bfade1-72ee-4093-9257-5d1921c71041",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:40.130Z",
"version": "WzU3MywxXQ==",
"attributes": {
"title": "Kerberos - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_kerberos.request_type",
"zeek_kerberos.success",
"zeek_kerberos.error_msg",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:kerberos\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

515
Vagrant/resources/malcolm/kibana/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json Normal file
View File

@@ -0,0 +1,515 @@
{
"version": "7.10.0",
"objects": [
{
"id": "870a5862-6c26-4a08-99fd-0c06cda85ba3",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU3NCwxXQ==",
"attributes": {
"title": "DNP3",
"hits": 0,
"description": "Dashboard for the DNP3 Protocol",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"h\":37,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":13,\"x\":0,\"y\":37},\"panelIndex\":\"7\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":11,\"x\":13,\"y\":37},\"panelIndex\":\"8\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"13\",\"w\":11,\"x\":8,\"y\":18},\"panelIndex\":\"13\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"14\",\"w\":10,\"x\":19,\"y\":18},\"panelIndex\":\"14\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":18,\"i\":\"0d2c1a60-2ee6-46a5-8c6f-e5a95a1f5850\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"0d2c1a60-2ee6-46a5-8c6f-e5a95a1f5850\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":18,\"i\":\"6f17ed53-0ae8-4260-acd7-92115f40037c\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"6f17ed53-0ae8-4260-acd7-92115f40037c\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"dc74966e-dd3d-4277-a4c0-92a2b21d1214\",\"w\":19,\"x\":29,\"y\":18},\"panelIndex\":\"dc74966e-dd3d-4277-a4c0-92a2b21d1214\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":37,\"i\":\"0242ac86-f482-429a-bc77-89eb89eb7996\",\"w\":24,\"x\":24,\"y\":37},\"panelIndex\":\"0242ac86-f482-429a-bc77-89eb89eb7996\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}},\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":18,\"i\":\"9fddb0ae-d93f-4ecb-8625-ccd87a92e175\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"9fddb0ae-d93f-4ecb-8625-ccd87a92e175\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"desc\"}}},\"params\":{\"sort\":{\"columnIndex\":6,\"direction\":\"asc\"}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":23,\"i\":\"20bab908-6058-4f9a-819b-de9011dd65b0\",\"w\":48,\"x\":0,\"y\":74},\"panelIndex\":\"20bab908-6058-4f9a-819b-de9011dd65b0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":20,\"i\":\"f4c2ba58-794b-4b5a-b65e-3cb6a924f199\",\"w\":48,\"x\":0,\"y\":97},\"panelIndex\":\"f4c2ba58-794b-4b5a-b65e-3cb6a924f199\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":18,\"i\":\"842b0a10-1906-4b1f-9da3-f6b271a85dcb\",\"w\":48,\"x\":0,\"y\":117},\"panelIndex\":\"842b0a10-1906-4b1f-9da3-f6b271a85dcb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "d34dd3b3-3861-4b9b-ba39-4ca7e15b3bdd"
},
{
"name": "panel_2",
"type": "visualization",
"id": "131198e7-afc4-40be-bedd-2a3a3a2d511e"
},
{
"name": "panel_3",
"type": "visualization",
"id": "46cd2e4c-ecfb-4fe9-ae51-28c2fecbffc0"
},
{
"name": "panel_4",
"type": "visualization",
"id": "9422ff81-b007-4eef-aca1-1af16509ab8c"
},
{
"name": "panel_5",
"type": "visualization",
"id": "34700240-cb66-11ea-b8b9-778c41cae039"
},
{
"name": "panel_6",
"type": "visualization",
"id": "4f7c9990-cb66-11ea-b8b9-778c41cae039"
},
{
"name": "panel_7",
"type": "visualization",
"id": "9277d050-e33c-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_8",
"type": "visualization",
"id": "fd7d74c0-e339-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_9",
"type": "visualization",
"id": "63cebc10-e33b-11ea-b05f-2302f75ab2c8"
},
{
"name": "panel_10",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
},
{
"name": "panel_11",
"type": "search",
"id": "980f33d0-cb65-11ea-b8b9-778c41cae039"
},
{
"name": "panel_12",
"type": "search",
"id": "cf32a680-cb65-11ea-b8b9-778c41cae039"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d34dd3b3-3861-4b9b-ba39-4ca7e15b3bdd",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU3NiwxXQ==",
"attributes": {
"title": "DNP3 - Source IP",
"visState": "{\"title\":\"DNP3 - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "Source IP Addresses from dnp3.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "131198e7-afc4-40be-bedd-2a3a3a2d511e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU3NywxXQ==",
"attributes": {
"title": "DNP3 - Destination IP",
"visState": "{\"title\":\"DNP3 - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "Destination IP Addresses from dnp3.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "46cd2e4c-ecfb-4fe9-ae51-28c2fecbffc0",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU3OCwxXQ==",
"attributes": {
"title": "DNP3 - Function Request",
"visState": "{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_request\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "DNP3 function in request packet from dnp3.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9422ff81-b007-4eef-aca1-1af16509ab8c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU3OSwxXQ==",
"attributes": {
"title": "DNP3 - Function Reply",
"visState": "{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3.fc_reply\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "DNP3 function in reply packet from dnp3.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "34700240-cb66-11ea-b8b9-778c41cae039",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4MCwxXQ==",
"attributes": {
"title": "DNP3 - Log Count",
"visState": "{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "Count of DNP3 logs including DNP3 Control and Objects logs",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4f7c9990-cb66-11ea-b8b9-778c41cae039",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4MSwxXQ==",
"attributes": {
"title": "DNP3 - Logs Over Time",
"visState": "{\"title\":\"DNP3 - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY\"}},\"params\":{\"date\":true,\"interval\":\"P365D\",\"intervalESValue\":365,\"intervalESUnit\":\"d\",\"format\":\"YYYY\",\"bounds\":{\"min\":\"1971-01-14T16:42:16.432Z\",\"max\":\"2021-01-14T16:42:16.432Z\"}},\"label\":\"firstPacket per 365 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Log Type\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-50y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "DNP3 logs over time",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:*dnp3*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9277d050-e33c-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4MiwxXQ==",
"attributes": {
"title": "DNP3 - Internal Indicators Overview",
"visState": "{\"title\":\"DNP3 - Internal Indicators Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Internal Indicators\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_dnp3.iin_flags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Internal Indicators\"}}]}",
"uiStateJSON": "{}",
"description": "DNP3 Internal Indicators from dnp3.iin in dnp3.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fd7d74c0-e339-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4MywxXQ==",
"attributes": {
"title": "DNP3 - Objects Overview",
"visState": "{\"title\":\"DNP3 - Objects Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Address\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.object_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Type\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.object_count\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Object Count\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.range_low\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range Start\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_objects.range_high\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"-\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Range End\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":null}}}}",
"description": "Overview of DNP3 objects from READ-RESPONSE messages in dnp3_objects.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "cf32a680-cb65-11ea-b8b9-778c41cae039"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "63cebc10-e33b-11ea-b05f-2302f75ab2c8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4NCwxXQ==",
"attributes": {
"title": "DNP3 - Control Overview",
"visState": "{\"title\":\"DNP3 - Control Overview\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":5,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Control Code\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.index_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Index Number\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.function_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.block_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Block Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.operation_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_dnp3_control.trip_control_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Control Code\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":null}}}}",
"description": "Overview of DNP3 control functions from dnp3_control.log",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "980f33d0-cb65-11ea-b8b9-778c41cae039"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cc135a63-3e30-4703-bc31-f7ac09c1d21a",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4NSwxXQ==",
"attributes": {
"title": "DNP3 - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_dnp3.fc_request",
"zeek_dnp3.fc_reply",
"zeek_dnp3.iin_flags",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:dnp3\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "980f33d0-cb65-11ea-b8b9-778c41cae039",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4NiwxXQ==",
"attributes": {
"title": "DNP3 - Control Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_dnp3_control.function_code",
"zeek_dnp3_control.trip_control_code",
"zeek_dnp3_control.operation_type",
"zeek_dnp3_control.status_code"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType==\\\"dnp3_control\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "cf32a680-cb65-11ea-b8b9-778c41cae039",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:41.140Z",
"version": "WzU4NywxXQ==",
"attributes": {
"title": "DNP3 - Objects Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_dnp3_objects.function_code",
"zeek_dnp3_objects.object_type",
"zeek_dnp3_objects.object_count",
"zeek_dnp3_objects.range_high",
"zeek_dnp3_objects.range_low"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType==\\\"dnp3_objects\\\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

549
Vagrant/resources/malcolm/kibana/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json Normal file
View File

@@ -0,0 +1,549 @@
{
"version": "7.10.0",
"objects": [
{
"id": "87a32f90-ef58-11e9-974e-9d600036d105",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU4OCwxXQ==",
"attributes": {
"title": "MQTT",
"hits": 0,
"description": "",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":33,\"w\":15,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":15,\"y\":33,\"w\":17,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":32,\"y\":33,\"w\":16,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":21,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"x\":16,\"y\":53,\"w\":32,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"gridData\":{\"x\":0,\"y\":74,\"w\":48,\"h\":25,\"i\":\"12\"},\"version\":\"7.6.2\",\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "e4180250-ef58-11e9-974e-9d600036d105"
},
{
"name": "panel_2",
"type": "visualization",
"id": "275fd330-ef59-11e9-974e-9d600036d105"
},
{
"name": "panel_3",
"type": "visualization",
"id": "74ca3ed0-ef59-11e9-974e-9d600036d105"
},
{
"name": "panel_4",
"type": "visualization",
"id": "9a437230-ef59-11e9-974e-9d600036d105"
},
{
"name": "panel_5",
"type": "visualization",
"id": "dea31bb0-ef59-11e9-974e-9d600036d105"
},
{
"name": "panel_6",
"type": "visualization",
"id": "5c4b61d0-ef5a-11e9-974e-9d600036d105"
},
{
"name": "panel_7",
"type": "visualization",
"id": "c09dc150-ef5a-11e9-974e-9d600036d105"
},
{
"name": "panel_8",
"type": "visualization",
"id": "8079a930-ef5b-11e9-974e-9d600036d105"
},
{
"name": "panel_9",
"type": "visualization",
"id": "da136f80-ef5b-11e9-974e-9d600036d105"
},
{
"name": "panel_10",
"type": "search",
"id": "76cf2c00-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e4180250-ef58-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5MCwxXQ==",
"attributes": {
"title": "MQTT - Log Count",
"visState": "{\"title\":\"MQTT - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "76cf2c00-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "275fd330-ef59-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5MSwxXQ==",
"attributes": {
"title": "MQTT - Log Count Over Time",
"visState": "{\"title\":\"MQTT - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MQTT Message Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "76cf2c00-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "74ca3ed0-ef59-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5MiwxXQ==",
"attributes": {
"title": "MQTT - Source IP",
"visState": "{\"title\":\"MQTT - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "76cf2c00-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9a437230-ef59-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5MywxXQ==",
"attributes": {
"title": "MQTT - Destination IP",
"visState": "{\"title\":\"MQTT - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "76cf2c00-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "dea31bb0-ef59-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5NCwxXQ==",
"attributes": {
"title": "MQTT - Protocol",
"visState": "{\"title\":\"MQTT - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"MQTT Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_mqtt_connect.proto_version\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol Version\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5b0af9f0-ef57-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5c4b61d0-ef5a-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5NSwxXQ==",
"attributes": {
"title": "MQTT - Client ID",
"visState": "{\"title\":\"MQTT - Client ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_connect.client_id\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Client ID\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "5b0af9f0-ef57-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c09dc150-ef5a-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5NiwxXQ==",
"attributes": {
"title": "MQTT - Subscription",
"visState": "{\"title\":\"MQTT - Subscription\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.topics\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_subscribe.action\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Action\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0df7e0a0-ef58-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8079a930-ef5b-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5NywxXQ==",
"attributes": {
"title": "MQTT - Publish",
"visState": "{\"title\":\"MQTT - Publish\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "af5d47b0-ef57-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "da136f80-ef5b-11e9-974e-9d600036d105",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5OCwxXQ==",
"attributes": {
"title": "MQTT - Publish Payload",
"visState": "{\"title\":\"MQTT - Publish Payload\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.topic\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Topic\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.from_client\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From Client\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload_len\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Length\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.payload\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Payload\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_mqtt_publish.status\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Status\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "af5d47b0-ef57-11e9-974e-9d600036d105"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "76cf2c00-ef58-11e9-974e-9d600036d105",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzU5OSwxXQ==",
"attributes": {
"title": "MQTT - All Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek.logType",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "5b0af9f0-ef57-11e9-974e-9d600036d105",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzYwMCwxXQ==",
"attributes": {
"title": "MQTT - Connect Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"zeek_mqtt_connect.client_id",
"dstIp",
"dstPort",
"zeek_mqtt_connect.proto_name",
"zeek_mqtt_connect.connect_status",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "0df7e0a0-ef58-11e9-974e-9d600036d105",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzYwMSwxXQ==",
"attributes": {
"title": "MQTT - Subscribe Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_mqtt_subscribe.action",
"zeek_mqtt_subscribe.topics",
"zeek_mqtt_subscribe.ack",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "af5d47b0-ef57-11e9-974e-9d600036d105",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:42.154Z",
"version": "WzYwMiwxXQ==",
"attributes": {
"title": "MQTT - Publish Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_mqtt_publish.from_client",
"zeek_mqtt_publish.topic",
"zeek_mqtt_publish.status",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:\\\"mqtt_publish\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

209
Vagrant/resources/malcolm/kibana/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json Normal file
View File

@@ -0,0 +1,209 @@
{
"version": "7.10.0",
"objects": [
{
"id": "87d990cc-9e0b-41e5-b8fe-b10ae1da0c85",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:43.189Z",
"version": "WzYwMywxXQ==",
"attributes": {
"title": "Software",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":36,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":36,\"i\":\"f99c68bd-2da6-41d5-bbd1-45f85e79526c\"},\"panelIndex\":\"f99c68bd-2da6-41d5-bbd1-45f85e79526c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "097640cc-167e-453d-bf5a-0e92ac1347fc"
},
{
"name": "panel_2",
"type": "visualization",
"id": "AWDHEKJUxQT5EBNmq4jW"
},
{
"name": "panel_3",
"type": "visualization",
"id": "bb882862-2f74-440a-bb62-41a9dca2b463"
},
{
"name": "panel_4",
"type": "search",
"id": "7d54b196-5c2b-485e-9798-f116fb668413"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "097640cc-167e-453d-bf5a-0e92ac1347fc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:43.189Z",
"version": "WzYwNSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Software - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d54b196-5c2b-485e-9798-f116fb668413"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHEKJUxQT5EBNmq4jW",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:43.189Z",
"version": "WzYwNiwxXQ==",
"attributes": {
"title": "Software - Log Count",
"visState": "{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d54b196-5c2b-485e-9798-f116fb668413"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bb882862-2f74-440a-bb62-41a9dca2b463",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:43.189Z",
"version": "WzYwNywxXQ==",
"attributes": {
"visState": "{\"title\":\"Software - Summary\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.software_type\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.name\",\"otherBucket\":false,\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_major\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_software.version_minor\",\"otherBucket\":false,\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}",
"description": "",
"title": "Software - Summary",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d54b196-5c2b-485e-9798-f116fb668413"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7d54b196-5c2b-485e-9798-f116fb668413",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:43.189Z",
"version": "WzYwOCwxXQ==",
"attributes": {
"title": "Software - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"zeek_software.software_type",
"zeek_software.name",
"zeek_software.unparsed_version"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:software\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

387
Vagrant/resources/malcolm/kibana/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json Normal file
View File

@@ -0,0 +1,387 @@
{
"version": "7.10.0",
"objects": [
{
"id": "92985909-dc29-4533-9e80-d3182a0ecf1d",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:46:32.487Z",
"version": "WzM1OTUsMV0=",
"attributes": {
"title": "Syslog",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":29,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":13,\"y\":29,\"w\":13,\"h\":18,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":26,\"y\":29,\"w\":13,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":39,\"y\":29,\"w\":9,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":13,\"h\":21,\"i\":\"d1325585-cce1-46f1-acfd-59d64a8be83a\"},\"panelIndex\":\"d1325585-cce1-46f1-acfd-59d64a8be83a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":21,\"y\":8,\"w\":27,\"h\":21,\"i\":\"2abd9c38-fd1e-44fa-b391-ead499a92787\"},\"panelIndex\":\"2abd9c38-fd1e-44fa-b391-ead499a92787\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":29,\"w\":13,\"h\":18,\"i\":\"13e3b050-3d67-4745-a182-b462852a67ef\"},\"panelIndex\":\"13e3b050-3d67-4745-a182-b462852a67ef\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":44,\"i\":\"59631e23-e452-40a9-a9dd-7d432278d35f\"},\"panelIndex\":\"59631e23-e452-40a9-a9dd-7d432278d35f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "cf553dfa-f641-47cf-916d-041cf46a80c4"
},
{
"name": "panel_2",
"type": "visualization",
"id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76"
},
{
"name": "panel_3",
"type": "visualization",
"id": "f54d6418-1499-4a14-9a8e-f706249b9962"
},
{
"name": "panel_4",
"type": "visualization",
"id": "6a006054-309e-447f-9371-99f119d18291"
},
{
"name": "panel_5",
"type": "visualization",
"id": "AWDHE-_wxQT5EBNmq4n3"
},
{
"name": "panel_6",
"type": "visualization",
"id": "eb455420-4dda-11ea-8336-d3388483188b"
},
{
"name": "panel_7",
"type": "visualization",
"id": "343952d0-4ddb-11ea-8336-d3388483188b"
},
{
"name": "panel_8",
"type": "visualization",
"id": "19044160-4dda-11ea-8336-d3388483188b"
},
{
"name": "panel_9",
"type": "search",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cf553dfa-f641-47cf-916d-041cf46a80c4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxMSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Syslog - Log Count Over Time",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "46cba2ad-03cd-4eef-8e3a-c35ac3ac1b76",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxMiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Syslog - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f54d6418-1499-4a14-9a8e-f706249b9962",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxMywxXQ==",
"attributes": {
"visState": "{\"title\":\"Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Syslog - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6a006054-309e-447f-9371-99f119d18291",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxNCwxXQ==",
"attributes": {
"title": "Syslog - Destination Port",
"visState": "{\"title\":\"Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHE-_wxQT5EBNmq4n3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxNSwxXQ==",
"attributes": {
"title": "Syslog - Log Count",
"visState": "{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "eb455420-4dda-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxNiwxXQ==",
"attributes": {
"title": "Syslog - Severity",
"visState": "{\"title\":\"Syslog - Severity\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Severity\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_syslog.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Severity\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "343952d0-4ddb-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:43:14.525Z",
"version": "WzM1NTcsMV0=",
"attributes": {
"title": "Syslog - Facility",
"visState": "{\"title\":\"Syslog - Facility\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_syslog.facility\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Facility\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "19044160-4dda-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxOCwxXQ==",
"attributes": {
"title": "Syslog - Protocol",
"visState": "{\"title\":\"Syslog - Protocol\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"IP Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Protocol\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7d7fd24e-51be-4040-83b3-a6630e989e2d",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:44.215Z",
"version": "WzYxOSwxXQ==",
"attributes": {
"title": "Syslog (Zeek) - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_syslog.severity",
"zeek_syslog.facility",
"zeek_syslog.message",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:syslog\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

571
Vagrant/resources/malcolm/kibana/dashboards/95479950-41f2-11ea-88fa-7151df485405.json Normal file
View File

@@ -0,0 +1,571 @@
{
"version": "7.10.0",
"objects": [
{
"id": "95479950-41f2-11ea-88fa-7151df485405",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T16:31:39.543Z",
"version": "WzIwMTQsMV0=",
"attributes": {
"title": "Security Overview",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":23,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":23,\"i\":\"320b8bf0-6567-4d0b-b7d1-7402baf830d4\",\"w\":12,\"x\":8,\"y\":0},\"panelIndex\":\"320b8bf0-6567-4d0b-b7d1-7402baf830d4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":23,\"i\":\"8f421b7e-8ea9-4d52-a165-8e2a4fa78fd0\",\"w\":15,\"x\":20,\"y\":0},\"panelIndex\":\"8f421b7e-8ea9-4d52-a165-8e2a4fa78fd0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":23,\"i\":\"119a8b45-c803-4c71-93b4-a9514803021a\",\"w\":13,\"x\":35,\"y\":0},\"panelIndex\":\"119a8b45-c803-4c71-93b4-a9514803021a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\",\"w\":15,\"x\":0,\"y\":23},\"panelIndex\":\"1789e54a-db27-4e5e-92d3-2f44b3f9f96e\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":38,\"i\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\",\"w\":15,\"x\":15,\"y\":23},\"panelIndex\":\"9df4498d-9d4d-4613-bc54-8fca34ade25c\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\",\"w\":9,\"x\":30,\"y\":23},\"panelIndex\":\"4cdbaf8d-bb32-457f-a198-e9734168c5eb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"61f158d0-8c28-499f-af09-4df087948d42\",\"w\":9,\"x\":39,\"y\":23},\"panelIndex\":\"61f158d0-8c28-499f-af09-4df087948d42\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":20,\"i\":\"071a1c98-695f-4708-92c9-2c950e515131\",\"w\":15,\"x\":0,\"y\":41},\"panelIndex\":\"071a1c98-695f-4708-92c9-2c950e515131\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":19,\"i\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\",\"w\":48,\"x\":0,\"y\":61},\"panelIndex\":\"2231b6ad-9e0d-4524-a359-bdc2c8332991\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":30,\"y\":41,\"w\":18,\"h\":20,\"i\":\"6beedf2b-5d72-48af-a90f-f56781764efe\"},\"panelIndex\":\"6beedf2b-5d72-48af-a90f-f56781764efe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "a4f6eba0-41f5-11ea-88fa-7151df485405"
},
{
"name": "panel_2",
"type": "visualization",
"id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75"
},
{
"name": "panel_3",
"type": "visualization",
"id": "c5b1e590-41f3-11ea-88fa-7151df485405"
},
{
"name": "panel_4",
"type": "visualization",
"id": "e9f27fa0-41f8-11ea-88fa-7151df485405"
},
{
"name": "panel_5",
"type": "visualization",
"id": "f7b3ba60-41f7-11ea-88fa-7151df485405"
},
{
"name": "panel_6",
"type": "visualization",
"id": "0ffb5790-41f3-11ea-88fa-7151df485405"
},
{
"name": "panel_7",
"type": "visualization",
"id": "4a183420-41f3-11ea-88fa-7151df485405"
},
{
"name": "panel_8",
"type": "visualization",
"id": "69241a80-421d-11ea-9084-41ab7c5fff2e"
},
{
"name": "panel_9",
"type": "visualization",
"id": "d8b8a6a0-41fe-11ea-88fa-7151df485405"
},
{
"name": "panel_10",
"type": "visualization",
"id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:25:07.132Z",
"version": "WzY5MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a4f6eba0-41f5-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQzOCwxXQ==",
"attributes": {
"title": "Notices by Category",
"visState": "{\"title\":\"Notices by Category\",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.note\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice Category\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0e9b1a00-525e-11e9-9bd7-13d6d1bafa75",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQzOSwxXQ==",
"attributes": {
"title": "Signatures - Signature IDs",
"visState": "{\"title\":\"Signatures - Signature IDs\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":40},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":20},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Signature ID\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_signatures.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Signature ID\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c5b1e590-41f3-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0MCwxXQ==",
"attributes": {
"title": "Clear-text Transmission of Passwords ",
"visState": "{\"title\":\"Clear-text Transmission of Passwords \",\"type\":\"table\",\"params\":{\"perPage\":15,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Username\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\\\\*password:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e9f27fa0-41f8-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0MSwxXQ==",
"attributes": {
"title": "Outdated/Insecure Application Protocols",
"visState": "{\"title\":\"Outdated/Insecure Application Protocols\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"(NOT zeek.logType:known*) AND ((zeek.service:ssh AND zeek.service_version < 2) OR (zeek.service:smb AND zeek.service_version < 2) OR (zeek.service:tls AND NOT zeek.service_version:(*TLS*v12* OR *TLS*v13*)) OR (zeek.service:ntp AND zeek.service_version < 4) OR (zeek.service:rfb AND zeek.service_version < 3.8) OR (zeek.service:rdp AND zeek.service_version < 6.0) OR (zeek.service:snmp AND zeek.service_version < 3) OR (zeek.service:ldap AND zeek.service_version < 3) OR (zeek.service:ftp) OR (zeek.service:tftp) OR (zeek.service:telnet) OR (zeek.service:rlogin) OR (zeek.service:rsh))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f7b3ba60-41f7-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0MiwxXQ==",
"attributes": {
"title": "Connections by Destination Country (region map)",
"visState": "{\"title\":\"Connections by Destination Country (region map)\",\"type\":\"region_map\",\"params\":{\"legendPosition\":\"bottomright\",\"addTooltip\":true,\"colorSchema\":\"Blues\",\"emsHotLink\":\"\",\"isDisplayWarning\":false,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<p><a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>\"}},\"mapZoom\":2,\"mapCenter\":[0,0],\"outlineWeight\":1,\"showAllShapes\":true,\"selectedLayer\":{\"name\":\"World (offline)\",\"url\":\"/world.geojson\",\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"name\":\"ISO_A2\",\"description\":\"Country Code\"},{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},{\"name\":\"NAME\",\"description\":\"Country Name\"}],\"format\":{\"type\":\"geojson\"},\"meta\":{\"feature_collection_path\":\"data\"},\"layerId\":\"self_hosted.World (offline)\",\"isEMS\":false},\"selectedJoinField\":{\"name\":\"WB_A2\",\"description\":\"Country Code2\"},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Connections\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_code2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}",
"uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[37.16031654673677,-5.7511603125000015]}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0ffb5790-41f3-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0MywxXQ==",
"attributes": {
"title": "Inbound External Traffic by Country",
"visState": "{\"title\":\"Inbound External Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.source_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Originating Country\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"tags:external_source AND tags:internal_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4a183420-41f3-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0NCwxXQ==",
"attributes": {
"title": "Outbound Internal Traffic by Country",
"visState": "{\"title\":\"Outbound Internal Traffic by Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Responding Country\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"tags:internal_source AND tags:external_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "69241a80-421d-11ea-9084-41ab7c5fff2e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0NSwxXQ==",
"attributes": {
"title": "DNS Queries by Randomness",
"visState": "{\"title\":\"DNS Queries by Randomness\",\"type\":\"table\",\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}}],\"metrics\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.host\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"DNS Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v1\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 1)\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.freq_score_v2\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Randomness Score (method 2)\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d8b8a6a0-41fe-11ea-88fa-7151df485405",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0NywxXQ==",
"attributes": {
"title": "External Remote Access Over Time",
"visState": "{\"title\":\"External Remote Access Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1976-01-28T18:52:45.953Z\",\"max\":\"2020-01-28T18:52:45.953Z\"}},\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-44y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.service:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3a582cc0-6fab-11eb-958c-51e33b5cae2a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T16:31:17.388Z",
"version": "WzE5ODUsMV0=",
"attributes": {
"title": "File Types Observed",
"visState": "{\"title\":\"File Types Observed\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.filetype\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Type\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":42,\"showLabel\":true}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:25:04.031Z",
"version": "WzY2OCwxXQ==",
"attributes": {
"title": "Notices - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_notice.category",
"zeek_notice.sub_category",
"zeek_notice.msg",
"srcIp",
"dstIp",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "34dd33c0-523f-11e9-a30e-e3576242f3ed",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ0OSwxXQ==",
"attributes": {
"title": "Signatures - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_signatures.note",
"zeek_signatures.signature_id",
"zeek_signatures.signature_count",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:25:05.059Z",
"version": "WzY3NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "0b971165-4c39-42ed-b80d-8a8f5658a38e",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:42.447Z",
"version": "WzQ1MSwxXQ==",
"attributes": {
"title": "DNS - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_dns.query",
"zeek_dns.answers",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

386
Vagrant/resources/malcolm/kibana/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json Normal file
View File

@@ -0,0 +1,386 @@
{
"version": "7.10.0",
"objects": [
{
"id": "9ee51f94-3316-4fc5-bd89-93a52af69714",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzYzNiwxXQ==",
"attributes": {
"title": "Files",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":43,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":28,\"y\":24,\"w\":20,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":32,\"y\":43,\"w\":16,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":43,\"w\":16,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":16,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":43,\"w\":16,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":24,\"w\":20,\"h\":19,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":63,\"w\":48,\"h\":35,\"i\":\"8e4863be-7d69-4354-9eb4-4e30a7c983d6\"},\"panelIndex\":\"8e4863be-7d69-4354-9eb4-4e30a7c983d6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "aaa4fbb0-d5fe-4ef9-be76-405b977bcd5b"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "66d5d357-edce-450d-b5be-a5a00190e153"
},
{
"name": "panel_3",
"type": "visualization",
"id": "d3a0ac2e-73cf-462e-8b03-e6ff3b8612b7"
},
{
"name": "panel_4",
"type": "visualization",
"id": "9ba4473b-66f4-4aea-b19e-4309ec6534b8"
},
{
"name": "panel_5",
"type": "visualization",
"id": "4474edda-47f0-4b74-b5d2-cbf012368c59"
},
{
"name": "panel_6",
"type": "visualization",
"id": "b1cb0275-a84e-4ef3-ad40-b2b773be43ff"
},
{
"name": "panel_7",
"type": "visualization",
"id": "AWDG9goqxQT5EBNmq4BP"
},
{
"name": "panel_8",
"type": "visualization",
"id": "5a4e8261-d65c-4b36-b3f4-5c272f18990f"
},
{
"name": "panel_9",
"type": "search",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "aaa4fbb0-d5fe-4ef9-be76-405b977bcd5b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzYzNywxXQ==",
"attributes": {
"visState": "{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "Files - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "66d5d357-edce-450d-b5be-a5a00190e153",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzYzOSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.seen_bytes\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}",
"description": "",
"title": "Files - Files By Size (Bytes)",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d3a0ac2e-73cf-462e-8b03-e6ff3b8612b7",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "FIles - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9ba4473b-66f4-4aea-b19e-4309ec6534b8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.tx_hosts\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "FIles - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4474edda-47f0-4b74-b5d2-cbf012368c59",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0MiwxXQ==",
"attributes": {
"title": "Files - MIME Type",
"visState": "{\"title\":\"Files - MIME Type\",\"type\":\"histogram\",\"params\":{\"addLegend\":false,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b1cb0275-a84e-4ef3-ad40-b2b773be43ff",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0MywxXQ==",
"attributes": {
"visState": "{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}",
"description": "",
"title": "FIles - MIME Type",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG9goqxQT5EBNmq4BP",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0NCwxXQ==",
"attributes": {
"title": "Files - Log Count",
"visState": "{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5a4e8261-d65c-4b36-b3f4-5c272f18990f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0NSwxXQ==",
"attributes": {
"title": "Files - Source",
"visState": "{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_files.source\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0aca5333-3b1c-4cda-afb4-f7dd86910459",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:46.241Z",
"version": "WzY0NiwxXQ==",
"attributes": {
"title": "Files - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_files.tx_hosts",
"dstIp",
"zeek_files.source",
"zeek_files.mime_type",
"zeek.uid",
"zeek.fuid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "a16110b0-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:47.256Z",
"version": "WzY0NywxXQ==",
"attributes": {
"title": "Connections - Destination - Sum of Total Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"95f9b964-c2a2-416b-9903-8b969247e1ab\"},\"panelIndex\":\"95f9b964-c2a2-416b-9903-8b969247e1ab\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"7f315dd1-7809-49af-bed1-edfa12322240\"},\"panelIndex\":\"7f315dd1-7809-49af-bed1-edfa12322240\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "304de8c0-3f95-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "304de8c0-3f95-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:47.256Z",
"version": "WzY0OSwxXQ==",
"attributes": {
"title": "Connections - Destination - Sum of Total Bytes (region map)",
"visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Total Bytes\",\"aggType\":\"sum\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Responder Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[38.14774734584061,16.699218750000004],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

313
Vagrant/resources/malcolm/kibana/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json Normal file
View File

@@ -0,0 +1,313 @@
{
"version": "7.10.2",
"objects": [
{
"id": "a33e0a50-afcd-11ea-993f-b7d8522a8bed",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T19:03:14.686Z",
"version": "Wzk1NywxXQ==",
"attributes": {
"title": "Actions and Results",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":46,\"i\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\"},\"panelIndex\":\"f9de9d8e-c9a8-4a7a-81f4-51d42e2585b3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":13,\"h\":7,\"i\":\"12265d8d-1385-4adb-8974-941feadbc9a4\"},\"panelIndex\":\"12265d8d-1385-4adb-8974-941feadbc9a4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":21,\"y\":0,\"w\":27,\"h\":15,\"i\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\"},\"panelIndex\":\"b5a79234-5b7b-4cf2-b558-1e943df3663a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":13,\"h\":8,\"i\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\"},\"panelIndex\":\"1c6b7570-f4dc-4887-b444-ca96a97d7b84\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":8,\"y\":15,\"w\":40,\"h\":31,\"i\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\"},\"panelIndex\":\"33f87f47-f981-46dd-8a9f-bb3c9ff7bf20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":24,\"h\":18,\"i\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\"},\"panelIndex\":\"7473d8ee-ff30-44be-a4c8-be9008b3681b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":24,\"y\":46,\"w\":24,\"h\":18,\"i\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\"},\"panelIndex\":\"ff71b8b2-8f23-4955-a4ae-65494e1894b7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.2\",\"gridData\":{\"x\":0,\"y\":64,\"w\":48,\"h\":31,\"i\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\"},\"panelIndex\":\"fcff266b-64f1-48fa-ade1-3e7ef4399fa1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]",
"optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed"
},
{
"name": "panel_2",
"type": "visualization",
"id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed"
},
{
"name": "panel_3",
"type": "visualization",
"id": "AWDGyaGxxQT5EBNmq3K9"
},
{
"name": "panel_4",
"type": "visualization",
"id": "1c4354d0-7609-11eb-8496-3528afc64ddb"
},
{
"name": "panel_5",
"type": "visualization",
"id": "77bd1870-46ce-11ea-91c3-61991161aaaf"
},
{
"name": "panel_6",
"type": "visualization",
"id": "767e3d90-afce-11ea-993f-b7d8522a8bed"
},
{
"name": "panel_7",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:47:06.069Z",
"version": "Wzg3NCwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c9bbbcc0-afca-11ea-993f-b7d8522a8bed",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:44.860Z",
"version": "WzY1MywxXQ==",
"attributes": {
"title": "Filter by Application Protocol",
"visState": "{\"title\":\"Filter by Application Protocol\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1592309516260\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Application Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6f5d5c00-afcc-11ea-993f-b7d8522a8bed",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:44.860Z",
"version": "WzY1NCwxXQ==",
"attributes": {
"title": "Total Log Count Over Time by Application Protocol",
"visState": "{\"title\":\"Total Log Count Over Time by Application Protocol\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-01-14T21:31:46.075Z\",\"max\":\"2021-01-14T21:31:46.075Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Application Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Application Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDGyaGxxQT5EBNmq3K9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:44.860Z",
"version": "WzY1NSwxXQ==",
"attributes": {
"title": "Total Number of Logs",
"visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1c4354d0-7609-11eb-8496-3528afc64ddb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:58:26.589Z",
"version": "WzkyMywxXQ==",
"attributes": {
"title": "Top Actions and Results by Service",
"visState": "{\"title\":\"Top Actions and Results by Service\",\"type\":\"kbn_sankey\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"computedColumns\":[],\"computedColsPerSplitCol\":false,\"hideExportLinks\":false,\"csvExportWithTotal\":false,\"stripedRows\":false,\"addRowNumberColumn\":false,\"csvEncoding\":\"utf-8\",\"showFilterBar\":false,\"filterCaseSensitive\":false,\"filterBarHideable\":false,\"filterAsYouType\":false,\"filterTermsSeparately\":false,\"filterHighlightResults\":false,\"filterBarWidth\":\"25%\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.service:* AND (zeek.action:* OR zeek.result:*)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "77bd1870-46ce-11ea-91c3-61991161aaaf",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:44.860Z",
"version": "WzY1NiwxXQ==",
"attributes": {
"title": "Actions",
"visState": "{\"title\":\"Actions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Action\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "767e3d90-afce-11ea-993f-b7d8522a8bed",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:44.860Z",
"version": "WzY1NywxXQ==",
"attributes": {
"title": "Results",
"visState": "{\"title\":\"Results\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Result\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-23T18:46:55.986Z",
"version": "Wzc4OSwxXQ==",
"attributes": {
"title": "All Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.service",
"zeek.action",
"zeek.result",
"srcIp",
"dstIp",
"dstPort",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

483
Vagrant/resources/malcolm/kibana/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json Normal file
View File

@@ -0,0 +1,483 @@
{
"version": "7.10.0",
"objects": [
{
"id": "a7514350-eba6-11e9-a384-0fcf32210194",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2MSwxXQ==",
"attributes": {
"title": "PROFINET",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":69,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":69,\"w\":48,\"h\":34,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":50,\"w\":19,\"h\":19,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":50,\"w\":21,\"h\":19,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":14,\"w\":16,\"h\":19,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":24,\"y\":14,\"w\":24,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":33,\"w\":19,\"h\":17,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":27,\"y\":33,\"w\":21,\"h\":17,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "bf41a680-eba6-11e9-a384-0fcf32210194"
},
{
"name": "panel_2",
"type": "visualization",
"id": "fcf95d10-eba6-11e9-a384-0fcf32210194"
},
{
"name": "panel_3",
"type": "search",
"id": "a0a10870-eba5-11e9-a384-0fcf32210194"
},
{
"name": "panel_4",
"type": "visualization",
"id": "ec42baa0-eba8-11e9-a384-0fcf32210194"
},
{
"name": "panel_5",
"type": "visualization",
"id": "0957f330-eba9-11e9-a384-0fcf32210194"
},
{
"name": "panel_6",
"type": "visualization",
"id": "41f36a70-ebaa-11e9-a384-0fcf32210194"
},
{
"name": "panel_7",
"type": "visualization",
"id": "9dccb5f0-eba9-11e9-a384-0fcf32210194"
},
{
"name": "panel_8",
"type": "visualization",
"id": "17319090-ebab-11e9-a384-0fcf32210194"
},
{
"name": "panel_9",
"type": "visualization",
"id": "8022cc90-ebab-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bf41a680-eba6-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2MywxXQ==",
"attributes": {
"title": "PROFINET - Log Count",
"visState": "{\"title\":\"PROFINET - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "fcf95d10-eba6-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2NCwxXQ==",
"attributes": {
"title": "PROFINET - Logs Over Time",
"visState": "{\"title\":\"PROFINET - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"profinet, profinet_dce_rpc\",\"params\":[\"profinet\",\"profinet_dce_rpc\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"profinet\"}},{\"match_phrase\":{\"zeek.logType\":\"profinet_dce_rpc\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a0a10870-eba5-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2NSwxXQ==",
"attributes": {
"title": "PROFINET and Related - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_profinet.operation_type",
"zeek_profinet.index",
"zeek_profinet_dce_rpc.operation",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "ec42baa0-eba8-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2NiwxXQ==",
"attributes": {
"title": "PROFINET - Source IP",
"visState": "{\"title\":\"PROFINET - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a0a10870-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0957f330-eba9-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2NywxXQ==",
"attributes": {
"title": "PROFINET - Destination IP",
"visState": "{\"title\":\"PROFINET - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "a0a10870-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "41f36a70-ebaa-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2OCwxXQ==",
"attributes": {
"title": "PROFINET - Operation",
"visState": "{\"title\":\"PROFINET - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8524e670-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9dccb5f0-eba9-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY2OSwxXQ==",
"attributes": {
"title": "PROFINET - Operation Details",
"visState": "{\"title\":\"PROFINET - Operation Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.operation_type\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.index\",\"size\":30,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Index\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.slot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Slot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_profinet.subslot_number\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Subslot\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8524e670-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "17319090-ebab-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY3MCwxXQ==",
"attributes": {
"title": "PROFINET DCE/RPC - Operation",
"visState": "{\"title\":\"PROFINET DCE/RPC - Operation\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.operation\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "96d31d60-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8022cc90-ebab-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY3MSwxXQ==",
"attributes": {
"title": "PROFINET DCE/RPC - Packet Type",
"visState": "{\"title\":\"PROFINET DCE/RPC - Packet Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_profinet_dce_rpc.packet_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Packet Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "96d31d60-eba5-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8524e670-eba5-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY3MiwxXQ==",
"attributes": {
"title": "PROFINET - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_profinet.block_version",
"zeek_profinet.operation_type",
"zeek_profinet.index",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "96d31d60-eba5-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:49.327Z",
"version": "WzY3MywxXQ==",
"attributes": {
"title": "PROFINET DCE/RPC - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"zeek_profinet_dce_rpc.version",
"zeek_profinet_dce_rpc.operation",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

941
Vagrant/resources/malcolm/kibana/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json Normal file
View File

File diff suppressed because one or more lines are too long

423
Vagrant/resources/malcolm/kibana/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json Normal file
View File

@@ -0,0 +1,423 @@
{
"version": "7.10.0",
"objects": [
{
"id": "ae79b7d1-4281-4095-b2f6-fa7eafda9970",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:14:34.527Z",
"version": "WzI2MjYsMV0=",
"attributes": {
"title": "RADIUS",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":27,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":18,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":12,\"y\":27,\"w\":14,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":37,\"y\":8,\"w\":11,\"h\":19,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":26,\"y\":27,\"w\":22,\"h\":18,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":17,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":35,\"i\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\"},\"panelIndex\":\"1422b8a5-559d-4c37-91aa-cc36a293ddff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":24,\"h\":15,\"i\":\"118a0612-bdbb-4918-aab5-79830ee636aa\"},\"panelIndex\":\"118a0612-bdbb-4918-aab5-79830ee636aa\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "4a3b4d78-6adc-4e6f-a7ae-180c6a58e49f"
},
{
"name": "panel_2",
"type": "visualization",
"id": "799ed170-b759-4b14-8a05-8fbdb356ec0e"
},
{
"name": "panel_3",
"type": "visualization",
"id": "6f92b5d9-82b3-477f-9cd5-a68d62a2c804"
},
{
"name": "panel_4",
"type": "visualization",
"id": "45e768b2-e4b3-4e3f-8f1f-9a9300dedce6"
},
{
"name": "panel_5",
"type": "visualization",
"id": "5d64df1a-dc17-475a-ac3b-99e5c4c244f6"
},
{
"name": "panel_6",
"type": "visualization",
"id": "AWDHCgWzxQT5EBNmq4Y5"
},
{
"name": "panel_7",
"type": "visualization",
"id": "56f04556-a0c9-4b82-878b-8d5d9f29edd6"
},
{
"name": "panel_8",
"type": "visualization",
"id": "0299c83a-bd6c-40e6-bd18-01ee324ae7b0"
},
{
"name": "panel_9",
"type": "search",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
},
{
"name": "panel_10",
"type": "visualization",
"id": "168e6b40-6c83-11eb-b775-c574dc643cbb"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4a3b4d78-6adc-4e6f-a7ae-180c6a58e49f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcwMywxXQ==",
"attributes": {
"visState": "{\"title\":\"RADIUS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "RADIUS - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "799ed170-b759-4b14-8a05-8fbdb356ec0e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcwNCwxXQ==",
"attributes": {
"visState": "{\"title\":\"RADIUS - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "RADIUS - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6f92b5d9-82b3-477f-9cd5-a68d62a2c804",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:09:23.116Z",
"version": "WzI0MzgsMV0=",
"attributes": {
"title": "RADIUS - Destination IP Address",
"visState": "{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "45e768b2-e4b3-4e3f-8f1f-9a9300dedce6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcwNiwxXQ==",
"attributes": {
"visState": "{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.mac\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}",
"description": "",
"title": "RADIUS - MAC",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5d64df1a-dc17-475a-ac3b-99e5c4c244f6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcwNywxXQ==",
"attributes": {
"visState": "{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_radius.connect_info\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}",
"description": "",
"title": "RADIUS - Connection Information",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHCgWzxQT5EBNmq4Y5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcwOSwxXQ==",
"attributes": {
"title": "RADIUS - Log Count",
"visState": "{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "56f04556-a0c9-4b82-878b-8d5d9f29edd6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcxMCwxXQ==",
"attributes": {
"title": "RADIUS - Username",
"visState": "{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0299c83a-bd6c-40e6-bd18-01ee324ae7b0",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:06:45.852Z",
"version": "WzI0MTYsMV0=",
"attributes": {
"title": "RADIUS - Authentication Result",
"visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_radius.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:51.359Z",
"version": "WzcxMiwxXQ==",
"attributes": {
"title": "RADIUS - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek.user",
"zeek_radius.mac",
"zeek_radius.framed_addr",
"zeek_radius.result",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:radius\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "168e6b40-6c83-11eb-b775-c574dc643cbb",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:06:23.988Z",
"version": "WzI0MDEsMV0=",
"attributes": {
"title": "RADIUS - Authentication Result",
"visState": "{\"title\":\"RADIUS - Authentication Result\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_radius.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "33bc7949-5692-4044-9e3c-0791dc7d70c0"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

388
Vagrant/resources/malcolm/kibana/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json Normal file
View File

@@ -0,0 +1,388 @@
{
"version": "7.10.0",
"objects": [
{
"id": "af5df620-eeb6-11e9-bdef-65a192b7f586",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T16:00:05.351Z",
"version": "WzIzMzIsMV0=",
"attributes": {
"title": "NTP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":29,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"table\":null},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":24,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":19,\"h\":20,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":27,\"y\":8,\"w\":21,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":28,\"w\":24,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":48,\"w\":24,\"h\":18,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":48,\"w\":24,\"h\":18,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "search",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
},
{
"name": "panel_2",
"type": "visualization",
"id": "d0e56b00-eeb8-11e9-bdef-65a192b7f586"
},
{
"name": "panel_3",
"type": "visualization",
"id": "24850a90-eeb9-11e9-bdef-65a192b7f586"
},
{
"name": "panel_4",
"type": "visualization",
"id": "48e18de0-eeba-11e9-bdef-65a192b7f586"
},
{
"name": "panel_5",
"type": "visualization",
"id": "1c6cf390-eebe-11e9-bdef-65a192b7f586"
},
{
"name": "panel_6",
"type": "visualization",
"id": "089c9ff0-eebe-11e9-bdef-65a192b7f586"
},
{
"name": "panel_7",
"type": "visualization",
"id": "8ee8f720-eebe-11e9-bdef-65a192b7f586"
},
{
"name": "panel_8",
"type": "visualization",
"id": "6ba97b90-eec8-11e9-acf8-c715d8d1900e"
},
{
"name": "panel_9",
"type": "visualization",
"id": "9050b8f0-eec8-11e9-acf8-c715d8d1900e"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e8699550-eeac-11e9-bdef-65a192b7f586",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcxNSwxXQ==",
"attributes": {
"title": "NTP - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_ntp.version",
"zeek_ntp.stratum",
"zeek_ntp.mode_str",
"zeek_ntp.org_time",
"zeek_ntp.xmt_time",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:ntp\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "d0e56b00-eeb8-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcxNiwxXQ==",
"attributes": {
"title": "NTP - Log Count",
"visState": "{\"title\":\"NTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "24850a90-eeb9-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcxNywxXQ==",
"attributes": {
"title": "NTP - Log Count Over Time",
"visState": "{\"title\":\"NTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Version\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "48e18de0-eeba-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcxOCwxXQ==",
"attributes": {
"title": "NTP - Stratum",
"visState": "{\"title\":\"NTP - Stratum\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.stratum\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NTP Stratum\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1c6cf390-eebe-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcxOSwxXQ==",
"attributes": {
"title": "NTP - Version",
"visState": "{\"title\":\"NTP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.version\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Version\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "089c9ff0-eebe-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcyMCwxXQ==",
"attributes": {
"title": "NTP - Mode",
"visState": "{\"title\":\"NTP - Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.mode_str\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"NTP Mode\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8ee8f720-eebe-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcyMSwxXQ==",
"attributes": {
"title": "NTP - Polling Interval",
"visState": "{\"title\":\"NTP - Polling Interval\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_ntp.poll\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Polling Interval (seconds)\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6ba97b90-eec8-11e9-acf8-c715d8d1900e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcyMiwxXQ==",
"attributes": {
"title": "NTP - Source IP",
"visState": "{\"title\":\"NTP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9050b8f0-eec8-11e9-acf8-c715d8d1900e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:52.397Z",
"version": "WzcyMywxXQ==",
"attributes": {
"title": "NTP - Destination IP",
"visState": "{\"title\":\"NTP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "e8699550-eeac-11e9-bdef-65a192b7f586"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "b50c8d17-6ed3-4de6-aed4-5181032810b2",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:53.414Z",
"version": "WzcyNCwxXQ==",
"attributes": {
"title": "Connections - Source - Originator Bytes",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"5a871ebe-5904-4f52-ab3a-e3da4846933d\"},\"panelIndex\":\"5a871ebe-5904-4f52-ab3a-e3da4846933d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"3b635110-907e-457a-bfdf-b86a667a8483\"},\"panelIndex\":\"3b635110-907e-457a-bfdf-b86a667a8483\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "e959f9f2-e154-417f-a530-e1d7744ab9e4"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "e959f9f2-e154-417f-a530-e1d7744ab9e4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:53.414Z",
"version": "WzcyNiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Source - Originator Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Source - Originator Bytes",
"uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "b9f247c0-3f99-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:54.429Z",
"version": "WzczMCwxXQ==",
"attributes": {
"title": "Connections - Destination - Top Connection Duration (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"c96be8c5-f3a1-4d01-a747-66cc2d298318\"},\"panelIndex\":\"c96be8c5-f3a1-4d01-a747-66cc2d298318\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"266c822f-c268-4e47-a53e-90b6ecf74660\"},\"panelIndex\":\"266c822f-c268-4e47-a53e-90b6ecf74660\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "9b1b6960-3f96-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "9b1b6960-3f96-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:54.429Z",
"version": "WzczMiwxXQ==",
"attributes": {
"title": "Connections - Destination - Top Connection Duration (region map)",
"visState": "{\"title\":\"Connections - Destination - Top Connection Duration (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}},\"params\":{},\"label\":\"Longest Session (seconds)\",\"aggType\":\"max\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Responder Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\",\"customLabel\":\"Longest Session (seconds)\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Responder Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[38.28591031601368,16.875000000000004],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

527
Vagrant/resources/malcolm/kibana/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json Normal file
View File

@@ -0,0 +1,527 @@
{
"version": "7.10.0",
"objects": [
{
"id": "bb827f8e-639e-468c-93c8-9f5bc132eb8f",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:17:41.430Z",
"version": "WzMyNzUsMV0=",
"attributes": {
"title": "SMTP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"h\":29,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"6\",\"w\":40,\"x\":8,\"y\":23},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":15,\"i\":\"7\",\"w\":20,\"x\":8,\"y\":8},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":41},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":41},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":15,\"i\":\"11\",\"w\":10,\"x\":28,\"y\":8},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"13\",\"w\":13,\"x\":0,\"y\":59},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"14\",\"w\":13,\"x\":13,\"y\":59},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"table\":null},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":18,\"i\":\"16\",\"w\":22,\"x\":26,\"y\":59},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":12,\"i\":\"19\",\"w\":8,\"x\":0,\"y\":29},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"20\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":15,\"i\":\"633e2c8c-ef8e-48b1-b0a4-546a5adff4e4\",\"w\":10,\"x\":38,\"y\":8},\"panelIndex\":\"633e2c8c-ef8e-48b1-b0a4-546a5adff4e4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"},{\"version\":\"7.10.0\",\"gridData\":{\"h\":40,\"i\":\"10319c5c-00bb-41a9-bbab-010e21fd4dfb\",\"w\":48,\"x\":0,\"y\":77},\"panelIndex\":\"10319c5c-00bb-41a9-bbab-010e21fd4dfb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_13\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "815aba5e-16e2-4fa1-ab37-b09c39562fe4"
},
{
"name": "panel_2",
"type": "visualization",
"id": "63a89f9a-274c-4baa-9336-0d7cd6851bb6"
},
{
"name": "panel_3",
"type": "visualization",
"id": "7e16fa6b-1793-4dcd-a19b-ff251bbd0265"
},
{
"name": "panel_4",
"type": "visualization",
"id": "de856f53-42d1-4ffc-8182-5f275cf40006"
},
{
"name": "panel_5",
"type": "visualization",
"id": "45314b56-b8ba-4a89-9cb0-8d2a0e7ebd2e"
},
{
"name": "panel_6",
"type": "visualization",
"id": "77e86ab5-725a-4512-8c05-5250529b4385"
},
{
"name": "panel_7",
"type": "visualization",
"id": "ab85a06b-e513-4c8b-b80b-7283f5f1b066"
},
{
"name": "panel_8",
"type": "visualization",
"id": "ceaa93c5-1a76-469b-b3b3-bf4f9d6315c5"
},
{
"name": "panel_9",
"type": "visualization",
"id": "d622d8f0-64ce-45a6-8d66-9b04ddea2548"
},
{
"name": "panel_10",
"type": "visualization",
"id": "70d51476-219d-4792-b5fd-aee9992e1345"
},
{
"name": "panel_11",
"type": "visualization",
"id": "AWDHDsr0xQT5EBNmq4gw"
},
{
"name": "panel_12",
"type": "visualization",
"id": "38de7940-4dcd-11ea-8336-d3388483188b"
},
{
"name": "panel_13",
"type": "search",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "815aba5e-16e2-4fa1-ab37-b09c39562fe4",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "WzczOCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "63a89f9a-274c-4baa-9336-0d7cd6851bb6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "WzczOSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.subject\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - Subject",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7e16fa6b-1793-4dcd-a19b-ff251bbd0265",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0MCwxXQ==",
"attributes": {
"title": "SMTP - Destination Country",
"visState": "{\"title\":\"SMTP - Destination Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "de856f53-42d1-4ffc-8182-5f275cf40006",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.mailfrom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - \"From\" Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "45314b56-b8ba-4a89-9cb0-8d2a0e7ebd2e",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.rcptto\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - \"To\" Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "77e86ab5-725a-4512-8c05-5250529b4385",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0MywxXQ==",
"attributes": {
"title": "SMTP - TLS",
"visState": "{\"title\":\"SMTP - TLS\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Using TLS\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Using TLS\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ab85a06b-e513-4c8b-b80b-7283f5f1b066",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ceaa93c5-1a76-469b-b3b3-bf4f9d6315c5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d622d8f0-64ce-45a6-8d66-9b04ddea2548",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_smtp.user_agent\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
"description": "",
"title": "SMTP - User Agent",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "70d51476-219d-4792-b5fd-aee9992e1345",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0NywxXQ==",
"attributes": {
"title": "SMTP - Destination Port",
"visState": "{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":5,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHDsr0xQT5EBNmq4gw",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0OCwxXQ==",
"attributes": {
"title": "SMTP - Log Count",
"visState": "{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "38de7940-4dcd-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc0OSwxXQ==",
"attributes": {
"title": "SMTP - Webmail",
"visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Is Webmail\",\"field\":\"zeek_smtp.is_webmail\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Unknown\",\"otherBucketLabel\":\"Other\"}},\"label\":\"Using TLS\",\"params\":{}}],\"metric\":{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":true,\"truncate\":100,\"values\":false},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"SMTP - Webmail\",\"type\":\"pie\"}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c999cb1b-03c8-446e-92ea-addad33ac1ff",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:55.450Z",
"version": "Wzc1MCwxXQ==",
"attributes": {
"title": "SMTP - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_smtp.x_originating_ip",
"srcIp",
"dstIp",
"dstPort",
"zeek_smtp.mailfrom",
"zeek_smtp.user_agent",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:smtp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

322
Vagrant/resources/malcolm/kibana/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json Normal file
View File

@@ -0,0 +1,322 @@
{
"version": "7.10.0",
"objects": [
{
"id": "bed185a0-ef82-11e9-b38a-2db3ee640e88",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:47:53.333Z",
"version": "WzM2MjYsMV0=",
"attributes": {
"title": "Tabular Data Stream",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":34,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":30,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":34},\"panelIndex\":\"2\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"3\",\"w\":7,\"x\":8,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"4\",\"w\":33,\"x\":15,\"y\":0},\"panelIndex\":\"4\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"5\",\"w\":17,\"x\":8,\"y\":14},\"panelIndex\":\"5\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":20,\"i\":\"6\",\"w\":11,\"x\":25,\"y\":14},\"panelIndex\":\"6\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"7\",\"w\":12,\"x\":36,\"y\":14},\"panelIndex\":\"7\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "search",
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_2",
"type": "visualization",
"id": "13841bd0-ef83-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_3",
"type": "visualization",
"id": "402fcee0-ef83-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_4",
"type": "visualization",
"id": "760cdee0-ef83-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_5",
"type": "visualization",
"id": "c4c0bda0-ef87-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_6",
"type": "visualization",
"id": "049512a0-ef88-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1MywxXQ==",
"attributes": {
"title": "Tabular Data Stream - All Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek.logType",
"zeek_tds.command",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "13841bd0-ef83-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1NCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - Log Count",
"visState": "{\"title\":\"Tabular Data Stream - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "402fcee0-ef83-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1NSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - Log Count Over Time",
"visState": "{\"title\":\"Tabular Data Stream - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "760cdee0-ef83-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:47:21.220Z",
"version": "WzM2MTAsMV0=",
"attributes": {
"title": "Tabular Data Stream - Command",
"visState": "{\"title\":\"Tabular Data Stream - Command\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_tds.command\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Command\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "2f0626b0-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c4c0bda0-ef87-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1NywxXQ==",
"attributes": {
"title": "Tabular Data Stream - Source IP",
"visState": "{\"title\":\"Tabular Data Stream - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "049512a0-ef88-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1OCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - Destination IP",
"visState": "{\"title\":\"Tabular Data Stream - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "4fb01ec0-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2f0626b0-ef82-11e9-b38a-2db3ee640e88",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:56.463Z",
"version": "Wzc1OSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_tds.command",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

354
Vagrant/resources/malcolm/kibana/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json Normal file
View File

@@ -0,0 +1,354 @@
{
"version": "7.10.0",
"objects": [
{
"id": "bf5efbb0-60f1-11eb-9d60-dbf0411cfc48",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU3NiwxXQ==",
"attributes": {
"title": "TFTP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"a8112d00-f850-4023-81e8-79ba5d5b4098\"},\"panelIndex\":\"a8112d00-f850-4023-81e8-79ba5d5b4098\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"9c14f85e-f1bb-408e-b926-fbaccf6888b0\"},\"panelIndex\":\"9c14f85e-f1bb-408e-b926-fbaccf6888b0\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":10,\"w\":15,\"h\":18,\"i\":\"1d98f088-4985-4fe0-a97f-09fe988e99a2\"},\"panelIndex\":\"1d98f088-4985-4fe0-a97f-09fe988e99a2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":23,\"y\":10,\"w\":12,\"h\":18,\"i\":\"c2928421-bced-4bc1-81b5-fcc3c9146f6d\"},\"panelIndex\":\"c2928421-bced-4bc1-81b5-fcc3c9146f6d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":35,\"y\":10,\"w\":13,\"h\":18,\"i\":\"b004c83d-302d-46dc-988b-9b6efa34117b\"},\"panelIndex\":\"b004c83d-302d-46dc-988b-9b6efa34117b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":20,\"h\":16,\"i\":\"11cd23eb-0863-4dd5-b8ca-5b617e957358\"},\"panelIndex\":\"11cd23eb-0863-4dd5-b8ca-5b617e957358\",\"embeddableConfig\":{\"legendOpen\":true,\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":20,\"y\":28,\"w\":28,\"h\":16,\"i\":\"7b74766e-9cf7-493d-b385-b7ffb6738c61\"},\"panelIndex\":\"7b74766e-9cf7-493d-b385-b7ffb6738c61\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":24,\"i\":\"82d6937c-b2a7-47e8-bb82-376b20125797\"},\"panelIndex\":\"82d6937c-b2a7-47e8-bb82-376b20125797\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "040c28f0-60f2-11eb-9d60-dbf0411cfc48"
},
{
"name": "panel_2",
"type": "visualization",
"id": "7933c480-60f2-11eb-9d60-dbf0411cfc48"
},
{
"name": "panel_3",
"type": "visualization",
"id": "44d83b00-66fe-11eb-90a4-cf1e1f7032b6"
},
{
"name": "panel_4",
"type": "visualization",
"id": "f9fe5ac0-66fc-11eb-90a4-cf1e1f7032b6"
},
{
"name": "panel_5",
"type": "visualization",
"id": "32ddd550-66fd-11eb-90a4-cf1e1f7032b6"
},
{
"name": "panel_6",
"type": "visualization",
"id": "6426d3b0-66fc-11eb-90a4-cf1e1f7032b6"
},
{
"name": "panel_7",
"type": "visualization",
"id": "0a99a5a0-66fe-11eb-90a4-cf1e1f7032b6"
},
{
"name": "panel_8",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:25:07.132Z",
"version": "WzY5MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "040c28f0-60f2-11eb-9d60-dbf0411cfc48",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU3OCwxXQ==",
"attributes": {
"title": "TFTP - Log Count",
"visState": "{\"title\":\"TFTP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "7933c480-60f2-11eb-9d60-dbf0411cfc48",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU3OSwxXQ==",
"attributes": {
"title": "TFTP - Log Count Over Time",
"visState": "{\"title\":\"TFTP - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1996-02-04T15:21:21.768Z\",\"max\":\"2021-02-04T15:21:21.768Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "44d83b00-66fe-11eb-90a4-cf1e1f7032b6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4MCwxXQ==",
"attributes": {
"title": "TFTP - Filename",
"visState": "{\"title\":\"TFTP - Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.filename\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f9fe5ac0-66fc-11eb-90a4-cf1e1f7032b6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4MSwxXQ==",
"attributes": {
"title": "TFTP - Source IP",
"visState": "{\"title\":\"TFTP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"srcPort: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "32ddd550-66fd-11eb-90a4-cf1e1f7032b6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4MiwxXQ==",
"attributes": {
"title": "TFTP - Destination IP",
"visState": "{\"title\":\"TFTP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "6426d3b0-66fc-11eb-90a4-cf1e1f7032b6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4MywxXQ==",
"attributes": {
"title": "TFTP - Transfer Mode",
"visState": "{\"title\":\"TFTP - Transfer Mode\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Transfer Mode\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tftp.mode\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transfer Mode\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0a99a5a0-66fe-11eb-90a4-cf1e1f7032b6",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4NCwxXQ==",
"attributes": {
"title": "TFTP - Operation Results",
"visState": "{\"title\":\"TFTP - Operation Results\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Operation\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.result: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a0db8d20-60f1-11eb-9d60-dbf0411cfc48",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-15T14:24:54.745Z",
"version": "WzU4NSwxXQ==",
"attributes": {
"title": "TFTP - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.orig_h",
"zeek.orig_p",
"zeek.resp_h",
"zeek.resp_p",
"zeek_tftp.mode",
"zeek.filename",
"zeek.action",
"zeek.result",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:tftp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

318
Vagrant/resources/malcolm/kibana/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json Normal file
View File

@@ -0,0 +1,318 @@
{
"version": "7.10.0",
"objects": [
{
"id": "c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T19:01:48.690Z",
"version": "WzM3MzksMV0=",
"attributes": {
"title": "Telnet, rlogin and rsh",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":35,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":6,\"h\":17,\"i\":\"2a22ad3e-f362-43ed-b872-8258027ab5b1\"},\"panelIndex\":\"2a22ad3e-f362-43ed-b872-8258027ab5b1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":17,\"i\":\"e6df9cb1-b460-4456-b01e-c0ea00c3c9db\"},\"panelIndex\":\"e6df9cb1-b460-4456-b01e-c0ea00c3c9db\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":17,\"i\":\"276fcffb-3696-42cc-8473-9888550c72ff\"},\"panelIndex\":\"276fcffb-3696-42cc-8473-9888550c72ff\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":17,\"w\":13,\"h\":18,\"i\":\"c95b537e-3a4f-4566-b5f7-45597b4dbbe0\"},\"panelIndex\":\"c95b537e-3a4f-4566-b5f7-45597b4dbbe0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":21,\"y\":17,\"w\":12,\"h\":18,\"i\":\"c4466e36-891c-4f73-bbc0-e0bd05e95b3d\"},\"panelIndex\":\"c4466e36-891c-4f73-bbc0-e0bd05e95b3d\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":33,\"y\":17,\"w\":15,\"h\":18,\"i\":\"43a6f1d1-fe78-441a-b6e4-3bb63028afb3\"},\"panelIndex\":\"43a6f1d1-fe78-441a-b6e4-3bb63028afb3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":35,\"w\":48,\"h\":33,\"i\":\"05b94a99-4088-4692-acc3-1641141e2b4a\"},\"panelIndex\":\"05b94a99-4088-4692-acc3-1641141e2b4a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "5437b970-7f2f-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_2",
"type": "visualization",
"id": "81cf5db0-7f30-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_3",
"type": "visualization",
"id": "0a03a430-7f30-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_4",
"type": "visualization",
"id": "b277eb70-7f31-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_5",
"type": "visualization",
"id": "513b13e0-7f32-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_6",
"type": "visualization",
"id": "16f63260-7f31-11ea-9f8a-1fe1327e2cd2"
},
{
"name": "panel_7",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5437b970-7f2f-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc2NywxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Log Count",
"visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "81cf5db0-7f30-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc2OCwxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Login Success",
"visState": "{\"title\":\"Telnet, rlogin and rsh - Login Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Login Succeeded\",\"aggType\":\"terms\"}],\"splitColumn\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]},\"row\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_login.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Login Succeeded\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0a03a430-7f30-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc2OSwxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Log Count Over Time",
"visState": "{\"title\":\"Telnet, rlogin and rsh - Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD\"}},\"params\":{\"date\":true,\"interval\":\"P30D\",\"intervalESValue\":30,\"intervalESUnit\":\"d\",\"format\":\"YYYY-MM-DD\",\"bounds\":{\"min\":\"1995-04-15T15:43:18.959Z\",\"max\":\"2020-04-15T15:43:18.959Z\"}},\"label\":\"firstPacket per 30 days\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.service: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b277eb70-7f31-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc3MCwxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Login Attempts with Cleartext Passwords",
"visState": "{\"title\":\"Telnet, rlogin and rsh - Login Attempts with Cleartext Passwords\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"User\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Succeeded\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":99,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"User\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_login.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Success\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.password:*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "513b13e0-7f32-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc3MSwxXQ==",
"attributes": {
"title": "Telnet, rsh and rlogin - Source",
"visState": "{\"title\":\"Telnet, rsh and rlogin - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "16f63260-7f31-11ea-9f8a-1fe1327e2cd2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc3MiwxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Destination",
"visState": "{\"title\":\"Telnet, rlogin and rsh - Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Protocol\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.service\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Protocol\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination IP\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "496bdbd0-7f2e-11ea-9f8a-1fe1327e2cd2",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:58.738Z",
"version": "Wzc3MywxXQ==",
"attributes": {
"title": "Telnet, rlogin and rsh - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.service",
"srcIp",
"dstIp",
"dstPort",
"user",
"zeek_login.client_user",
"zeek_login.success",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:login\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

481
Vagrant/resources/malcolm/kibana/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json Normal file
View File

@@ -0,0 +1,481 @@
{
"version": "7.10.0",
"objects": [
{
"id": "ca5799a0-56b5-11eb-b749-576de068f8ad",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc3NCwxXQ==",
"attributes": {
"title": "BSAP",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":24,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"214f20ea-4d19-4fb5-8c62-7c0e4f466592\",\"w\":7,\"x\":8,\"y\":0},\"panelIndex\":\"214f20ea-4d19-4fb5-8c62-7c0e4f466592\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"5b187be7-f7e6-4a58-ba74-ec912fa49607\",\"w\":33,\"x\":15,\"y\":0},\"panelIndex\":\"5b187be7-f7e6-4a58-ba74-ec912fa49607\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"6cc8de49-0ec8-4bc7-8c27-a13ac5e902cf\",\"w\":13,\"x\":8,\"y\":20},\"panelIndex\":\"6cc8de49-0ec8-4bc7-8c27-a13ac5e902cf\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"9d5e30e6-cabf-47d6-bc1b-513bc11eb63e\",\"w\":14,\"x\":34,\"y\":20},\"panelIndex\":\"9d5e30e6-cabf-47d6-bc1b-513bc11eb63e\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":14,\"i\":\"5052470e-daa5-4f3f-b73a-b5064516c094\",\"w\":8,\"x\":0,\"y\":24},\"panelIndex\":\"5052470e-daa5-4f3f-b73a-b5064516c094\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"ec677134-ad66-4a53-ac6a-493eb295a137\",\"w\":18,\"x\":0,\"y\":38},\"panelIndex\":\"ec677134-ad66-4a53-ac6a-493eb295a137\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"e5af6ed5-8b63-4aba-8640-574acda591eb\",\"w\":30,\"x\":18,\"y\":38},\"panelIndex\":\"e5af6ed5-8b63-4aba-8640-574acda591eb\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"23809e02-25b4-41e3-80ee-b1ce57d9d931\",\"w\":48,\"x\":0,\"y\":56},\"panelIndex\":\"23809e02-25b4-41e3-80ee-b1ce57d9d931\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"1a7bc55a-7421-45c2-ab4a-2fdae0277b45\",\"w\":48,\"x\":0,\"y\":77},\"panelIndex\":\"1a7bc55a-7421-45c2-ab4a-2fdae0277b45\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"fa98d925-9416-4cc7-bd99-82d9d827493b\",\"w\":13,\"x\":21,\"y\":20},\"panelIndex\":\"fa98d925-9416-4cc7-bd99-82d9d827493b\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_10\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "37496460-56b8-11eb-b749-576de068f8ad"
},
{
"name": "panel_2",
"type": "visualization",
"id": "af42dd40-56bb-11eb-b749-576de068f8ad"
},
{
"name": "panel_3",
"type": "visualization",
"id": "5fff2850-56bc-11eb-b749-576de068f8ad"
},
{
"name": "panel_4",
"type": "visualization",
"id": "f2f59d90-56be-11eb-b749-576de068f8ad"
},
{
"name": "panel_5",
"type": "visualization",
"id": "ee0266e0-56bb-11eb-b749-576de068f8ad"
},
{
"name": "panel_6",
"type": "visualization",
"id": "90f88dd0-56c0-11eb-b749-576de068f8ad"
},
{
"name": "panel_7",
"type": "visualization",
"id": "49dcaa80-56c0-11eb-b749-576de068f8ad"
},
{
"name": "panel_8",
"type": "search",
"id": "8c28de50-56b5-11eb-b749-576de068f8ad"
},
{
"name": "panel_9",
"type": "search",
"id": "fd575aa0-56b2-11eb-b749-576de068f8ad"
},
{
"name": "panel_10",
"type": "visualization",
"id": "a9a0f330-56bc-11eb-b749-576de068f8ad"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "37496460-56b8-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc3NiwxXQ==",
"attributes": {
"title": "BSAP - Log Count",
"visState": "{\"title\":\"BSAP - Log Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"number\",\"params\":{}}}],\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}}}},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "af42dd40-56bb-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc3NywxXQ==",
"attributes": {
"title": "BSAP - Logs Over Time",
"visState": "{\"title\":\"BSAP - Logs Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT3H\",\"intervalESValue\":3,\"intervalESUnit\":\"h\",\"format\":\"YYYY-MM-DD HH:mm\",\"bounds\":{\"min\":\"2020-07-21T04:54:40.645Z\",\"max\":\"2020-07-27T11:08:08.319Z\"}},\"label\":\"firstPacket per 3 hours\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.logType: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2020-07-21T04:54:40.645Z\",\"to\":\"2020-07-27T11:08:08.319Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5fff2850-56bc-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc3OCwxXQ==",
"attributes": {
"title": "BSAP - Source IP",
"visState": "{\"title\":\"BSAP - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source Port\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.orig_h\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.orig_p\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "f2f59d90-56be-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc3OSwxXQ==",
"attributes": {
"title": "BSAP IP - Function",
"visState": "{\"title\":\"BSAP IP - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_bsap_ip_rdb.func_code: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_ip_rdb.app_func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Application Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_ip_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subfunction\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8c28de50-56b5-11eb-b749-576de068f8ad"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ee0266e0-56bb-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4MCwxXQ==",
"attributes": {
"title": "BSAP - Transport",
"visState": "{\"title\":\"BSAP - Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.proto: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.proto\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "90f88dd0-56c0-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4MSwxXQ==",
"attributes": {
"title": "BSAP Serial - RDB Function",
"visState": "{\"title\":\"BSAP Serial - RDB Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_bsap_serial_rdb.func_code: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_rdb.func_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"RDB Function\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "fd575aa0-56b2-11eb-b749-576de068f8ad"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "49dcaa80-56c0-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4MiwxXQ==",
"attributes": {
"title": "BSAP Serial - Function",
"visState": "{\"title\":\"BSAP Serial - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Destination Function\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.type_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Message Type\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.sfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Source Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.dfun\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Function\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_bsap_serial_header.nsb\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Node Status\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "fd575aa0-56b2-11eb-b749-576de068f8ad"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8c28de50-56b5-11eb-b749-576de068f8ad",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4MywxXQ==",
"attributes": {
"title": "BSAP IP - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.orig_h",
"zeek.resp_h",
"zeek_bsap_ip_rdb.app_func_code",
"zeek_bsap_ip_rdb.func_code",
"zeek_bsap_ip_rdb.node_status",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"zeek.logType:bsap_ip_*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "fd575aa0-56b2-11eb-b749-576de068f8ad",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4NCwxXQ==",
"attributes": {
"title": "BSAP Serial - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.orig_h",
"zeek.resp_h",
"zeek_bsap_serial_header.type_name",
"zeek_bsap_serial_header.sfun",
"zeek_bsap_serial_header.dfun",
"zeek_bsap_serial_rdb.func_code",
"zeek_bsap_serial_header.nsb",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:bsap_serial_*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "a9a0f330-56bc-11eb-b749-576de068f8ad",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4NSwxXQ==",
"attributes": {
"title": "BSAP - Destination IP",
"visState": "{\"title\":\"BSAP - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek.resp_p: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_h\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":500,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.resp_p\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek.logType:bsap*header\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c97bc964-5319-41e7-ad22-db28156a2ac1",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:24:59.492Z",
"version": "Wzc4NiwxXQ==",
"attributes": {
"title": "All Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.logType",
"zeek.service",
"zeek.action",
"zeek.result",
"srcIp",
"dstIp",
"dstPort",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:*\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

493
Vagrant/resources/malcolm/kibana/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json Normal file
View File

@@ -0,0 +1,493 @@
{
"version": "7.10.0",
"objects": [
{
"id": "caef3ade-d289-4d05-a511-149f3e97f238",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:33:44.355Z",
"version": "WzM0MzgsMV0=",
"attributes": {
"title": "SSH",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":26,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":9,\"h\":18,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":9,\"y\":26,\"w\":11,\"h\":18,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":22,\"h\":18,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"table\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":27,\"y\":8,\"w\":21,\"h\":18,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":19,\"h\":18,\"i\":\"1becdc6f-a3f4-46f7-b5b0-72a67a679e0f\"},\"panelIndex\":\"1becdc6f-a3f4-46f7-b5b0-72a67a679e0f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":20,\"y\":26,\"w\":14,\"h\":18,\"i\":\"68d1576b-a947-46f9-a99d-b951a09a95c7\"},\"panelIndex\":\"68d1576b-a947-46f9-a99d-b951a09a95c7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":35,\"y\":44,\"w\":13,\"h\":18,\"i\":\"26424c79-7bf6-45f0-bf5c-ca687818490b\"},\"panelIndex\":\"26424c79-7bf6-45f0-bf5c-ca687818490b\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":22,\"y\":44,\"w\":13,\"h\":18,\"i\":\"db42e16c-0961-4dda-a58a-dd44b5197bcf\"},\"panelIndex\":\"db42e16c-0961-4dda-a58a-dd44b5197bcf\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":34,\"y\":26,\"w\":14,\"h\":18,\"i\":\"4a419bd4-4f84-446b-b269-1f6f1c2c27fe\"},\"panelIndex\":\"4a419bd4-4f84-446b-b269-1f6f1c2c27fe\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":62,\"w\":48,\"h\":36,\"i\":\"4afc3dad-4ba2-4e21-9f31-87453145b668\"},\"panelIndex\":\"4afc3dad-4ba2-4e21-9f31-87453145b668\",\"embeddableConfig\":{},\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "14e6c4af-72c5-4ce3-94fc-0cb1d501af96"
},
{
"name": "panel_2",
"type": "visualization",
"id": "17a08d5e-7ee7-43ed-b7f4-eaed153bdb7d"
},
{
"name": "panel_3",
"type": "visualization",
"id": "71ef0954-81c5-4953-b455-f996b21e8f08"
},
{
"name": "panel_4",
"type": "visualization",
"id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35"
},
{
"name": "panel_5",
"type": "visualization",
"id": "AWDHEYk4xQT5EBNmq4k5"
},
{
"name": "panel_6",
"type": "visualization",
"id": "35ca43f9-14cc-4266-8a55-25f859530ba2"
},
{
"name": "panel_7",
"type": "visualization",
"id": "eba2e900-4dd0-11ea-8336-d3388483188b"
},
{
"name": "panel_8",
"type": "visualization",
"id": "baa06220-4dd4-11ea-8336-d3388483188b"
},
{
"name": "panel_9",
"type": "visualization",
"id": "562d3ec0-4dd5-11ea-8336-d3388483188b"
},
{
"name": "panel_10",
"type": "visualization",
"id": "3760b940-4dd5-11ea-8336-d3388483188b"
},
{
"name": "panel_11",
"type": "visualization",
"id": "90422180-4dd4-11ea-8336-d3388483188b"
},
{
"name": "panel_12",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "14e6c4af-72c5-4ce3-94fc-0cb1d501af96",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc4OSwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSH - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "SSH - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "17a08d5e-7ee7-43ed-b7f4-eaed153bdb7d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "SSH - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "71ef0954-81c5-4953-b455-f996b21e8f08",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:27:49.060Z",
"version": "WzM0MDEsMV0=",
"attributes": {
"title": "SSH - Destination IP Address",
"visState": "{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\"}}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4d7cb8d4-9f67-4469-b3f5-74d6fb942d35",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5MywxXQ==",
"attributes": {
"visState": "{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.client\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}",
"description": "",
"title": "SSH - Client/Server",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHEYk4xQT5EBNmq4k5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5NCwxXQ==",
"attributes": {
"title": "SSH - Log Count",
"visState": "{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "35ca43f9-14cc-4266-8a55-25f859530ba2",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5NSwxXQ==",
"attributes": {
"title": "SSH -Server",
"visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.server\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "eba2e900-4dd0-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:25:38.325Z",
"version": "WzMzNzYsMV0=",
"attributes": {
"title": "SSH - Version",
"visState": "{\"title\":\"SSH - Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_ssh.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"SSH Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":false,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"SSH Version\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "baa06220-4dd4-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5NywxXQ==",
"attributes": {
"title": "SSH - Client Algorithms",
"visState": "{\"title\":\"SSH - Client Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by Server\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Client\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "562d3ec0-4dd5-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "WzgwMCwxXQ==",
"attributes": {
"title": "SSH - HASSH Server Hash",
"visState": "{\"title\":\"SSH - HASSH Server Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServer\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Server Hash\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "3760b940-4dd5-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5OSwxXQ==",
"attributes": {
"title": "SSH - HASSH Client Hash",
"visState": "{\"title\":\"SSH - HASSH Client Hash\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"HASSH Client Hash\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hassh\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HASSH Client Hash\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "90422180-4dd4-11ea-8336-d3388483188b",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "Wzc5OCwxXQ==",
"attributes": {
"title": "SSH - Server Algorithms",
"visState": "{\"title\":\"SSH - Server Algorithms\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Algorithms Offered by Client\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_ssh.hasshServerAlgorithms\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Algorithms Offered by Server\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "88a40703-9791-4f96-bc06-992f96c9b350"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "88a40703-9791-4f96-bc06-992f96c9b350",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:00.506Z",
"version": "WzgwMSwxXQ==",
"attributes": {
"title": "SSH - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_ssh.auth_success",
"zeek_ssh.sshka",
"zeek_ssh.cipher_alg",
"zeek_ssh.mac_alg",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:ssh\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "d41fe630-3f98-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:01.513Z",
"version": "WzgwMiwxXQ==",
"attributes": {
"title": "Connections - Source - Originator Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"aa2d7102-11ce-426c-9979-82d5bd6d6d3b\"},\"panelIndex\":\"aa2d7102-11ce-426c-9979-82d5bd6d6d3b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"8519445c-b38a-4d86-bff3-e42b2b231ca4\"},\"panelIndex\":\"8519445c-b38a-4d86-bff3-e42b2b231ca4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "89122c10-3f94-11e9-a58e-8bdedb0915e8"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "89122c10-3f94-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:01.513Z",
"version": "WzgwNCwxXQ==",
"attributes": {
"title": "Connections - Source - Originator Bytes (region map)",
"visState": "{\"title\":\"Connections - Source - Originator Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":10,\"attribution\":\"<a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\"}},\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Originator Bytes\",\"aggType\":\"cardinality\"},\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Originator Country\",\"aggType\":\"terms\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.orig_bytes\",\"customLabel\":\"Originator Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[37.73168660636539,16.171875000000004],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "d4fd6afd-15cb-42bf-8a25-03dd8e59b327",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:02.530Z",
"version": "WzgwOCwxXQ==",
"attributes": {
"title": "Connections - Destination - Responder Bytes",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"d4b659f9-f6be-441e-a6c4-ea4acab7619d\"},\"panelIndex\":\"d4b659f9-f6be-441e-a6c4-ea4acab7619d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"a23bbf3d-6744-4dc7-a46a-50f450b6bff4\"},\"panelIndex\":\"a23bbf3d-6744-4dc7-a46a-50f450b6bff4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "ba8e479e-49b0-427e-a919-72aa774cedba"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ba8e479e-49b0-427e-a919-72aa774cedba",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:02.530Z",
"version": "WzgxMCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Destination - Responder Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Destination - Responder Bytes",
"uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "e09a4b86-29b5-4256-bb3b-802ac9f90404",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:03.541Z",
"version": "WzgxNCwxXQ==",
"attributes": {
"title": "Connections - Source - Top Connection Duration",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"03359f20-178f-4878-b423-ec2b347e5d9a\"},\"panelIndex\":\"03359f20-178f-4878-b423-ec2b347e5d9a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"e854052a-b93b-4de5-8ae3-46cef99a54ce\"},\"panelIndex\":\"e854052a-b93b-4de5-8ae3-46cef99a54ce\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "66e7f9d4-2a90-4708-b313-ca1cc2dbd89f"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "66e7f9d4-2a90-4708-b313-ca1cc2dbd89f",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:03.541Z",
"version": "WzgxNiwxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Source - Top Connection Duration\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Source - Top Connection Duration",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

478
Vagrant/resources/malcolm/kibana/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json Normal file
View File

@@ -0,0 +1,478 @@
{
"version": "7.10.0",
"objects": [
{
"id": "e76d05c0-eb9f-11e9-a384-0fcf32210194",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyMCwxXQ==",
"attributes": {
"title": "S7comm",
"hits": 0,
"description": "",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":51,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":34,\"w\":20,\"h\":17,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":20,\"h\":17,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":14,\"w\":20,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "24c75a10-eba0-11e9-a384-0fcf32210194"
},
{
"name": "panel_2",
"type": "visualization",
"id": "455369e0-eba0-11e9-a384-0fcf32210194"
},
{
"name": "panel_3",
"type": "visualization",
"id": "739fdf30-eba1-11e9-a384-0fcf32210194"
},
{
"name": "panel_4",
"type": "visualization",
"id": "32d94580-eba2-11e9-a384-0fcf32210194"
},
{
"name": "panel_5",
"type": "visualization",
"id": "0b553f40-eba8-11e9-a384-0fcf32210194"
},
{
"name": "panel_6",
"type": "visualization",
"id": "2b801c40-eba8-11e9-a384-0fcf32210194"
},
{
"name": "panel_7",
"type": "visualization",
"id": "a5ed7c10-eeb0-11e9-bdef-65a192b7f586"
},
{
"name": "panel_8",
"type": "visualization",
"id": "bb650520-eeb2-11e9-bdef-65a192b7f586"
},
{
"name": "panel_9",
"type": "search",
"id": "484253d0-eb9d-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "24c75a10-eba0-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyMiwxXQ==",
"attributes": {
"title": "S7comm - Log Count",
"visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "455369e0-eba0-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyMywxXQ==",
"attributes": {
"title": "S7comm - Logs Over Time",
"visState": "{\"title\":\"S7comm - Logs Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.logType\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"zeek.logType\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"zeek.logType\":\"s7comm\"}},{\"match_phrase\":{\"zeek.logType\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "739fdf30-eba1-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyNCwxXQ==",
"attributes": {
"title": "S7comm - Message Type",
"visState": "{\"title\":\"S7comm - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "484253d0-eb9d-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "32d94580-eba2-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyNSwxXQ==",
"attributes": {
"title": "COTP - PDU Type",
"visState": "{\"title\":\"COTP - PDU Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_iso_cotp.pdu_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"PDU Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "9a78c670-eb9d-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0b553f40-eba8-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyNiwxXQ==",
"attributes": {
"title": "S7comm - Source IP",
"visState": "{\"title\":\"S7comm - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "81417210-eba2-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "2b801c40-eba8-11e9-a384-0fcf32210194",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyNywxXQ==",
"attributes": {
"title": "S7comm - Destination IP",
"visState": "{\"title\":\"S7comm - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "81417210-eba2-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "a5ed7c10-eeb0-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyOCwxXQ==",
"attributes": {
"title": "S7comm - User Data",
"visState": "{\"title\":\"S7comm - User Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.group\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Group\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.mode\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Mode\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.sub\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub Parameter\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"zeek_s7comm.rosctr:\\\"User Data\\\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "484253d0-eb9d-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "bb650520-eeb2-11e9-bdef-65a192b7f586",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgyOSwxXQ==",
"attributes": {
"title": "S7comm - Job Request and Acknowledgement",
"visState": "{\"title\":\"S7comm - Job Request and Acknowledgement\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.rosctr\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.class\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Class\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_s7comm.parameters.code\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Code\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"zeek_s7comm.rosctr:(\\\"Acknowledge Data\\\" OR \\\"Job\\\")\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "484253d0-eb9d-11e9-a384-0fcf32210194"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "484253d0-eb9d-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgzMCwxXQ==",
"attributes": {
"title": "S7comm - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_s7comm.rosctr",
"zeek_s7comm.parameter",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"zeek.logType:s7comm\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "9a78c670-eb9d-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgzMSwxXQ==",
"attributes": {
"title": "Connection-Oriented Transport Protocol - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"zeek.orig_p",
"dstIp",
"zeek.resp_p",
"zeek_iso_cotp.pdu_type",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:iso_cotp\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "81417210-eba2-11e9-a384-0fcf32210194",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:04.558Z",
"version": "WzgzMiwxXQ==",
"attributes": {
"title": "S7comm and Related - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"zeek_iso_cotp.pdu_type",
"zeek_s7comm.parameter",
"zeek_s7comm.data_info",
"zeek_s7comm.rosctr",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"zeek.logType:(iso_cotp OR s7comm)\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

138
Vagrant/resources/malcolm/kibana/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json Normal file
View File

@@ -0,0 +1,138 @@
{
"version": "7.10.0",
"objects": [
{
"id": "ed8a6640-3f98-11e9-a58e-8bdedb0915e8",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:05.562Z",
"version": "WzgzMywxXQ==",
"attributes": {
"title": "Connections - Source - Responder Bytes (region map)",
"hits": 0,
"description": "",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":44,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":40,\"i\":\"3\"},\"version\":\"7.6.2\",\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[0,0],\"mapZoom\":3},\"panelRefName\":\"panel_1\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "18420e50-3f95-11e9-a58e-8bdedb0915e8"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "18420e50-3f95-11e9-a58e-8bdedb0915e8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:05.562Z",
"version": "WzgzNSwxXQ==",
"attributes": {
"title": "Connections - Source - Responder Bytes (region map)",
"visState": "{\"title\":\"Connections - Source - Responder Bytes (region map)\",\"type\":\"region_map\",\"params\":{\"addTooltip\":true,\"colorSchema\":\"Green to Red\",\"emsHotLink\":null,\"isDisplayWarning\":false,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":3,\"outlineWeight\":1,\"selectedJoinField\":{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},\"selectedLayer\":{\"attribution\":\"https://exploratory.io/maps\",\"fields\":[{\"description\":\"Country Code\",\"name\":\"ISO_A2\"},{\"description\":\"Country Code2\",\"name\":\"WB_A2\"},{\"description\":\"Country Name\",\"name\":\"NAME\"}],\"format\":{\"type\":\"geojson\"},\"isEMS\":false,\"layerId\":\"self_hosted.World (offline)\",\"meta\":{\"feature_collection_path\":\"data\"},\"name\":\"World (offline)\",\"url\":\"/world.geojson\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"zeek_conn.resp_bytes\",\"customLabel\":\"Responder Bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"srcGEO\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Originator Country\"}}]}",
"uiStateJSON": "{\"mapCenter\":[0,0],\"mapZoom\":3}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

491
Vagrant/resources/malcolm/kibana/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json Normal file
View File

@@ -0,0 +1,491 @@
{
"version": "7.10.0",
"objects": [
{
"id": "f1f09567-fc7f-450b-a341-19d2f2bb468b",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "WzgzNywxXQ==",
"attributes": {
"title": "Notices",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"h\":11,\"i\":\"4\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"4\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":30,\"i\":\"5\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":13,\"x\":0,\"y\":30},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"8\",\"w\":13,\"x\":13,\"y\":30},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"11\",\"w\":17,\"x\":8,\"y\":11},\"panelIndex\":\"11\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"12\",\"w\":24,\"x\":24,\"y\":67},\"panelIndex\":\"12\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":67},\"panelIndex\":\"13\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"14\",\"w\":11,\"x\":25,\"y\":11},\"panelIndex\":\"14\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":18,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":49},\"panelIndex\":\"15\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":11,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":24,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":86},\"panelIndex\":\"17\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"18\",\"w\":22,\"x\":26,\"y\":30},\"panelIndex\":\"18\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"},{\"version\":\"7.6.2\",\"gridData\":{\"h\":19,\"i\":\"19\",\"w\":12,\"x\":36,\"y\":11},\"panelIndex\":\"19\",\"embeddableConfig\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "0455b814-9b8e-4895-985d-c0d484bb025c"
},
{
"name": "panel_1",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_2",
"type": "visualization",
"id": "abb2c718-e1f5-4b59-9c3d-54082ee3a407"
},
{
"name": "panel_3",
"type": "visualization",
"id": "af961658-7f3d-4f88-b35f-76d1b6f49002"
},
{
"name": "panel_4",
"type": "visualization",
"id": "519823ff-ee5b-4051-9dd5-0467e595ab25"
},
{
"name": "panel_5",
"type": "visualization",
"id": "8f4a6c67-6833-4c53-b874-4341df5f181d"
},
{
"name": "panel_6",
"type": "visualization",
"id": "47adad3a-a0d2-46eb-a957-1886abd4472d"
},
{
"name": "panel_7",
"type": "visualization",
"id": "8a911a83-3962-44b8-be39-b54532f51b46"
},
{
"name": "panel_8",
"type": "visualization",
"id": "8da041f0-ea80-4841-aabc-ae32c40f20c5"
},
{
"name": "panel_9",
"type": "visualization",
"id": "AWDG1uC-xQT5EBNmq3dP"
},
{
"name": "panel_10",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
},
{
"name": "panel_11",
"type": "visualization",
"id": "cd33ef1d-d5b8-43aa-8ae1-2534f0b79759"
},
{
"name": "panel_12",
"type": "visualization",
"id": "559cf002-6086-4655-908e-d1f757cd58a9"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "0455b814-9b8e-4895-985d-c0d484bb025c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "WzgzOCwxXQ==",
"attributes": {
"title": "Notices - Log Count Over Time",
"visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"stacked\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"type\":\"line\",\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm:ss\"}},\"params\":{\"date\":true,\"interval\":\"PT1S\",\"intervalESValue\":1,\"intervalESUnit\":\"s\",\"format\":\"HH:mm:ss\",\"bounds\":{\"min\":\"2017-04-16T17:22:12.510Z\",\"max\":\"2017-04-16T17:23:40.195Z\"}},\"label\":\"firstPacket per second\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"2017-04-16T17:22:12.510Z\",\"to\":\"2017-04-16T17:23:40.195Z\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "abb2c718-e1f5-4b59-9c3d-54082ee3a407",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0MCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Notices - Source IP Addresses",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "af961658-7f3d-4f88-b35f-76d1b6f49002",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0MSwxXQ==",
"attributes": {
"visState": "{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "Notices - Destination IP Addresses",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "519823ff-ee5b-4051-9dd5-0467e595ab25",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0MiwxXQ==",
"attributes": {
"title": "Notices - Notice Type",
"visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8f4a6c67-6833-4c53-b874-4341df5f181d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0MywxXQ==",
"attributes": {
"visState": "{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_mime_type\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}",
"description": "",
"title": "Notices - File MIME Type",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "47adad3a-a0d2-46eb-a957-1886abd4472d",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.file_desc\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}",
"description": "",
"title": "Notices - File Description",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8a911a83-3962-44b8-be39-b54532f51b46",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0NSwxXQ==",
"attributes": {
"title": "Notice - Destination Port",
"visState": "{\"title\":\"Notice - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Port\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dstPort\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8da041f0-ea80-4841-aabc-ae32c40f20c5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0NiwxXQ==",
"attributes": {
"title": "Notice - Message Details",
"visState": "{\"title\":\"Notice - Message Details\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Subcategory\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Message\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Sub-Message\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Category\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subcategory\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.msg\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDG1uC-xQT5EBNmq3dP",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0NywxXQ==",
"attributes": {
"title": "Notices - Log Count",
"visState": "{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0OCwxXQ==",
"attributes": {
"title": "Notices - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek_notice.category",
"zeek_notice.sub_category",
"zeek_notice.msg",
"srcIp",
"dstIp",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "cd33ef1d-d5b8-43aa-8ae1-2534f0b79759",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg0OSwxXQ==",
"attributes": {
"title": "Notices - Notice Types by Source and Destination",
"visState": "{\"title\":\"Notices - Notice Types by Source and Destination\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":4,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Note\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Source IP Address\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination IP Address\",\"aggType\":\"terms\"},{\"accessor\":3,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"-\"}},\"params\":{},\"label\":\"Notice Category\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Category\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_notice.sub_category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Notice Subcategory\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "559cf002-6086-4655-908e-d1f757cd58a9",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:06.578Z",
"version": "Wzg1MCwxXQ==",
"attributes": {
"title": "Notices - Destination Country",
"visState": "{\"title\":\"Notices - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Destination Country\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.destination_geo.country_name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Country\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "8f003748-a6f8-4244-9d4e-e38e4a48da4c"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

210
Vagrant/resources/malcolm/kibana/dashboards/f394057d-1b16-4174-b994-7045f423a416.json Normal file
View File

@@ -0,0 +1,210 @@
{
"version": "7.10.0",
"objects": [
{
"id": "f394057d-1b16-4174-b994-7045f423a416",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1MSwxXQ==",
"attributes": {
"title": "Connections - Source - Sum of Total Bytes",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":23,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":40,\"h\":50,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":3},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":8,\"h\":15,\"i\":\"0a22cd88-c236-4994-9b27-db3f5b731d7f\"},\"panelIndex\":\"0a22cd88-c236-4994-9b27-db3f5b731d7f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.2\",\"gridData\":{\"x\":0,\"y\":38,\"w\":8,\"h\":12,\"i\":\"4a3f5963-08e0-4206-aede-70e943fed585\"},\"panelIndex\":\"4a3f5963-08e0-4206-aede-70e943fed585\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "c964c032-31ce-4397-bac3-f6b625e66548"
},
{
"name": "panel_2",
"type": "visualization",
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49"
},
{
"name": "panel_3",
"type": "visualization",
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c964c032-31ce-4397-bac3-f6b625e66548",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1MywxXQ==",
"attributes": {
"visState": "{\"title\":\"Connections - Source - Sum of Total Bytes\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"totBytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}",
"description": "",
"title": "Connections - Source - Sum of Total Bytes",
"uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "623ef480-4e73-11ea-b4e7-0f540ddf3a49",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NCwxXQ==",
"attributes": {
"title": "Connections - Protocol Filters",
"visState": "{\"title\":\"Connections - Protocol Filters\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1581606976709\",\"fieldName\":\"network.type\",\"parent\":\"\",\"label\":\"Network Layer\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1581606723028\",\"fieldName\":\"zeek.proto\",\"parent\":\"\",\"label\":\"Protocol\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1581606665268\",\"fieldName\":\"zeek.service\",\"parent\":\"\",\"label\":\"Service\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [
{
"name": "control_0_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_1_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
},
{
"name": "control_2_index_pattern",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "4dd65202-bd19-40d6-9e0d-ff41c6d5a4b5",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NSwxXQ==",
"attributes": {
"title": "Connections - Maps",
"visState": "{\"title\":\"Connections - Maps\",\"type\":\"markdown\",\"params\":{\"fontSize\":10,\"markdown\":\"#### Coordinate Maps\\n[Source - Originator Bytes](/kibana/app/dashboards#/view/b50c8d17-6ed3-4de6-aed4-5181032810b2) ● [Destination - Responder Bytes](/kibana/app/dashboards#/view/d4fd6afd-15cb-42bf-8a25-03dd8e59b327) ● [Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f394057d-1b16-4174-b994-7045f423a416) ● [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/60d78fbd-471c-4f59-a9e3-189b33a13644) ● [Source - Top Connection Duration](/kibana/app/dashboards#/view/e09a4b86-29b5-4256-bb3b-802ac9f90404) ● [Destination - Top Connection Duration](/kibana/app/dashboards#/view/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0) \\n#### Region Maps\\n[Source - Originator Bytes ](/kibana/app/dashboards#/view/d41fe630-3f98-11e9-a58e-8bdedb0915e8) ● [Destination - Responder Bytes ](/kibana/app/dashboards#/view/77fc9960-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Sum of Total Bytes ](/kibana/app/dashboards#/view/1ce42250-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Sum of Total Bytes ](/kibana/app/dashboards#/view/a16110b0-3f99-11e9-a58e-8bdedb0915e8) ● [Source - Top Connection Duration ](/kibana/app/dashboards#/view/39abfe30-3f99-11e9-a58e-8bdedb0915e8) ● [Destination - Top Connection Duration ](/kibana/app/dashboards#/view/b9f247c0-3f99-11e9-a58e-8bdedb0915e8)\",\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "52570870-e9d4-444f-a3df-e44c6757ed9f",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:07.590Z",
"version": "Wzg1NiwxXQ==",
"attributes": {
"title": "Connections - Logs",
"description": "",
"hits": 0,
"columns": [
"zeek.proto",
"zeek.service",
"srcIp",
"srcPort",
"dstIp",
"dstPort",
"totBytes",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"zeek.logType:conn\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

493
Vagrant/resources/malcolm/kibana/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json Normal file
View File

@@ -0,0 +1,493 @@
{
"version": "7.10.0",
"objects": [
{
"id": "f77bf097-18a8-465c-b634-eb2acc7a4f26",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T17:56:05.373Z",
"version": "WzMwNTMsMV0=",
"attributes": {
"title": "RFB",
"hits": 0,
"description": "",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":27,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"legendOpen\":true,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":19,\"i\":\"5\",\"w\":13,\"x\":8,\"y\":8},\"panelIndex\":\"5\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7\",\"w\":13,\"x\":21,\"y\":8},\"panelIndex\":\"7\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"8\",\"w\":18,\"x\":0,\"y\":27},\"panelIndex\":\"8\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"11\",\"w\":16,\"x\":0,\"y\":48},\"panelIndex\":\"11\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"12\",\"w\":16,\"x\":16,\"y\":48},\"panelIndex\":\"12\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"13\",\"w\":16,\"x\":32,\"y\":48},\"panelIndex\":\"13\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"14\",\"w\":15,\"x\":33,\"y\":27},\"panelIndex\":\"14\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":21,\"i\":\"15\",\"w\":15,\"x\":18,\"y\":27},\"panelIndex\":\"15\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"16\",\"w\":14,\"x\":34,\"y\":8},\"panelIndex\":\"16\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"17\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":38,\"i\":\"2e466042-c74a-4549-9419-847d918823ae\",\"w\":48,\"x\":0,\"y\":70},\"panelIndex\":\"2e466042-c74a-4549-9419-847d918823ae\",\"version\":\"7.10.0\",\"panelRefName\":\"panel_12\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "visualization",
"id": "ebfb6257-cd49-4120-aefb-e3ef95624acc"
},
{
"name": "panel_2",
"type": "visualization",
"id": "24fb5549-3160-41fb-901f-81c03c165e8c"
},
{
"name": "panel_3",
"type": "visualization",
"id": "5d961a31-c465-45eb-9e8f-2bbad058a4f8"
},
{
"name": "panel_4",
"type": "visualization",
"id": "8efb6175-3c0d-45ac-ae17-2908b8b7ab33"
},
{
"name": "panel_5",
"type": "visualization",
"id": "cd575019-21e5-45be-8fb1-7b447cdf2c91"
},
{
"name": "panel_6",
"type": "visualization",
"id": "0ac25486-a491-4797-b40f-c83d7d14ded0"
},
{
"name": "panel_7",
"type": "visualization",
"id": "5cd98bd4-370d-4d9c-afeb-0018145f6e28"
},
{
"name": "panel_8",
"type": "visualization",
"id": "c4b27ea5-7188-4c09-9754-ea3c67fe44de"
},
{
"name": "panel_9",
"type": "visualization",
"id": "c46f1254-54b6-414b-88cc-69751026b0e0"
},
{
"name": "panel_10",
"type": "visualization",
"id": "0537ea69-4e73-4055-92a8-b90369603b5a"
},
{
"name": "panel_11",
"type": "visualization",
"id": "AWDHC8iGxQT5EBNmq4bs"
},
{
"name": "panel_12",
"type": "search",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "ebfb6257-cd49-4120-aefb-e3ef95624acc",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg1OSwxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"firstPacket per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Log Count Over Time",
"uiStateJSON": "{}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "24fb5549-3160-41fb-901f-81c03c165e8c",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "RFB - Authentication Status",
"visState": "{\"title\":\"RFB - Authentication Status\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"Authenticated\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.auth\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"F\",\"customLabel\":\"Authenticated\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5d961a31-c465-45eb-9e8f-2bbad058a4f8",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2MSwxXQ==",
"attributes": {
"title": "RFB - Exclusive Session",
"visState": "{\"title\":\"RFB - Exclusive Session\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"label\":\"zeek_rfb.share_flag: Descending\",\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exclusive Session\"}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "8efb6175-3c0d-45ac-ae17-2908b8b7ab33",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2MiwxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.desktop_name\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Desktop Name",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "cd575019-21e5-45be-8fb1-7b447cdf2c91",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2MywxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Source IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0ac25486-a491-4797-b40f-c83d7d14ded0",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2NCwxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Destination IP Address",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "5cd98bd4-370d-4d9c-afeb-0018145f6e28",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2NSwxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Destination Port",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c4b27ea5-7188-4c09-9754-ea3c67fe44de",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2NiwxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.server_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Server Version",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "c46f1254-54b6-414b-88cc-69751026b0e0",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2NywxXQ==",
"attributes": {
"visState": "{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_major_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_rfb.client_minor_version\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}",
"description": "",
"title": "RFB - Client Version",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "0537ea69-4e73-4055-92a8-b90369603b5a",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T17:52:25.525Z",
"version": "WzI5ODksMV0=",
"attributes": {
"title": "RFB - Authentication Method",
"visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek_rfb.authentication_method\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Authentication Method\"},\"schema\":\"segment\"}],\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"series\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"Method\",\"aggType\":\"terms\"}]}}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "search_0",
"type": "search",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "AWDHC8iGxQT5EBNmq4bs",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg2OSwxXQ==",
"attributes": {
"title": "RFB - Log Count",
"visState": "{\"title\":\"RFB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "161c6526-b634-4b79-8cb5-39b667eaa862"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "161c6526-b634-4b79-8cb5-39b667eaa862",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:08.611Z",
"version": "Wzg3MCwxXQ==",
"attributes": {
"title": "RFB - Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_rfb.desktop_name",
"zeek_rfb.authentication_method",
"zeek_rfb.auth",
"zeek_rfb.share_flag",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"zeek.logType:rfb\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
}
]
}

316
Vagrant/resources/malcolm/kibana/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json Normal file
View File

@@ -0,0 +1,316 @@
{
"version": "7.10.0",
"objects": [
{
"id": "fa141950-ef89-11e9-b38a-2db3ee640e88",
"type": "dashboard",
"namespaces": [
"default"
],
"updated_at": "2021-02-11T18:59:12.130Z",
"version": "WzM3MjIsMV0=",
"attributes": {
"title": "Tabular Data Stream - SQL",
"hits": 0,
"description": "",
"panelsJSON": "[{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":28,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":48,\"w\":48,\"h\":31,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":20,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":11,\"h\":20,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"7.10.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"}]",
"optionsJSON": "{\"useMargins\":true}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
}
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
},
{
"name": "panel_1",
"type": "search",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_2",
"type": "visualization",
"id": "455451f0-ef8a-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_3",
"type": "visualization",
"id": "827dd240-ef8a-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_4",
"type": "visualization",
"id": "b63a4c30-ef8a-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_5",
"type": "visualization",
"id": "d9275670-ef8a-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_6",
"type": "visualization",
"id": "13598fc0-ef8b-11e9-b38a-2db3ee640e88"
},
{
"name": "panel_7",
"type": "visualization",
"id": "539691a0-ef8b-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"dashboard": "7.9.3"
}
},
{
"id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Zeek Logs",
"visState": "{\"title\":\"Zeek Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/kibana/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/kibana/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/kibana/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Connections](/kibana/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/kibana/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/kibana/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/kibana/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/kibana/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Notices](/kibana/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Weird](/kibana/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/kibana/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Intel Feeds](/kibana/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/kibana/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/kibana/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/kibana/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/kibana/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/kibana/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/kibana/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/kibana/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/kibana/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/kibana/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MySQL](/kibana/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/kibana/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/kibana/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [QUIC](/kibana/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/kibana/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/kibana/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/kibana/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/kibana/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/kibana/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/kibana/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/kibana/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/kibana/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/kibana/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/kibana/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [Syslog](/kibana/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/kibana/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/kibana/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/kibana/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/kibana/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/kibana/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/kibana/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/kibana/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/kibana/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/kibana/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/kibana/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [Modbus](/kibana/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [MQTT](/kibana/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [PROFINET](/kibana/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/kibana/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/kibana/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
}
},
"references": [],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88",
"type": "search",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3MywxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Logs",
"description": "",
"hits": 0,
"columns": [
"srcIp",
"dstIp",
"dstPort",
"zeek_tds_sql_batch.header_type",
"zeek_tds_sql_batch.query",
"zeek.uid"
],
"sort": [
[
"firstPacket",
"desc"
]
],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"zeek.logType:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "sessions2-*"
}
],
"migrationVersion": {
"search": "7.9.3"
}
},
{
"id": "455451f0-ef8a-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3NCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Log Count",
"visState": "{\"title\":\"Tabular Data Stream - SQL Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "827dd240-ef8a-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3NSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Log Count Over Time",
"visState": "{\"title\":\"Tabular Data Stream - SQL Log Count Over Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}",
"uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "b63a4c30-ef8a-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3NiwxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Header Type",
"visState": "{\"title\":\"Tabular Data Stream - SQL Header Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek_tds_sql_batch.header_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Header Type\"}}]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "d9275670-ef8a-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3NywxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Source IP",
"visState": "{\"title\":\"Tabular Data Stream - SQL Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"srcIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "13598fc0-ef8b-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3OCwxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Destination IP",
"visState": "{\"title\":\"Tabular Data Stream - SQL Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstIp\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dstPort\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
},
{
"id": "539691a0-ef8b-11e9-b38a-2db3ee640e88",
"type": "visualization",
"namespaces": [
"default"
],
"updated_at": "2021-02-10T21:25:09.616Z",
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Tabular Data Stream - SQL Query",
"visState": "{\"title\":\"Tabular Data Stream - SQL Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek_tds_sql_batch.query\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Query\"}}]}",
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "1c454740-ef82-11e9-b38a-2db3ee640e88"
}
],
"migrationVersion": {
"visualization": "7.10.0"
}
}
]
}

30
Vagrant/resources/malcolm/kibana/kibana.yml Normal file
View File

@@ -0,0 +1,30 @@
---
# Default Kibana configuration from kibana-docker.
server.name: kibana
server.host: "0"
server.basePath: "/kibana"
server.rewriteBasePath: true
elasticsearch.hosts: ["${ELASTICSEARCH_URL}"]
elasticsearch.requestTimeout: 180000
kibana.defaultAppId: "dashboard/${KIBANA_DEFAULT_DASHBOARD}"
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false
# offline region map
map.regionmap:
includeElasticMapsService: false
layers:
- name: "World (offline)"
url: "/world.geojson"
attribution: "https://exploratory.io/maps"
fields:
- name: "ISO_A2"
description: "Country Code"
- name: "WB_A2"
description: "Country Code2"
- name: "NAME"
description: "Country Name"

35513
Vagrant/resources/malcolm/kibana/maps/world.geojson Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
Vagrant/resources/malcolm/kibana/maps/world.rds Normal file
View File

Binary file not shown.

149
Vagrant/resources/malcolm/kibana/scripts/elastic_index_policy_create.py Executable file
View File

@@ -0,0 +1,149 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import json
import re
import os
import sys
import time
TEMPLATE_POLICY_ID_DEFAULT = 'session_index_policy'
INDEX_PATTERN_DEFAULT = 'sessions2-*'
TEMPLATE_SCHEMA_VERSION_DEFAULT = 1
POLICY_STATE_HOT = 'hot'
POLICY_STATE_SNAPSHOT = 'recent'
POLICY_STATE_COLD = 'cold'
POLICY_STATE_CLOSED = 'closed'
POLICY_STATE_DELETE = 'delete'
POLICY_STATE_HOT_REPLICAS = 0
POLICY_SNAPSHOT_NAME = 'session_snapshot'
###################################################################################################
debug = False
scriptName = os.path.basename(__file__)
scriptPath = os.path.dirname(os.path.realpath(__file__))
origPath = os.getcwd()
###################################################################################################
# print to stderr
def eprint(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
###################################################################################################
# convenient boolean argument parsing
def str2bool(v):
if v.lower() in ('yes', 'true', 't', 'y', '1'):
return True
elif v.lower() in ('no', 'false', 'f', 'n', '0'):
return False
else:
raise argparse.ArgumentTypeError('Boolean value expected.')
###################################################################################################
# main
def main():
global debug
parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} <arguments>'.format(scriptName))
parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output")
parser.add_argument('--policy', dest='policyId', metavar='<str>', type=str, default=TEMPLATE_POLICY_ID_DEFAULT, help='Index management policy ID')
parser.add_argument('--index-pattern', dest='indexPattern', metavar='<str>', type=str, default=os.getenv('ARKIME_INDEX_PATTERN', INDEX_PATTERN_DEFAULT), help='Index management policy index pattern (comma-separated)')
parser.add_argument('--priority', dest='templatePriority', metavar='<int>', type=int, default=100, help='Template priority')
parser.add_argument('--version', dest='schemaVersion', metavar='<int>', type=int, default=TEMPLATE_SCHEMA_VERSION_DEFAULT, help='Index management policy template schema version')
parser.add_argument('--replicas', dest='hotReplicaCount', metavar='<int>', type=int, default=POLICY_STATE_HOT_REPLICAS, help='Replica count for hot state')
parser.add_argument('--snapshot', dest='snapshotAge', metavar='<str>', type=str, default='1d', help='Snapshot index age (e.g., 1d); 0 to disable')
parser.add_argument('--snapshot-repo', dest='snapshotRepo', metavar='<str>', type=str, default=os.getenv('ISM_SNAPSHOT_REPO', 'logs'), help='Snapshot repository')
parser.add_argument('--snapshot-name', dest='snapshotName', metavar='<str>', type=str, default=POLICY_SNAPSHOT_NAME, help='Snapshot name')
parser.add_argument('--cold', dest='coldAge', metavar='<str>', type=str, default='30d', help='Cold state index age (e.g., 30d); 0 to disable')
parser.add_argument('--close', dest='closeAge', metavar='<str>', type=str, default='60d', help='Close state index age (e.g., 60d); 0 to disable')
parser.add_argument('--delete', dest='deleteAge', metavar='<str>', type=str, default='365d', help='Delete state index age (e.g., 365d); 0 to disable')
try:
parser.error = parser.exit
args = parser.parse_args()
except SystemExit:
parser.print_help()
exit(2)
debug = args.debug
if debug:
eprint(os.path.join(scriptPath, scriptName))
eprint("Arguments: {}".format(sys.argv[1:]))
eprint("Arguments: {}".format(args))
else:
sys.tracebacklimit = 0
# verify that age parameters are in the right format (number and units)
for ageParam in (args.snapshotAge, args.coldAge, args.closeAge, args.deleteAge):
if not ((ageParam == '0') or re.match(r'^\d+[dhms]$', ageParam)):
raise argparse.ArgumentTypeError(f'Invalid age parameter {ageParam}')
# store policy information
policyDict = dict()
policyDict['policy_id'] = args.policyId
policyDict['description'] = f'Index state management policy to snapshot indices after {args.snapshotAge}, move them into a cold state after {args.coldAge} and delete them after {args.deleteAge}'
policyDict['last_updated_time'] = time.time_ns() // 1000000
policyDict['schema_version'] = args.schemaVersion
policyDict['error_notification'] = None
# list of states and their transitions
states = list()
# hot -> snapshot -> cold -> closed -> deleted
# hot state is default and always exists
policyDict['default_state'] = POLICY_STATE_HOT
hotState = dict()
hotState['name'] = POLICY_STATE_HOT
hotState['actions'] = [{ 'replica_count' : { 'number_of_replicas' : args.hotReplicaCount}}]
states.append(hotState)
# create a "snapshot" state for backup and set the previous state's transition to it
if (args.snapshotAge != '0'):
snapshotState = dict()
snapshotState['name'] = POLICY_STATE_SNAPSHOT
snapshotState['actions'] = [{ 'snapshot' : { 'repository' : args.snapshotRepo, 'snapshot' : args.snapshotName}}]
states[len(states)-1]['transitions'] = [{'state_name' : POLICY_STATE_SNAPSHOT,
'conditions' : { 'min_index_age' : args.snapshotAge}}]
states.append(snapshotState)
# create a "cold" state for read-only indices and set the previous state's transition to it
if (args.coldAge != '0'):
coldState = dict()
coldState['name'] = POLICY_STATE_COLD
coldState['actions'] = [{ 'read_only' : {}}]
states[len(states)-1]['transitions'] = [{'state_name' : POLICY_STATE_COLD,
'conditions' : { 'min_index_age' : args.coldAge}}]
states.append(coldState)
# create a "closed" state for closed indices and set the previous state's transition to it
if (args.closeAge != '0'):
closedState = dict()
closedState['name'] = POLICY_STATE_CLOSED
closedState['actions'] = [{ 'close' : {}}]
states[len(states)-1]['transitions'] = [{'state_name' : POLICY_STATE_CLOSED,
'conditions' : { 'min_index_age' : args.closeAge}}]
states.append(closedState)
# create a "deleted" state for deleted indices and set the previous state's transition to it
if (args.deleteAge != '0'):
deleteState = dict()
deleteState['name'] = POLICY_STATE_DELETE
deleteState['actions'] = [{ 'delete' : {}}]
states[len(states)-1]['transitions'] = [{'state_name' : POLICY_STATE_DELETE,
'conditions' : { 'min_index_age' : args.deleteAge}}]
states.append(deleteState)
# the final state doesn't transition
states[len(states)-1]['transitions'] = []
policyDict['states'] = states
policyDict['ism_template'] = { 'index_patterns' : [x.strip() for x in args.indexPattern.split(',')],
'priority' : args.templatePriority }
policy = dict()
policy['policy'] = policyDict
print(json.dumps(policy))
if __name__ == '__main__':
main()

130
Vagrant/resources/malcolm/kibana/scripts/kibana-create-moloch-sessions-index.sh Executable file
View File

@@ -0,0 +1,130 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
set -euo pipefail
shopt -s nocasematch
if [[ -n $ELASTICSEARCH_URL ]]; then
ES_URL="$ELASTICSEARCH_URL"
elif [[ -n $ES_HOST ]] && [[ -n $ES_PORT ]]; then
ES_URL="http://$ES_HOST:$ES_PORT"
else
ES_URL="http://elasticsearch:9200"
fi
if [[ -n $KIBANA_URL ]]; then
KIB_URL="$KIBANA_URL"
elif [[ -n $KIBANA_HOST ]] && [[ -n $KIBANA_PORT ]]; then
KIB_URL="http://$KIBANA_HOST:$KIBANA_PORT"
else
KIB_URL="http://kibana:5601/kibana"
fi
INDEX_PATTERN=${ARKIME_INDEX_PATTERN:-"sessions2-*"}
INDEX_PATTERN_ID=${ARKIME_INDEX_PATTERN_ID:-"sessions2-*"}
INDEX_TIME_FIELD=${ARKIME_INDEX_TIME_FIELD:-"firstPacket"}
INDEX_POLICY_FILE="/data/init/index-management-policy.json"
INDEX_POLICY_FILE_HOST="/data/index-management-policy.json"
ZEEK_TEMPLATE_FILE="/data/init/zeek_template.json"
ZEEK_TEMPLATE_FILE_ORIG="/data/zeek_template.json"
INDEX_POLICY_NAME=${ISM_POLICY_NAME:-"session_index_policy"}
# is the argument to automatically create this index enabled?
if [[ "$CREATE_ES_ARKIME_SESSION_INDEX" = "true" ]] ; then
# give Elasticsearch time to start before configuring Kibana
/data/elastic_search_status.sh >/dev/null 2>&1
# is the kibana process server up and responding to requests?
if curl -L --silent --output /dev/null --fail -XGET "$KIB_URL/api/status" ; then
# have we not not already created the index pattern?
if ! curl -L --silent --output /dev/null --fail -XGET "$KIB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" ; then
echo "Elasticsearch is running! Setting up index management policies..."
# register the repo location for elasticsearch snapshots
/data/register-elasticsearch-snapshot-repo.sh
# tweak the sessions template (sessions2-* zeek template file) to use the index management policy
if [[ -f "$INDEX_POLICY_FILE_HOST" ]] && (( $(jq length "$INDEX_POLICY_FILE_HOST") > 0 )); then
# user has provided a file for index management, use it
cp "$INDEX_POLICY_FILE_HOST" "$INDEX_POLICY_FILE"
INDEX_POLICY_NAME="$(cat "$INDEX_POLICY_FILE" | jq '..|objects|.policy_id//empty' | tr -d '"')"
else
# need to generate index management file based on environment variables
/data/elastic_index_policy_create.py \
--policy "$INDEX_POLICY_NAME" \
--index-pattern "$INDEX_PATTERN" \
--priority 100 \
--snapshot ${ISM_SNAPSHOT_AGE:-"0"} \
--cold ${ISM_COLD_AGE:-"0"} \
--close ${ISM_CLOSE_AGE:-"0"} \
--delete ${ISM_DELETE_AGE:-"0"} \
> "$INDEX_POLICY_FILE"
fi
if [[ -f "$INDEX_POLICY_FILE" ]]; then
# make API call to define index management policy
# https://opendistro.github.io/for-elasticsearch-docs/docs/ism/api/#create-policy
curl -w "\n" -L --silent --output /dev/null --show-error -XPUT -H "Content-Type: application/json" "$ES_URL/_opendistro/_ism/policies/$INDEX_POLICY_NAME" -d "@$INDEX_POLICY_FILE"
if [[ -f "$ZEEK_TEMPLATE_FILE_ORIG" ]]; then
# insert opendistro.index_state_management.policy_id into index template settings: will be
# imported by kibana-create-moloch-sessions-index.sh
cat "$ZEEK_TEMPLATE_FILE_ORIG" | jq ".settings += {\"opendistro.index_state_management.policy_id\": \"$INDEX_POLICY_NAME\"}" > "$ZEEK_TEMPLATE_FILE"
fi
fi
echo "Importing zeek_template..."
if [[ -f "$ZEEK_TEMPLATE_FILE_ORIG" ]] && [[ ! -f "$ZEEK_TEMPLATE_FILE" ]]; then
cp "$ZEEK_TEMPLATE_FILE_ORIG" "$ZEEK_TEMPLATE_FILE"
fi
# load zeek_template containing zeek field type mappings (merged from /data/zeek_template.json to /data/init/zeek_template.json in kibana_helpers.sh on startup)
curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" \
"$ES_URL/_template/zeek_template?include_type_name=true" -d "@$ZEEK_TEMPLATE_FILE" 2>&1
echo "Importing index pattern..."
# From https://github.com/elastic/kibana/issues/3709
# Create index pattern
curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: anything" \
"$KIB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" \
-d"{\"attributes\":{\"title\":\"$INDEX_PATTERN\",\"timeFieldName\":\"$INDEX_TIME_FIELD\"}}" 2>&1
echo "Setting default index pattern..."
# Make it the default index
curl -w "\n" -sSL -XPOST -H "Content-Type: application/json" -H "kbn-xsrf: anything" \
"$KIB_URL/api/kibana/settings/defaultIndex" \
-d"{\"value\":\"$INDEX_PATTERN_ID\"}"
echo "Importing Kibana saved objects..."
# install default dashboards, index patterns, etc.
for i in /opt/kibana/dashboards/*.json; do
curl -L --silent --output /dev/null --show-error -XPOST "$KIB_URL/api/kibana/dashboards/import?force=true" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d "@$i"
done
# set dark theme
curl -L --silent --output /dev/null --show-error -XPOST "$KIB_URL/api/kibana/settings/theme:darkMode" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}'
# set default query time range
curl -L --silent --output /dev/null --show-error -XPOST "$KIB_URL/api/kibana/settings" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
# turn off telemetry
curl -L --silent --output /dev/null --show-error -XPOST "$KIB_URL/api/telemetry/v2/optIn" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d '{"enabled":false}'
# pin filters by default
curl -L --silent --output /dev/null --show-error -XPOST "$KIB_URL/api/kibana/settings/filters:pinnedByDefault" -H 'kbn-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}'
echo "Kibana saved objects import complete!"
fi
fi
fi

291
Vagrant/resources/malcolm/kibana/scripts/kibana_index_refresh.py Executable file
View File

@@ -0,0 +1,291 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import json
import re
import requests
import os
import sys
GET_STATUS_API = 'api/status'
GET_INDEX_PATTERN_INFO_URI = 'api/saved_objects/_find'
GET_FIELDS_URI = 'api/index_patterns/_fields_for_wildcard'
PUT_INDEX_PATTERN_URI = 'api/saved_objects/index-pattern'
ES_GET_TEMPLATE_URI = '_template'
###################################################################################################
debug = False
scriptName = os.path.basename(__file__)
scriptPath = os.path.dirname(os.path.realpath(__file__))
origPath = os.getcwd()
###################################################################################################
# print to stderr
def eprint(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
###################################################################################################
# convenient boolean argument parsing
def str2bool(v):
if v.lower() in ('yes', 'true', 't', 'y', '1'):
return True
elif v.lower() in ('no', 'false', 'f', 'n', '0'):
return False
else:
raise argparse.ArgumentTypeError('Boolean value expected.')
###################################################################################################
# main
def main():
global debug
parser = argparse.ArgumentParser(description=scriptName, add_help=False, usage='{} <arguments>'.format(scriptName))
parser.add_argument('-v', '--verbose', dest='debug', type=str2bool, nargs='?', const=True, default=False, help="Verbose output")
parser.add_argument('-i', '--index', dest='index', metavar='<str>', type=str, default='sessions2-*', help='Index Pattern Name')
parser.add_argument('-k', '--kibana', dest='kibanaUrl', metavar='<protocol://host:port>', type=str, default=os.getenv('KIBANA_URL', 'http://kibana:5601/kibana'), help='Kibana URL')
parser.add_argument('-e', '--elastic', dest='elasticUrl', metavar='<protocol://host:port>', type=str, default=os.getenv('ELASTICSEARCH_URL', 'http://elasticsearch:9200'), help='Elasticsearch URL')
parser.add_argument('-t', '--template', dest='template', metavar='<str>', type=str, default=None, help='Elasticsearch template to merge')
parser.add_argument('-n', '--dry-run', dest='dryrun', type=str2bool, nargs='?', const=True, default=False, help="Dry run (no PUT)")
try:
parser.error = parser.exit
args = parser.parse_args()
except SystemExit:
parser.print_help()
exit(2)
debug = args.debug
if debug:
eprint(os.path.join(scriptPath, scriptName))
eprint("Arguments: {}".format(sys.argv[1:]))
eprint("Arguments: {}".format(args))
else:
sys.tracebacklimit = 0
# get version number so kibana doesn't think we're doing a XSRF when we do the PUT
statusInfoResponse = requests.get('{}/{}'.format(args.kibanaUrl, GET_STATUS_API))
statusInfoResponse.raise_for_status()
statusInfo = statusInfoResponse.json()
kibanaVersion = statusInfo['version']['number']
if debug:
eprint('Kibana version is {}'.format(kibanaVersion))
esInfoResponse = requests.get(args.elasticUrl)
esInfo = statusInfoResponse.json()
elasticVersion = statusInfo['version']['number']
if debug:
eprint('Elasticsearch version is {}'.format(elasticVersion))
# find the ID of the index name (probably will be the same as the name)
getIndexInfoResponse = requests.get(
'{}/{}'.format(args.kibanaUrl, GET_INDEX_PATTERN_INFO_URI),
params={
'type': 'index-pattern',
'fields': 'id',
'search': '"{}"'.format(args.index)
}
)
getIndexInfoResponse.raise_for_status()
getIndexInfo = getIndexInfoResponse.json()
indexId = getIndexInfo['saved_objects'][0]['id'] if (len(getIndexInfo['saved_objects']) > 0) else None
if debug:
eprint('Index ID for {} is {}'.format(args.index, indexId))
if indexId is not None:
# get the current fields list
getFieldsResponse = requests.get('{}/{}'.format(args.kibanaUrl, GET_FIELDS_URI),
params={ 'pattern': args.index,
'meta_fields': ["_source","_id","_type","_index","_score"] })
getFieldsResponse.raise_for_status()
getFieldsList = getFieldsResponse.json()['fields']
fieldsNames = [field['name'] for field in getFieldsList if 'name' in field]
# get the fields from the template, if specified, and merge those into the fields list
if args.template is not None:
try:
# request template from elasticsearch and pull the mappings/properties (field list) out
getTemplateResponse = requests.get('{}/{}/{}'.format(args.elasticUrl, ES_GET_TEMPLATE_URI, args.template))
getTemplateResponse.raise_for_status()
getTemplateInfo = getTemplateResponse.json()[args.template]['mappings']['properties']
# a field should be merged if it's not already in the list we have from kibana, and it's
# in the list of types we're merging (leave more complex types like nested and geolocation
# to be handled naturally as the data shows up)
for field in getTemplateInfo:
mergeFieldTypes = ("date", "float", "integer", "ip", "keyword", "long", "short", "text")
if ((field not in fieldsNames) and
('type' in getTemplateInfo[field]) and
(getTemplateInfo[field]['type'] in mergeFieldTypes)):
# create field dict in same format as those returned by GET_FIELDS_URI above
mergedFieldInfo = {}
mergedFieldInfo['name'] = field
mergedFieldInfo['esTypes'] = [ getTemplateInfo[field]['type'] ]
if ((getTemplateInfo[field]['type'] == 'float') or
(getTemplateInfo[field]['type'] == 'integer') or
(getTemplateInfo[field]['type'] == 'long') or
(getTemplateInfo[field]['type'] == 'short')):
mergedFieldInfo['type'] = 'number'
elif ((getTemplateInfo[field]['type'] == 'keyword') or
(getTemplateInfo[field]['type'] == 'text')):
mergedFieldInfo['type'] = 'string'
else:
mergedFieldInfo['type'] = getTemplateInfo[field]['type']
mergedFieldInfo['searchable'] = True
mergedFieldInfo['aggregatable'] = ("text" not in mergedFieldInfo['esTypes'])
mergedFieldInfo['readFromDocValues'] = mergedFieldInfo['aggregatable']
fieldsNames.append(field)
getFieldsList.append(mergedFieldInfo)
# elif debug:
# eprint('Not merging {}: {}'.format(field, json.dumps(getTemplateInfo[field])))
except Exception as e:
eprint('"{}" raised for "{}", skipping template merge'.format(str(e), args.template))
if debug:
eprint('{} would have {} fields'.format(args.index, len(getFieldsList)))
# define field formatting map for Kibana -> Arkime drilldown and other URL drilldowns
#
# see: https://github.com/cisagov/Malcolm/issues/133
# https://github.com/mmguero-dev/kibana-plugin-drilldownmenu
#
# fieldFormatMap is
# {
# "zeek.orig_h": {
# "id": "drilldown",
# "params": {
# "parsedUrl": {
# "origin": "https://malcolm.local.lan",
# "pathname": "/kibana/app/kibana",
# "basePath": "/kibana"
# },
# "urlTemplates": [
# null,
# {
# "url": "/idkib2mol/zeek.orig_h == {{value}}",
# "label": "Arkime: zeek.orig_h == {{value}}"
# }
# ]
# }
# },
# ...
# }
fieldFormatMap = {}
for field in getFieldsList:
if field['name'][:1].isalpha():
# for Arkime to query by database field name, see moloch issue/PR 1461/1463
valQuote = '"' if field['type'] == 'string' else ''
valDbPrefix = '' if field['name'].startswith('zeek') else 'db:'
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = '/idkib2mol/{}{} == {}{{{{value}}}}{}'.format(valDbPrefix, field['name'], valQuote, valQuote)
drilldownInfoParamsUrlTemplateValues['label'] = 'Arkime {}: {}{{{{value}}}}{}'.format(field['name'], valQuote, valQuote)
drilldownInfoParamsUrlTemplates = [None, drilldownInfoParamsUrlTemplateValues]
if (field['type'] == 'ip') or (re.search(r'[_\.-](h|ip)$', field['name'], re.IGNORECASE) is not None):
# add drilldown for searching IANA for IP addresses
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.virustotal.com/en/ip-address/{{value}}/information/'
drilldownInfoParamsUrlTemplateValues['label'] = 'VirusTotal IP: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(^|[\b_\.-])(md5|sha(1|256|384|512))\b', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching VirusTotal for hash signatures
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.virustotal.com/gui/file/{{value}}/detection'
drilldownInfoParamsUrlTemplateValues['label'] = 'VirusTotal Hash: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(^|[\b_\.-])(hit|signature(_?id))?s?$', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching the web for signature IDs
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://duckduckgo.com/?q="{{value}}"'
drilldownInfoParamsUrlTemplateValues['label'] = 'Web Search: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(^|src|dst|source|dest|destination|[\b_\.-])p(ort)?s?$', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching IANA for ports
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search={{value}}'
drilldownInfoParamsUrlTemplateValues['label'] = 'Port Registry: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'^(zeek\.service|protocol?|network\.protocol)$', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching IANA for services
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search={{value}}'
drilldownInfoParamsUrlTemplateValues['label'] = 'Service Registry: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'^(network\.transport|zeek\.proto|ipProtocol)$', field['name'], re.IGNORECASE) is not None:
# add URL link for assigned transport protocol numbers
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml'
drilldownInfoParamsUrlTemplateValues['label'] = 'Protocol Registry'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(as\.number|(src|dst)ASN|asn\.(src|dst))$', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching ARIN for ASN
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://search.arin.net/rdap/?query={{value}}&searchFilter=asn'
drilldownInfoParamsUrlTemplateValues['label'] = 'ARIN ASN: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(^zeek\.filetype$|mime[_\.-]?type)', field['name'], re.IGNORECASE) is not None:
# add drilldown for searching mime/media/content types
# TODO: '/' in URL is getting messed up somehow, maybe we need to url encode it manually? not sure...
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = 'https://www.iana.org/assignments/media-types/{{value}}'
drilldownInfoParamsUrlTemplateValues['label'] = 'Media Type Registry: {{value}}'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
elif re.search(r'(^zeek_files\.extracted$)', field['name'], re.IGNORECASE) is not None:
# add download for extracted/quarantined zeek files
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/quarantine/{{value}}'
drilldownInfoParamsUrlTemplateValues['label'] = 'Download (if quarantined)'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
drilldownInfoParamsUrlTemplateValues = {}
drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/preserved/{{value}}'
drilldownInfoParamsUrlTemplateValues['label'] = 'Download (if preserved)'
drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
drilldownInfoParams = {}
drilldownInfoParams['urlTemplates'] = drilldownInfoParamsUrlTemplates
drilldownInfo = {}
drilldownInfo['id'] = 'drilldown'
drilldownInfo['params'] = drilldownInfoParams
fieldFormatMap[field['name']] = drilldownInfo
# set the index pattern with our complete list of fields
putIndexInfo = {}
putIndexInfo['attributes'] = {}
putIndexInfo['attributes']['title'] = args.index
putIndexInfo['attributes']['fields'] = json.dumps(getFieldsList)
putIndexInfo['attributes']['fieldFormatMap'] = json.dumps(fieldFormatMap)
if not args.dryrun:
putResponse = requests.put('{}/{}/{}'.format(args.kibanaUrl, PUT_INDEX_PATTERN_URI, indexId),
headers={ 'Content-Type': 'application/json',
'kbn-xsrf': 'true',
'kbn-version': kibanaVersion, },
data=json.dumps(putIndexInfo))
putResponse.raise_for_status()
# if we got this far, it probably worked!
if args.dryrun:
print("success (dry run only, no write performed)")
else:
print("success")
else:
print("failure (could not find Index ID for {})".format(args.index))
if __name__ == '__main__':
main()

19
Vagrant/resources/malcolm/kibana/scripts/register-elasticsearch-snapshot-repo.sh Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
if [ $# -gt 0 ]; then
ES_URL="$1"
elif [[ -n $ELASTICSEARCH_URL ]]; then
ES_URL="$ELASTICSEARCH_URL"
elif [[ -n $ES_HOST ]] && [[ -n $ES_PORT ]]; then
ES_URL="http://$ES_HOST:$ES_PORT"
else
ES_URL="http://elasticsearch:9200"
fi
[[ -n $ISM_SNAPSHOT_REPO ]] && \
curl -w "\n" -H "Accept: application/json" \
-H "Content-type: application/json" \
-XPUT -fsSL "$ES_URL/_snapshot/$ISM_SNAPSHOT_REPO" \
-d "{ \"type\": \"fs\", \"settings\": { \"location\": \"$ISM_SNAPSHOT_REPO\", \"compress\": ${ISM_SNAPSHOT_COMPRESSED:-false} } }"

53
Vagrant/resources/malcolm/kibana/supervisord.conf Normal file
View File

@@ -0,0 +1,53 @@
; Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
[unix_http_server]
file=/tmp/supervisor.sock ; (the path to the socket file)
chmod=0700
[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid
[rpcinterface:supervisor]
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock
[program:idxinit]
command=bash -c "sleep 180 && /data/elastic_search_status.sh -w && /data/kibana_index_refresh.py -v --kibana \"%(ENV_KIBANA_URL)s\" --elastic \"%(ENV_ELASTICSEARCH_URL)s\" --template zeek_template"
autostart=true
autorestart=false
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
directory=/data
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:maps]
command=/usr/local/bin/http-server /opt/maps --cors='*' -d false -i false --no-dotfiles -p %(ENV_KIBANA_OFFLINE_REGION_MAPS_PORT)s
autostart=true
autorestart=true
startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
directory=/opt/maps
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
[program:cron]
autostart=true
autorestart=true
command=/usr/local/bin/supercronic -json "%(ENV_SUPERCRONIC_CRONTAB)s"
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true

992
Vagrant/resources/malcolm/kibana/zeek_template.json Normal file
View File

@@ -0,0 +1,992 @@
{
"index_patterns" : ["sessions2-*"],
"order" : 0,
"settings" : {
"index" : {
"mapping.total_fields.limit" : "2000"
}
},
"mappings": {
"session": {
"properties": {
"client.address": { "type": "keyword" },
"client.bytes": { "type": "long" },
"client.domain": { "type": "keyword" },
"client.ip": { "type": "ip" },
"client.mac": { "type": "keyword" },
"client.packets": { "type": "integer" },
"client.port": { "type": "integer" },
"destination.domain": { "type": "keyword" },
"dns.answers": { "type": "nested" },
"dns.header_flags": { "type": "keyword" },
"dns.id": { "type": "keyword" },
"dns.op_code": { "type": "keyword" },
"dns.question.class": { "type": "keyword" },
"dns.question.name": { "type": "keyword" },
"dns.question.type": { "type": "keyword" },
"dns.resolved_ip": { "type": "ip" },
"dns.response_code": { "type": "keyword" },
"dns.type": { "type": "keyword" },
"ecs.version": { "type": "keyword" },
"event.action": { "type": "keyword" },
"event.category": { "type": "keyword" },
"event.dataset": { "type": "keyword" },
"event.duration": { "type": "long" },
"event.end": { "type": "date" },
"event.id": { "type": "keyword" },
"event.ingested": { "type": "date" },
"event.kind": { "type": "keyword" },
"event.outcome": { "type": "keyword" },
"event.provider": { "type": "keyword" },
"event.start": { "type": "date" },
"event.type": { "type": "keyword" },
"file.accessed": { "type": "date" },
"file.created": { "type": "date" },
"file.ctime": { "type": "date" },
"file.directory": { "type": "keyword" },
"file.extension": { "type": "keyword" },
"file.hash.md5": { "type": "keyword" },
"file.hash.sha1": { "type": "keyword" },
"file.hash.sha256": { "type": "keyword" },
"file.mime_type": { "type": "keyword" },
"file.mtime": { "type": "date" },
"file.name": { "type": "keyword" },
"file.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"file.size": { "type": "long" },
"file.type": { "type": "keyword" },
"host.name": { "type": "keyword" },
"http.request.body.bytes": { "type": "long" },
"http.request.method": { "type": "keyword" },
"http.request.referrer": { "type": "keyword" },
"http.response.body.bytes": { "type": "long" },
"http.response.status_cocde": { "type": "short" },
"http.version": { "type": "keyword" },
"log.file.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"network.application": { "type": "keyword" },
"network.bytes": { "type": "long" },
"network.community_id": { "type": "keyword" },
"network.iana_number": { "type": "keyword" },
"network.packets": { "type": "long" },
"network.protocol": { "type": "keyword" },
"network.transport": { "type": "keyword" },
"network.type": { "type": "keyword" },
"related.hash": { "type": "keyword" },
"related.ip": { "type": "ip" },
"related.user": { "type": "keyword" },
"rule.author": { "type": "keyword" },
"rule.category": { "type": "keyword" },
"rule.description": { "type": "keyword" },
"rule.license": { "type": "keyword" },
"rule.name": { "type": "keyword" },
"rule.reference": { "type": "keyword" },
"rule.ruleset": { "type": "keyword" },
"server.address": { "type": "keyword" },
"server.bytes": { "type": "long" },
"server.domain": { "type": "keyword" },
"server.ip": { "type": "ip" },
"server.mac": { "type": "keyword" },
"server.packets": { "type": "integer" },
"server.port": { "type": "integer" },
"threat.framework": { "type": "keyword" },
"threat.tactic.id": { "type": "keyword" },
"threat.tactic.name": { "type": "keyword" },
"threat.tactic.reference": { "type": "keyword" },
"threat.technique.id": { "type": "keyword" },
"threat.technique.name": { "type": "keyword" },
"threat.technique.reference": { "type": "keyword" },
"tls.cipher": { "type": "keyword" },
"tls.client.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.client.ja3": { "type": "keyword" },
"tls.client.server_name": { "type": "keyword" },
"tls.client.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.curve": { "type": "keyword" },
"tls.established": { "type": "keyword" },
"tls.next_protocol": { "type": "keyword" },
"tls.resumed": { "type": "keyword" },
"tls.server.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.server.ja3s": { "type": "keyword" },
"tls.server.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.version": { "type": "keyword" },
"tls.version_protocol": { "type": "keyword" },
"url.domain": { "type": "keyword" },
"url.extension": { "type": "keyword" },
"url.fragment": { "type": "keyword" },
"url.full": { "type": "keyword" },
"url.original": { "type": "keyword" },
"url.password": { "type": "keyword" },
"url.path": { "type": "keyword" },
"url.port": { "type": "integer" },
"url.query": { "type": "keyword" },
"url.scheme": { "type": "keyword" },
"url.username": { "type": "keyword" },
"user_agent.original": { "type": "keyword" },
"zeekLogDocId": { "type": "keyword" },
"zeek.action": { "type": "keyword" },
"zeek.community_id": { "type": "keyword" },
"zeek.destination_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.destination_geo.continent_code": { "type": "keyword" },
"zeek.destination_geo.country_code2": { "type": "keyword" },
"zeek.destination_geo.country_code3": { "type": "keyword" },
"zeek.destination_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.destination_geo.dma_code": { "type": "short" },
"zeek.destination_geo.ip": { "type": "ip" },
"zeek.destination_geo.latitude": { "type": "float" },
"zeek.destination_geo.location": { "type": "geo_point" },
"zeek.destination_geo.longitude": { "type": "float" },
"zeek.destination_geo.postal_code": { "type": "keyword" },
"zeek.destination_geo.region_code": { "type": "keyword" },
"zeek.destination_geo.region_name": { "type": "keyword" },
"zeek.destination_geo.timezone": { "type": "keyword" },
"zeek.destination_ip_reverse_dns": { "type": "keyword" },
"zeek.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.filetype": { "type": "keyword" },
"zeek.freq_score_v1": { "type": "float" },
"zeek.freq_score_v2": { "type": "float" },
"zeek.fuid": { "type": "keyword" },
"zeek.logType": { "type": "keyword" },
"zeek.orig_h": { "type": "ip" },
"zeek.orig_hostname": { "type": "keyword" },
"zeek.orig_l2_addr": { "type": "keyword" },
"zeek.orig_l2_oui": { "type": "keyword" },
"zeek.orig_p": { "type": "integer" },
"zeek.orig_segment": { "type": "keyword" },
"zeek.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.proto": { "type": "keyword" },
"zeek.resp_h": { "type": "ip" },
"zeek.resp_hostname": { "type": "keyword" },
"zeek.resp_l2_addr": { "type": "keyword" },
"zeek.resp_l2_oui": { "type": "keyword" },
"zeek.resp_p": { "type": "integer" },
"zeek.resp_segment": { "type": "keyword" },
"zeek.result": { "type": "keyword" },
"zeek.service": { "type": "keyword" },
"zeek.service_version": { "type": "keyword" },
"zeek.source_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.source_geo.continent_code": { "type": "keyword" },
"zeek.source_geo.country_code2": { "type": "keyword" },
"zeek.source_geo.country_code3": { "type": "keyword" },
"zeek.source_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.source_geo.dma_code": { "type": "short" },
"zeek.source_geo.ip": { "type": "ip" },
"zeek.source_geo.latitude": { "type": "float" },
"zeek.source_geo.location": { "type": "geo_point" },
"zeek.source_geo.longitude": { "type": "float" },
"zeek.source_geo.postal_code": { "type": "keyword" },
"zeek.source_geo.region_code": { "type": "keyword" },
"zeek.source_geo.region_name": { "type": "keyword" },
"zeek.source_geo.timezone": { "type": "keyword" },
"zeek.source_ip_reverse_dns": { "type": "keyword" },
"zeek.ts": { "type": "date" },
"zeek.uid": { "type": "keyword" },
"zeek.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_bacnet.bvlc_function": { "type": "keyword" },
"zeek_bacnet.pdu_type": { "type": "keyword" },
"zeek_bacnet.pdu_service": { "type": "keyword" },
"zeek_bacnet.invoke_id": { "type": "integer" },
"zeek_bacnet.result_code": { "type": "keyword" },
"zeek_bacnet_discovery.pdu_service": { "type": "keyword" },
"zeek_bacnet_discovery.object_type": { "type": "keyword" },
"zeek_bacnet_discovery.instance_number": { "type": "integer" },
"zeek_bacnet_discovery.vendor": { "type": "keyword" },
"zeek_bacnet_discovery.range": { "type": "keyword" },
"zeek_bacnet_discovery.range_low": { "type": "integer" },
"zeek_bacnet_discovery.range_high": { "type": "integer" },
"zeek_bacnet_discovery.object_name": { "type": "keyword" },
"zeek_bacnet_property.pdu_service": { "type": "keyword" },
"zeek_bacnet_property.object_type": { "type": "keyword" },
"zeek_bacnet_property.instance_number": { "type": "integer" },
"zeek_bacnet_property.property": { "type": "keyword" },
"zeek_bacnet_property.array_index": { "type": "integer" },
"zeek_bacnet_property.value": { "type": "keyword" },
"zeek_bestguess.name": { "type": "keyword" },
"zeek_bestguess.category": { "type": "keyword" },
"zeek_bsap_ip_header.num_msg": { "type": "keyword" },
"zeek_bsap_ip_header.type_name": { "type": "integer" },
"zeek_bsap_ip_rdb.app_func_code": { "type": "keyword" },
"zeek_bsap_ip_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_ip_rdb.data_len": { "type": "integer" },
"zeek_bsap_ip_rdb.func_code": { "type": "keyword" },
"zeek_bsap_ip_rdb.header_size": { "type": "integer" },
"zeek_bsap_ip_rdb.mes_seq": { "type": "integer" },
"zeek_bsap_ip_rdb.node_status": { "type": "integer" },
"zeek_bsap_ip_rdb.res_seq": { "type": "integer" },
"zeek_bsap_ip_rdb.sequence": { "type": "integer" },
"zeek_bsap_ip_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_header.ctl": { "type": "integer" },
"zeek_bsap_serial_header.dadd": { "type": "integer" },
"zeek_bsap_serial_header.dfun": { "type": "keyword" },
"zeek_bsap_serial_header.nsb": { "type": "integer" },
"zeek_bsap_serial_header.sadd": { "type": "integer" },
"zeek_bsap_serial_header.seq": { "type": "integer" },
"zeek_bsap_serial_header.ser": { "type": "keyword" },
"zeek_bsap_serial_header.sfun": { "type": "keyword" },
"zeek_bsap_serial_header.type_name": { "type": "keyword" },
"zeek_bsap_serial_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_rdb.func_code": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_rdb_ext.dfun": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.extfun": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.nsb": { "type": "integer" },
"zeek_bsap_serial_rdb_ext.seq": { "type": "integer" },
"zeek_bsap_serial_rdb_ext.sfun": { "type": "keyword" },
"zeek_bsap_serial_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip.cip_sequence_count": { "type": "integer" },
"zeek_cip.direction": { "type": "keyword" },
"zeek_cip.cip_service": { "type": "keyword" },
"zeek_cip.cip_status": { "type": "keyword" },
"zeek_cip.class_id": { "type": "keyword" },
"zeek_cip.class_name": { "type": "keyword" },
"zeek_cip.instance_id": { "type": "keyword" },
"zeek_cip.attribute_id": { "type": "keyword" },
"zeek_cip.data_id": { "type": "keyword" },
"zeek_cip.other_id": { "type": "keyword" },
"zeek_cip_identity.encapsulation_version": { "type": "integer" },
"zeek_cip_identity.socket_address": { "type": "ip" },
"zeek_cip_identity.socket_address_asn": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip_identity.socket_address_geo.continent_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_code2": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_code3": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip_identity.socket_address_geo.dma_code": { "type": "short" },
"zeek_cip_identity.socket_address_geo.ip": { "type": "ip" },
"zeek_cip_identity.socket_address_geo.latitude": { "type": "float" },
"zeek_cip_identity.socket_address_geo.location": { "type": "geo_point" },
"zeek_cip_identity.socket_address_geo.longitude": { "type": "float" },
"zeek_cip_identity.socket_address_geo.postal_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.region_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.region_name": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.timezone": { "type": "keyword" },
"zeek_cip_identity.socket_port": { "type": "integer" },
"zeek_cip_identity.vendor_id": { "type": "integer" },
"zeek_cip_identity.vendor_name": { "type": "keyword" },
"zeek_cip_identity.device_type_id": { "type": "integer" },
"zeek_cip_identity.device_type_name": { "type": "keyword" },
"zeek_cip_identity.product_code": { "type": "integer" },
"zeek_cip_identity.revision": { "type": "keyword" },
"zeek_cip_identity.device_status": { "type": "keyword" },
"zeek_cip_identity.serial_number": { "type": "keyword" },
"zeek_cip_identity.product_name": { "type": "keyword" },
"zeek_cip_identity.device_state": { "type": "keyword" },
"zeek_cip_io.connection_id": { "type": "keyword" },
"zeek_cip_io.sequence_number": { "type": "integer" },
"zeek_cip_io.data_length": { "type": "integer" },
"zeek_cip_io.io_data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_conn.conn_state": { "type": "keyword" },
"zeek_conn.conn_state_description": { "type": "keyword" },
"zeek_conn.duration": { "type": "float" },
"zeek_conn.history": { "type": "keyword" },
"zeek_conn.inner_vlan": { "type": "integer" },
"zeek_conn.local_orig": { "type": "keyword" },
"zeek_conn.local_resp": { "type": "keyword" },
"zeek_conn.missed_bytes": { "type": "long" },
"zeek_conn.orig_bytes": { "type": "long" },
"zeek_conn.orig_ip_bytes": { "type": "long" },
"zeek_conn.orig_pkts": { "type": "integer" },
"zeek_conn.resp_bytes": { "type": "long" },
"zeek_conn.resp_ip_bytes": { "type": "long" },
"zeek_conn.resp_pkts": { "type": "integer" },
"zeek_conn.tunnel_parents": { "type": "keyword" },
"zeek_conn.vlan": { "type": "integer" },
"zeek_dce_rpc.endpoint": { "type": "keyword" },
"zeek_dce_rpc.named_pipe": { "type": "keyword" },
"zeek_dce_rpc.operation": { "type": "keyword" },
"zeek_dce_rpc.rtt": { "type": "float" },
"zeek_dhcp.assigned_ip": { "type": "ip" },
"zeek_dhcp.client_fqdn": { "type": "keyword" },
"zeek_dhcp.client_message": { "type": "keyword" },
"zeek_dhcp.client_software": { "type": "keyword" },
"zeek_dhcp.domain": { "type": "keyword" },
"zeek_dhcp.duration": { "type": "float" },
"zeek_dhcp.host_name": { "type": "keyword" },
"zeek_dhcp.lease_time": { "type": "float" },
"zeek_dhcp.mac": { "type": "keyword" },
"zeek_dhcp.msg_types": { "type": "keyword" },
"zeek_dhcp.requested_ip": { "type": "ip" },
"zeek_dhcp.server_message": { "type": "keyword" },
"zeek_dhcp.server_software": { "type": "keyword" },
"zeek_dhcp.trans_id": { "type": "keyword" },
"zeek_dnp3.fc_reply": { "type": "keyword" },
"zeek_dnp3.fc_request": { "type": "keyword" },
"zeek_dnp3.iin": { "type": "keyword" },
"zeek_dnp3.iin_flags": { "type": "keyword" },
"zeek_dnp3_control.block_type": { "type": "keyword" },
"zeek_dnp3_control.function_code": { "type": "keyword" },
"zeek_dnp3_control.index_number": { "type": "integer" },
"zeek_dnp3_control.trip_control_code": { "type": "keyword" },
"zeek_dnp3_control.operation_type": { "type": "keyword" },
"zeek_dnp3_control.execute_count": { "type": "integer" },
"zeek_dnp3_control.on_time": { "type": "integer" },
"zeek_dnp3_control.off_time": { "type": "integer" },
"zeek_dnp3_control.status_code": { "type": "keyword" },
"zeek_dnp3_objects.function_code": { "type": "keyword" },
"zeek_dnp3_objects.object_type": { "type": "keyword" },
"zeek_dnp3_objects.object_count": { "type": "integer" },
"zeek_dnp3_objects.range_low": { "type": "integer" },
"zeek_dnp3_objects.range_high": { "type": "integer" },
"zeek_dns.AA": { "type": "keyword" },
"zeek_dns.answers": { "type": "keyword" },
"zeek_dns.qclass": { "type": "keyword" },
"zeek_dns.qclass_name": { "type": "keyword" },
"zeek_dns.qtype": { "type": "keyword" },
"zeek_dns.qtype_name": { "type": "keyword" },
"zeek_dns.query": { "type": "keyword" },
"zeek_dns.RA": { "type": "keyword" },
"zeek_dns.rcode": { "type": "short" },
"zeek_dns.rcode_name": { "type": "keyword" },
"zeek_dns.RD": { "type": "keyword" },
"zeek_dns.rejected": { "type": "keyword" },
"zeek_dns.rtt": { "type": "float" },
"zeek_dns.TC": { "type": "keyword" },
"zeek_dns.trans_id": { "type": "keyword" },
"zeek_dns.TTLs": { "type": "float" },
"zeek_dns.Z": { "type": "keyword" },
"zeek_dpd.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_dpd.service": { "type": "keyword" },
"zeek_ecat_aoe_info.command": { "type": "keyword" },
"zeek_ecat_aoe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_aoe_info.orig_port": { "type": "keyword" },
"zeek_ecat_aoe_info.resp_port": { "type": "keyword" },
"zeek_ecat_aoe_info.state": { "type": "keyword" },
"zeek_ecat_arp_info.arp_type": { "type": "keyword" },
"zeek_ecat_arp_info.orig_hw_addr": { "type": "keyword" },
"zeek_ecat_arp_info.orig_proto_addr": { "type": "keyword" },
"zeek_ecat_arp_info.resp_hw_addr": { "type": "keyword" },
"zeek_ecat_arp_info.resp_proto_addr": { "type": "keyword" },
"zeek_ecat_coe_info.dataoffset": { "type": "keyword" },
"zeek_ecat_coe_info.index": { "type": "keyword" },
"zeek_ecat_coe_info.number": { "type": "keyword" },
"zeek_ecat_coe_info.req_resp": { "type": "keyword" },
"zeek_ecat_coe_info.subindex": { "type": "keyword" },
"zeek_ecat_coe_info.type": { "type": "keyword" },
"zeek_ecat_dev_info.build": { "type": "keyword" },
"zeek_ecat_dev_info.dev_type": { "type": "keyword" },
"zeek_ecat_dev_info.dpram": { "type": "keyword" },
"zeek_ecat_dev_info.features": { "type": "keyword" },
"zeek_ecat_dev_info.fmmucnt": { "type": "keyword" },
"zeek_ecat_dev_info.ports": { "type": "keyword" },
"zeek_ecat_dev_info.revision": { "type": "keyword" },
"zeek_ecat_dev_info.slave_id": { "type": "keyword" },
"zeek_ecat_dev_info.smcount": { "type": "keyword" },
"zeek_ecat_foe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_foe_info.error_code": { "type": "keyword" },
"zeek_ecat_foe_info.filename": { "type": "keyword" },
"zeek_ecat_foe_info.opcode": { "type": "keyword" },
"zeek_ecat_foe_info.packet_num": { "type": "keyword" },
"zeek_ecat_foe_info.reserved": { "type": "keyword" },
"zeek_ecat_log_address.command": { "type": "keyword" },
"zeek_ecat_log_address.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_log_address.length": { "type": "integer" },
"zeek_ecat_log_address.log_addr": { "type": "keyword" },
"zeek_ecat_registers.command": { "type": "keyword" },
"zeek_ecat_registers.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_registers.register_addr": { "type": "keyword" },
"zeek_ecat_registers.register_type": { "type": "keyword" },
"zeek_ecat_registers.slave_addr": { "type": "keyword" },
"zeek_ecat_soe_info.drive_num": { "type": "keyword" },
"zeek_ecat_soe_info.element": { "type": "keyword" },
"zeek_ecat_soe_info.error": { "type": "keyword" },
"zeek_ecat_soe_info.incomplete": { "type": "keyword" },
"zeek_ecat_soe_info.index": { "type": "keyword" },
"zeek_ecat_soe_info.opcode": { "type": "keyword" },
"zeek_enip.enip_command": { "type": "keyword" },
"zeek_enip.length": { "type": "integer" },
"zeek_enip.session_handle": { "type": "keyword" },
"zeek_enip.enip_status": { "type": "keyword" },
"zeek_enip.sender_context": { "type": "keyword" },
"zeek_enip.options": { "type": "keyword" },
"zeek_files.analyzers": { "type": "keyword" },
"zeek_files.conn_uids": { "type": "keyword" },
"zeek_files.depth": { "type": "integer" },
"zeek_files.duration": { "type": "float" },
"zeek_files.extracted": { "type": "keyword" },
"zeek_files.extracted_cutoff": { "type": "keyword" },
"zeek_files.extracted_size": { "type": "integer" },
"zeek_files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_files.is_orig": { "type": "keyword" },
"zeek_files.local_orig": { "type": "keyword" },
"zeek_files.md5": { "type": "keyword" },
"zeek_files.mime_type": { "type": "keyword" },
"zeek_files.missing_bytes": { "type": "long" },
"zeek_files.overflow_bytes": { "type": "long" },
"zeek_files.parent_fuid": { "type": "keyword" },
"zeek_files.rx_hosts": { "type": "ip" },
"zeek_files.seen_bytes": { "type": "long" },
"zeek_files.sha1": { "type": "keyword" },
"zeek_files.sha256": { "type": "keyword" },
"zeek_files.source": { "type": "keyword" },
"zeek_files.timedout": { "type": "keyword" },
"zeek_files.total_bytes": { "type": "long" },
"zeek_files.tx_hosts": { "type": "ip" },
"zeek_ftp.arg": { "type": "keyword" },
"zeek_ftp.command": { "type": "keyword" },
"zeek_ftp.data_channel_orig_h": { "type": "ip" },
"zeek_ftp.data_channel_passive": { "type": "keyword" },
"zeek_ftp.data_channel_resp_h": { "type": "ip" },
"zeek_ftp.data_channel_resp_p": { "type": "integer" },
"zeek_ftp.file_size": { "type": "long" },
"zeek_ftp.mime_type": { "type": "keyword" },
"zeek_ftp.reply_code": { "type": "short" },
"zeek_ftp.reply_msg": { "type": "keyword" },
"zeek_gquic.cyu": { "type": "keyword" },
"zeek_gquic.cyutags": { "type": "keyword" },
"zeek_gquic.server_name": { "type": "keyword" },
"zeek_gquic.tag_count": { "type": "integer" },
"zeek_gquic.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_gquic.version": { "type": "keyword" },
"zeek_http.host": { "type": "keyword" },
"zeek_http.info_code": { "type": "short" },
"zeek_http.info_msg": { "type": "keyword" },
"zeek_http.method": { "type": "keyword" },
"zeek_http.orig_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_http.orig_fuids": { "type": "keyword" },
"zeek_http.orig_mime_types": { "type": "keyword" },
"zeek_http.origin": { "type": "keyword" },
"zeek_http.post_password_plain": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.post_username": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.proxied": { "type": "keyword" },
"zeek_http.referrer": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_http.request_body_len": { "type": "long" },
"zeek_http.resp_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_http.resp_fuids": { "type": "keyword" },
"zeek_http.resp_mime_types": { "type": "keyword" },
"zeek_http.response_body_len": { "type": "long" },
"zeek_http.status_code": { "type": "short" },
"zeek_http.status_msg": { "type": "keyword", "ignore_above": 1024 },
"zeek_http.tags": { "type": "keyword" },
"zeek_http.trans_depth": { "type": "integer" },
"zeek_http.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_http.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.version": { "type": "keyword" },
"zeek_intel.file_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_intel.file_mime_type": { "type": "keyword" },
"zeek_intel.indicator": { "type": "keyword" },
"zeek_intel.indicator_type": { "type": "keyword" },
"zeek_intel.matched": { "type": "keyword" },
"zeek_intel.seen_node": { "type": "keyword" },
"zeek_intel.seen_where": { "type": "keyword" },
"zeek_intel.sources": { "type": "keyword" },
"zeek_ipsec.is_orig": { "type": "keyword" },
"zeek_ipsec.initiator_spi": { "type": "keyword" },
"zeek_ipsec.responder_spi": { "type": "keyword" },
"zeek_ipsec.maj_ver": { "type": "integer" },
"zeek_ipsec.min_ver": { "type": "integer" },
"zeek_ipsec.exchange_type": { "type": "integer" },
"zeek_ipsec.flag_e": { "type": "keyword" },
"zeek_ipsec.flag_c": { "type": "keyword" },
"zeek_ipsec.flag_a": { "type": "keyword" },
"zeek_ipsec.flag_i": { "type": "keyword" },
"zeek_ipsec.flag_v": { "type": "keyword" },
"zeek_ipsec.flag_r": { "type": "keyword" },
"zeek_ipsec.flags": { "type": "keyword" },
"zeek_ipsec.message_id": { "type": "keyword" },
"zeek_ipsec.vendor_ids": { "type": "keyword" },
"zeek_ipsec.notify_messages": { "type": "keyword" },
"zeek_ipsec.transforms": { "type": "keyword" },
"zeek_ipsec.ke_dh_groups": { "type": "integer" },
"zeek_ipsec.proposals": { "type": "integer" },
"zeek_ipsec.certificates": { "type": "keyword" },
"zeek_ipsec.transform_attributes": { "type": "keyword" },
"zeek_ipsec.length": { "type": "integer" },
"zeek_ipsec.hash": { "type": "keyword" },
"zeek_irc.addl": { "type": "keyword" },
"zeek_irc.command": { "type": "keyword" },
"zeek_irc.dcc_file_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_irc.dcc_file_size": { "type": "long" },
"zeek_irc.dcc_mime_type": { "type": "keyword" },
"zeek_irc.nick": { "type": "keyword" },
"zeek_irc.value": { "type": "keyword" },
"zeek_iso_cotp.pdu_type": { "type": "keyword" },
"zeek_kerberos.cipher": { "type": "keyword" },
"zeek_kerberos.client_cert_fuid": { "type": "keyword" },
"zeek_kerberos.client_cert_subject": { "type": "keyword" },
"zeek_kerberos.cname": { "type": "keyword" },
"zeek_kerberos.error_msg": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_kerberos.forwardable": { "type": "keyword" },
"zeek_kerberos.from": { "type": "date" },
"zeek_kerberos.renewable": { "type": "keyword" },
"zeek_kerberos.request_type": { "type": "keyword" },
"zeek_kerberos.server_cert_fuid": { "type": "keyword" },
"zeek_kerberos.server_cert_subject": { "type": "keyword" },
"zeek_kerberos.sname": { "type": "keyword" },
"zeek_kerberos.success": { "type": "keyword" },
"zeek_kerberos.till": { "type": "date" },
"zeek_known_certs.issuer_subject": { "type": "keyword" },
"zeek_known_certs.serial": { "type": "keyword" },
"zeek_known_certs.subject": { "type": "keyword" },
"zeek_known_modbus.device_type": { "type": "keyword" },
"zeek_ldap.message_id": { "type": "keyword" },
"zeek_ldap.version": { "type": "integer" },
"zeek_ldap.operation": { "type": "keyword" },
"zeek_ldap.result_code": { "type": "keyword" },
"zeek_ldap.result_message": { "type": "keyword" },
"zeek_ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap_search.message_id": { "type": "keyword" },
"zeek_ldap_search.scope": { "type": "keyword" },
"zeek_ldap_search.deref": { "type": "keyword" },
"zeek_ldap_search.base_object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap_search.result_count": { "type": "integer" },
"zeek_ldap_search.result_code": { "type": "keyword" },
"zeek_ldap_search.result_message": { "type": "keyword" },
"zeek_login.client_user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_login.confused": { "type": "keyword" },
"zeek_login.success": { "type": "keyword" },
"zeek_modbus.exception": { "type": "keyword" },
"zeek_modbus.func": { "type": "keyword" },
"zeek_modbus_detailed.unit_id": { "type": "integer" },
"zeek_modbus_detailed.func": { "type": "keyword" },
"zeek_modbus_detailed.network_direction": { "type": "keyword" },
"zeek_modbus_detailed.address": { "type": "integer" },
"zeek_modbus_detailed.quantity": { "type": "integer" },
"zeek_modbus_detailed.values": { "type": "keyword" },
"zeek_modbus_mask_write_register.unit_id": { "type": "integer" },
"zeek_modbus_mask_write_register.func": { "type": "keyword" },
"zeek_modbus_mask_write_register.network_direction": { "type": "keyword" },
"zeek_modbus_mask_write_register.address": { "type": "integer" },
"zeek_modbus_mask_write_register.and_mask": { "type": "integer" },
"zeek_modbus_mask_write_register.or_mask": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.unit_id": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.func": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.network_direction": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.write_start_address": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.write_registers": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.read_start_address": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.read_quantity": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.read_registers": { "type": "keyword" },
"zeek_modbus_register_change.delta": { "type": "float" },
"zeek_modbus_register_change.new_val": { "type": "integer" },
"zeek_modbus_register_change.old_val": { "type": "integer" },
"zeek_modbus_register_change.register": { "type": "integer" },
"zeek_mqtt_connect.client_id": { "type": "keyword" },
"zeek_mqtt_connect.connect_status": { "type": "keyword" },
"zeek_mqtt_connect.proto_name": { "type": "keyword" },
"zeek_mqtt_connect.proto_version": { "type": "keyword" },
"zeek_mqtt_connect.will_payload": { "type": "keyword" },
"zeek_mqtt_connect.will_topic": { "type": "keyword" },
"zeek_mqtt_publish.from_client": { "type": "keyword" },
"zeek_mqtt_publish.payload": { "type": "keyword" },
"zeek_mqtt_publish.payload_len": { "type": "integer" },
"zeek_mqtt_publish.qos": { "type": "keyword" },
"zeek_mqtt_publish.retain": { "type": "keyword" },
"zeek_mqtt_publish.status": { "type": "keyword" },
"zeek_mqtt_publish.topic": { "type": "keyword" },
"zeek_mqtt_subscribe.ack": { "type": "keyword" },
"zeek_mqtt_subscribe.action": { "type": "keyword" },
"zeek_mqtt_subscribe.granted_qos_level": { "type": "integer" },
"zeek_mqtt_subscribe.qos_levels": { "type": "integer" },
"zeek_mqtt_subscribe.topics": { "type": "keyword" },
"zeek_mysql.arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_mysql.cmd": { "type": "keyword" },
"zeek_mysql.response": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_mysql.rows": { "type": "integer" },
"zeek_mysql.success": { "type": "keyword" },
"zeek_noise.msg_type": { "type": "keyword" },
"zeek_noise.sender": { "type": "keyword" },
"zeek_noise.receiver": { "type": "keyword" },
"zeek_noise.unenc_ephemeral": { "type": "keyword" },
"zeek_noise.enc_static": { "type": "keyword" },
"zeek_noise.enc_timestamp": { "type": "keyword" },
"zeek_noise.enc_nothing": { "type": "keyword" },
"zeek_noise.nonce": { "type": "keyword" },
"zeek_noise.enc_cookie": { "type": "keyword" },
"zeek_noise.mac1": { "type": "keyword" },
"zeek_noise.mac2": { "type": "keyword" },
"zeek_noise.enc_payload_len": { "type": "integer" },
"zeek_noise.enc_payload": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.actions": { "type": "keyword" },
"zeek_notice.category": { "type": "keyword" },
"zeek_notice.dropped": { "type": "keyword" },
"zeek_notice.dst": { "type": "ip" },
"zeek_notice.file_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.file_mime_type": { "type": "keyword" },
"zeek_notice.msg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_notice.n": { "type": "integer" },
"zeek_notice.note": { "type": "keyword" },
"zeek_notice.p": { "type": "integer" },
"zeek_notice.peer_descr": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_notice.remote_location_country_code": { "type": "keyword" },
"zeek_notice.remote_location_latitude": { "type": "float" },
"zeek_notice.remote_location_longitude": { "type": "float" },
"zeek_notice.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_notice.src": { "type": "ip" },
"zeek_notice.sub": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_notice.sub_category": { "type": "keyword" },
"zeek_notice.suppress_for": { "type": "float" },
"zeek_ntlm.domain": { "type": "keyword" },
"zeek_ntlm.host": { "type": "keyword" },
"zeek_ntlm.server_dns_computer": { "type": "keyword" },
"zeek_ntlm.server_nb_computer": { "type": "keyword" },
"zeek_ntlm.server_tree": { "type": "keyword" },
"zeek_ntlm.status": { "type": "keyword" },
"zeek_ntlm.success": { "type": "keyword" },
"zeek_ntp.mode": { "type": "keyword" },
"zeek_ntp.mode_str": { "type": "keyword" },
"zeek_ntp.num_exts": { "type": "integer" },
"zeek_ntp.org_time": { "type": "date" },
"zeek_ntp.poll": { "type": "float" },
"zeek_ntp.precision": { "type": "float" },
"zeek_ntp.rec_time": { "type": "date" },
"zeek_ntp.ref_id": { "type": "keyword" },
"zeek_ntp.ref_time": { "type": "date" },
"zeek_ntp.root_delay": { "type": "float" },
"zeek_ntp.root_disp": { "type": "float" },
"zeek_ntp.stratum": { "type": "keyword" },
"zeek_ntp.version": { "type": "integer" },
"zeek_ntp.xmt_time": { "type": "date" },
"zeek_pe.compile_ts": { "type": "date" },
"zeek_pe.has_cert_table": { "type": "keyword" },
"zeek_pe.has_debug_data": { "type": "keyword" },
"zeek_pe.has_export_table": { "type": "keyword" },
"zeek_pe.has_import_table": { "type": "keyword" },
"zeek_pe.is_64bit": { "type": "keyword" },
"zeek_pe.is_exe": { "type": "keyword" },
"zeek_pe.machine": { "type": "keyword" },
"zeek_pe.os": { "type": "keyword" },
"zeek_pe.section_names": { "type": "keyword" },
"zeek_pe.subsystem": { "type": "keyword" },
"zeek_pe.uses_aslr": { "type": "keyword" },
"zeek_pe.uses_code_integrity": { "type": "keyword" },
"zeek_pe.uses_dep": { "type": "keyword" },
"zeek_pe.uses_seh": { "type": "keyword" },
"zeek_profinet.block_version": { "type": "keyword" },
"zeek_profinet.index": { "type": "keyword" },
"zeek_profinet.operation_type": { "type": "keyword" },
"zeek_profinet.slot_number": { "type": "integer" },
"zeek_profinet.subslot_number": { "type": "integer" },
"zeek_profinet_dce_rpc.activity_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.interface_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.object_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.operation": { "type": "keyword" },
"zeek_profinet_dce_rpc.packet_type": { "type": "keyword" },
"zeek_profinet_dce_rpc.server_boot_time": { "type": "integer" },
"zeek_profinet_dce_rpc.version": { "type": "integer" },
"zeek_radius.connect_info": { "type": "keyword" },
"zeek_radius.framed_addr": { "type": "ip" },
"zeek_radius.mac": { "type": "keyword" },
"zeek_radius.reply_msg": { "type": "keyword" },
"zeek_radius.result": { "type": "keyword" },
"zeek_radius.ttl": { "type": "float" },
"zeek_radius.tunnel_client": { "type": "keyword" },
"zeek_rdp.cert_count": { "type": "integer" },
"zeek_rdp.cert_permanent": { "type": "keyword" },
"zeek_rdp.cert_type": { "type": "keyword" },
"zeek_rdp.client_build": { "type": "keyword" },
"zeek_rdp.client_channels": { "type": "keyword" },
"zeek_rdp.client_dig_product_id": { "type": "keyword" },
"zeek_rdp.client_name": { "type": "keyword" },
"zeek_rdp.cookie": { "type": "keyword" },
"zeek_rdp.desktop_height": { "type": "integer" },
"zeek_rdp.desktop_width": { "type": "integer" },
"zeek_rdp.encryption_level": { "type": "keyword" },
"zeek_rdp.encryption_method": { "type": "keyword" },
"zeek_rdp.keyboard_layout": { "type": "keyword" },
"zeek_rdp.requested_color_depth": { "type": "keyword" },
"zeek_rdp.result": { "type": "keyword" },
"zeek_rdp.security_protocol": { "type": "keyword" },
"zeek_rfb.auth": { "type": "keyword" },
"zeek_rfb.authentication_method": { "type": "keyword" },
"zeek_rfb.client_major_version": { "type": "keyword" },
"zeek_rfb.client_minor_version": { "type": "keyword" },
"zeek_rfb.desktop_name": { "type": "keyword" },
"zeek_rfb.height": { "type": "integer" },
"zeek_rfb.server_major_version": { "type": "keyword" },
"zeek_rfb.server_minor_version": { "type": "keyword" },
"zeek_rfb.share_flag": { "type": "keyword" },
"zeek_rfb.width": { "type": "integer" },
"zeek_s7comm.data_info": { "type": "keyword" },
"zeek_s7comm.item_count": { "type": "integer" },
"zeek_s7comm.parameter": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_s7comm.parameters.class": { "type": "keyword" },
"zeek_s7comm.parameters.code": { "type": "keyword" },
"zeek_s7comm.parameters.group": { "type": "keyword" },
"zeek_s7comm.parameters.mode": { "type": "keyword" },
"zeek_s7comm.parameters.sub": { "type": "keyword" },
"zeek_s7comm.parameters.type": { "type": "keyword" },
"zeek_s7comm.rosctr": { "type": "keyword" },
"zeek_signatures.engine": { "type": "keyword" },
"zeek_signatures.event_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_signatures.hits": { "type": "nested" },
"zeek_signatures.host_count": { "type": "integer" },
"zeek_signatures.note": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_signatures.signature_count": { "type": "integer" },
"zeek_signatures.signature_id": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_signatures.sub_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_sip.call_id": { "type": "keyword" },
"zeek_sip.content_type": { "type": "keyword" },
"zeek_sip.date": { "type": "keyword" },
"zeek_sip.method": { "type": "keyword" },
"zeek_sip.reply_to": { "type": "keyword" },
"zeek_sip.request_body_len": { "type": "integer" },
"zeek_sip.request_from": { "type": "keyword" },
"zeek_sip.request_path": { "type": "keyword" },
"zeek_sip.request_to": { "type": "keyword" },
"zeek_sip.response_body_len": { "type": "integer" },
"zeek_sip.response_from": { "type": "keyword" },
"zeek_sip.response_path": { "type": "keyword" },
"zeek_sip.response_to": { "type": "keyword" },
"zeek_sip.seq": { "type": "keyword" },
"zeek_sip.status_code": { "type": "short" },
"zeek_sip.status_msg": { "type": "keyword" },
"zeek_sip.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_sip.trans_depth": { "type": "integer" },
"zeek_sip.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_sip.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_sip.version": { "type": "keyword" },
"zeek_sip.warning": { "type": "keyword" },
"zeek_smb_cmd.argument": { "type": "keyword" },
"zeek_smb_cmd.command": { "type": "keyword" },
"zeek_smb_cmd.rtt": { "type": "float" },
"zeek_smb_cmd.status": { "type": "keyword" },
"zeek_smb_cmd.sub_command": { "type": "keyword" },
"zeek_smb_cmd.tree": { "type": "keyword" },
"zeek_smb_cmd.tree_service": { "type": "keyword" },
"zeek_smb_cmd.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_smb_cmd.version": { "type": "keyword" },
"zeek_smb_files.action": { "type": "keyword" },
"zeek_smb_files.data_len_req": { "type": "long" },
"zeek_smb_files.data_len_rsp": { "type": "long" },
"zeek_smb_files.data_offset_req": { "type": "long" },
"zeek_smb_files.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.prev_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.size": { "type": "long" },
"zeek_smb_files.times_accessed": { "type": "date" },
"zeek_smb_files.times_changed": { "type": "date" },
"zeek_smb_files.times_created": { "type": "date" },
"zeek_smb_files.times_modified": { "type": "date" },
"zeek_smb_files.ts": { "type": "date" },
"zeek_smb_mapping.native_file_system": { "type": "keyword" },
"zeek_smb_mapping.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_mapping.resource_type": { "type": "keyword" },
"zeek_smb_mapping.share_type": { "type": "keyword" },
"zeek_smtp.cc": { "type": "keyword" },
"zeek_smtp.date": { "type": "keyword" },
"zeek_smtp.first_received": { "type": "keyword" },
"zeek_smtp.from": { "type": "keyword" },
"zeek_smtp.helo": { "type": "keyword" },
"zeek_smtp.in_reply_to": { "type": "keyword" },
"zeek_smtp.is_webmail": { "type": "keyword" },
"zeek_smtp.last_reply": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smtp.last_reply_code": { "type": "keyword" },
"zeek_smtp.last_reply_msg": { "type": "keyword" },
"zeek_smtp.mailfrom": { "type": "keyword" },
"zeek_smtp.msg_id": { "type": "keyword" },
"zeek_smtp.path": { "type": "ip" },
"zeek_smtp.rcptto": { "type": "keyword" },
"zeek_smtp.reply_to": { "type": "keyword" },
"zeek_smtp.second_received": { "type": "keyword" },
"zeek_smtp.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smtp.tls": { "type": "keyword" },
"zeek_smtp.to": { "type": "keyword" },
"zeek_smtp.trans_depth": { "type": "integer" },
"zeek_smtp.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_smtp.x_originating_ip": { "type": "ip" },
"zeek_snmp.community": { "type": "keyword" },
"zeek_snmp.display_string": { "type": "keyword" },
"zeek_snmp.duration": { "type": "float" },
"zeek_snmp.get_bulk_requests": { "type": "integer" },
"zeek_snmp.get_requests": { "type": "integer" },
"zeek_snmp.get_responses": { "type": "integer" },
"zeek_snmp.set_requests": { "type": "integer" },
"zeek_snmp.up_since": { "type": "date" },
"zeek_snmp.version": { "type": "keyword" },
"zeek_socks.bound_host": { "type": "ip" },
"zeek_socks.bound_name": { "type": "keyword" },
"zeek_socks.bound_port": { "type": "integer" },
"zeek_socks.request_host": { "type": "ip" },
"zeek_socks.request_name": { "type": "keyword" },
"zeek_socks.request_port": { "type": "integer" },
"zeek_socks.server_status": { "type": "keyword" },
"zeek_socks.version": { "type": "integer" },
"zeek_software.name": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_software.software_type": { "type": "keyword" },
"zeek_software.unparsed_version": { "type": "keyword", "ignore_above": 1024 },
"zeek_software.version_addl": { "type": "keyword", "ignore_above": 1024 },
"zeek_software.version_major": { "type": "integer" },
"zeek_software.version_minor": { "type": "integer" },
"zeek_software.version_minor2": { "type": "integer" },
"zeek_software.version_minor3": { "type": "integer" },
"zeek_ssh.auth_attempts": { "type": "integer" },
"zeek_ssh.auth_success": { "type": "keyword" },
"zeek_ssh.cipher_alg": { "type": "keyword" },
"zeek_ssh.client": { "type": "keyword" },
"zeek_ssh.compression_alg": { "type": "keyword" },
"zeek_ssh.cshka": { "type": "keyword" },
"zeek_ssh.direction": { "type": "keyword" },
"zeek_ssh.hassh": { "type": "keyword" },
"zeek_ssh.hasshAlgorithms": { "type": "keyword" },
"zeek_ssh.hasshServer": { "type": "keyword" },
"zeek_ssh.hasshServerAlgorithms": { "type": "keyword" },
"zeek_ssh.hasshVersion": { "type": "keyword" },
"zeek_ssh.host_key": { "type": "keyword" },
"zeek_ssh.host_key_alg": { "type": "keyword" },
"zeek_ssh.kex_alg": { "type": "keyword" },
"zeek_ssh.mac_alg": { "type": "keyword" },
"zeek_ssh.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ssh.remote_location_country_code": { "type": "keyword" },
"zeek_ssh.remote_location_latitude": { "type": "float" },
"zeek_ssh.remote_location_longitude": { "type": "float" },
"zeek_ssh.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ssh.server": { "type": "keyword" },
"zeek_ssh.sshka": { "type": "keyword" },
"zeek_ssh.version": { "type": "integer" },
"zeek_ssl.cert_chain_fuids": { "type": "keyword" },
"zeek_ssl.cipher": { "type": "keyword" },
"zeek_ssl.client_cert_chain_fuids": { "type": "keyword" },
"zeek_ssl.client_issuer.C": { "type": "keyword" },
"zeek_ssl.client_issuer.CN": { "type": "keyword" },
"zeek_ssl.client_issuer.DC": { "type": "keyword" },
"zeek_ssl.client_issuer.emailAddress": { "type": "keyword" },
"zeek_ssl.client_issuer.GN": { "type": "keyword" },
"zeek_ssl.client_issuer.initials": { "type": "keyword" },
"zeek_ssl.client_issuer.L": { "type": "keyword" },
"zeek_ssl.client_issuer.O": { "type": "keyword" },
"zeek_ssl.client_issuer.OU": { "type": "keyword" },
"zeek_ssl.client_issuer.pseudonym": { "type": "keyword" },
"zeek_ssl.client_issuer.serialNumber": { "type": "keyword" },
"zeek_ssl.client_issuer.SN": { "type": "keyword" },
"zeek_ssl.client_issuer.ST": { "type": "keyword" },
"zeek_ssl.client_issuer.title": { "type": "keyword" },
"zeek_ssl.client_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.client_subject.C": { "type": "keyword" },
"zeek_ssl.client_subject.CN": { "type": "keyword" },
"zeek_ssl.client_subject.emailAddress": { "type": "keyword" },
"zeek_ssl.client_subject.GN": { "type": "keyword" },
"zeek_ssl.client_subject.initials": { "type": "keyword" },
"zeek_ssl.client_subject.L": { "type": "keyword" },
"zeek_ssl.client_subject.O": { "type": "keyword" },
"zeek_ssl.client_subject.OU": { "type": "keyword" },
"zeek_ssl.client_subject.pseudonym": { "type": "keyword" },
"zeek_ssl.client_subject.serialNumber": { "type": "keyword" },
"zeek_ssl.client_subject.SN": { "type": "keyword" },
"zeek_ssl.client_subject.ST": { "type": "keyword" },
"zeek_ssl.client_subject.title": { "type": "keyword" },
"zeek_ssl.client_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.curve": { "type": "keyword" },
"zeek_ssl.established": { "type": "keyword" },
"zeek_ssl.issuer.C": { "type": "keyword" },
"zeek_ssl.issuer.CN": { "type": "keyword" },
"zeek_ssl.issuer.DC": { "type": "keyword" },
"zeek_ssl.issuer.emailAddress": { "type": "keyword" },
"zeek_ssl.issuer.GN": { "type": "keyword" },
"zeek_ssl.issuer.initials": { "type": "keyword" },
"zeek_ssl.issuer.L": { "type": "keyword" },
"zeek_ssl.issuer.O": { "type": "keyword" },
"zeek_ssl.issuer.OU": { "type": "keyword" },
"zeek_ssl.issuer.pseudonym": { "type": "keyword" },
"zeek_ssl.issuer.serialNumber": { "type": "keyword" },
"zeek_ssl.issuer.SN": { "type": "keyword" },
"zeek_ssl.issuer.ST": { "type": "keyword" },
"zeek_ssl.issuer.title": { "type": "keyword" },
"zeek_ssl.issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.ja3": { "type": "keyword" },
"zeek_ssl.ja3_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.ja3s": { "type": "keyword" },
"zeek_ssl.ja3s_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.last_alert": { "type": "keyword" },
"zeek_ssl.next_protocol": { "type": "keyword" },
"zeek_ssl.resumed": { "type": "keyword" },
"zeek_ssl.server_name": { "type": "keyword" },
"zeek_ssl.ssl_version": { "type": "keyword" },
"zeek_ssl.subject.C": { "type": "keyword" },
"zeek_ssl.subject.CN": { "type": "keyword" },
"zeek_ssl.subject.description": { "type": "keyword" },
"zeek_ssl.subject.emailAddress": { "type": "keyword" },
"zeek_ssl.subject.GN": { "type": "keyword" },
"zeek_ssl.subject.initials": { "type": "keyword" },
"zeek_ssl.subject.L": { "type": "keyword" },
"zeek_ssl.subject.O": { "type": "keyword" },
"zeek_ssl.subject.OU": { "type": "keyword" },
"zeek_ssl.subject.postalCode": { "type": "keyword" },
"zeek_ssl.subject.pseudonym": { "type": "keyword" },
"zeek_ssl.subject.serialNumber": { "type": "keyword" },
"zeek_ssl.subject.SN": { "type": "keyword" },
"zeek_ssl.subject.ST": { "type": "keyword" },
"zeek_ssl.subject.street": { "type": "keyword" },
"zeek_ssl.subject.title": { "type": "keyword" },
"zeek_ssl.subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.validation_status": { "type": "keyword" },
"zeek_syslog.facility": { "type": "keyword" },
"zeek_syslog.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_syslog.severity": { "type": "keyword" },
"zeek_tds.command": { "type": "keyword" },
"zeek_tds_rpc.parameter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_tds_rpc.parameters": { "type": "nested" },
"zeek_tds_rpc.procedure_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_tds_sql_batch.header_type": { "type": "keyword" },
"zeek_tds_sql_batch.query": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_tftp.wrq": { "type": "keyword" },
"zeek_tftp.fname": { "type": "keyword" },
"zeek_tftp.mode": { "type": "keyword" },
"zeek_tftp.uid_data": { "type": "keyword" },
"zeek_tftp.size": { "type": "integer" },
"zeek_tftp.block_sent": { "type": "integer" },
"zeek_tftp.block_acked": { "type": "integer" },
"zeek_tftp.error_code": { "type": "integer" },
"zeek_tftp.error_msg": { "type": "keyword" },
"zeek_tunnel.action": { "type": "keyword" },
"zeek_tunnel.tunnel_type": { "type": "keyword" },
"zeek_weird.addl": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_weird.name": { "type": "keyword" },
"zeek_weird.notice": { "type": "keyword" },
"zeek_weird.peer": { "type": "keyword" },
"zeek_wireguard.established": { "type": "keyword" },
"zeek_wireguard.initiations": { "type": "integer" },
"zeek_wireguard.responses": { "type": "integer" },
"zeek_x509.basic_constraints_ca": { "type": "keyword" },
"zeek_x509.basic_constraints_path_len": { "type": "integer" },
"zeek_x509.certificate_curve": { "type": "keyword" },
"zeek_x509.certificate_exponent": { "type": "keyword" },
"zeek_x509.certificate_issuer.C": { "type": "keyword" },
"zeek_x509.certificate_issuer.CN": { "type": "keyword" },
"zeek_x509.certificate_issuer.DC": { "type": "keyword" },
"zeek_x509.certificate_issuer.emailAddress": { "type": "keyword" },
"zeek_x509.certificate_issuer.GN": { "type": "keyword" },
"zeek_x509.certificate_issuer.initials": { "type": "keyword" },
"zeek_x509.certificate_issuer.L": { "type": "keyword" },
"zeek_x509.certificate_issuer.O": { "type": "keyword" },
"zeek_x509.certificate_issuer.OU": { "type": "keyword" },
"zeek_x509.certificate_issuer.pseudonym": { "type": "keyword" },
"zeek_x509.certificate_issuer.serialNumber": { "type": "keyword" },
"zeek_x509.certificate_issuer.SN": { "type": "keyword" },
"zeek_x509.certificate_issuer.ST": { "type": "keyword" },
"zeek_x509.certificate_issuer.title": { "type": "keyword" },
"zeek_x509.certificate_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_x509.certificate_key_alg": { "type": "keyword" },
"zeek_x509.certificate_key_length": { "type": "integer" },
"zeek_x509.certificate_key_type": { "type": "keyword" },
"zeek_x509.certificate_not_valid_after": { "type": "date" },
"zeek_x509.certificate_not_valid_before": { "type": "date" },
"zeek_x509.certificate_serial": { "type": "keyword" },
"zeek_x509.certificate_sig_alg": { "type": "keyword" },
"zeek_x509.certificate_subject.C": { "type": "keyword" },
"zeek_x509.certificate_subject.CN": { "type": "keyword" },
"zeek_x509.certificate_subject.DC": { "type": "keyword" },
"zeek_x509.certificate_subject.description": { "type": "keyword" },
"zeek_x509.certificate_subject.emailAddress": { "type": "keyword" },
"zeek_x509.certificate_subject.GN": { "type": "keyword" },
"zeek_x509.certificate_subject.initials": { "type": "keyword" },
"zeek_x509.certificate_subject.L": { "type": "keyword" },
"zeek_x509.certificate_subject.O": { "type": "keyword" },
"zeek_x509.certificate_subject.OU": { "type": "keyword" },
"zeek_x509.certificate_subject.postalCode": { "type": "keyword" },
"zeek_x509.certificate_subject.pseudonym": { "type": "keyword" },
"zeek_x509.certificate_subject.serialNumber": { "type": "keyword" },
"zeek_x509.certificate_subject.SN": { "type": "keyword" },
"zeek_x509.certificate_subject.ST": { "type": "keyword" },
"zeek_x509.certificate_subject.street": { "type": "keyword" },
"zeek_x509.certificate_subject.title": { "type": "keyword" },
"zeek_x509.certificate_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_x509.certificate_version": { "type": "integer" },
"zeek_x509.san_dns": { "type": "keyword" },
"zeek_x509.san_email": { "type": "keyword" },
"zeek_x509.san_ip": { "type": "ip" },
"zeek_x509.san_uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }
}
}
}
}