diff --git a/packages/corelight/changelog.yml b/packages/corelight/changelog.yml
index a04275838c6..781ed628f82 100644
--- a/packages/corelight/changelog.yml
+++ b/packages/corelight/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Add AWS VPC Flow dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16912
 - version: "1.0.0"
 changes:
 - description: Release package as GA.
diff --git a/packages/corelight/docs/README.md b/packages/corelight/docs/README.md
index a688f341fbc..42adf1e4274 100644
--- a/packages/corelight/docs/README.md
+++ b/packages/corelight/docs/README.md
@@ -3,6 +3,7 @@
 [Corelight](https://corelight.com/) provides network detection and response (NDR) solutions that enhance visibility, threat detection, and incident response by leveraging open-source technologies like Zeek. Its platform integrates with existing security tools to deliver high-fidelity network data, helping organizations detect and respond to threats more effectively across both on-premises and cloud environments​.
 This integration includes only the Corelight dashboards mentioned below:
+- AWS VPC Flow
 - Connections
 - Corelight Suricata IDS Alert Overview
 - DNS
diff --git a/packages/corelight/img/aws-vpc-flow.png b/packages/corelight/img/aws-vpc-flow.png
new file mode 100644
index 00000000000..dcc83c84222
Binary files /dev/null and b/packages/corelight/img/aws-vpc-flow.png differ
diff --git a/packages/corelight/kibana/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce.json b/packages/corelight/kibana/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce.json
index ddc3a944e3a..7f12545e9ca 100644
--- a/packages/corelight/kibana/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce.json
+++ b/packages/corelight/kibana/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce.json
@@ -1,1505 +1,1638 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": { - "ignoreFilters": false, - "ignoreQuery": false, - "ignoreTimerange": false, - "ignoreValidations": false - }, - "panelsJSON": { - "15c3dcbc-d25f-44e9-a9ad-7b773eaa0a8e": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "observer.hostname", - "id": "15c3dcbc-d25f-44e9-a9ad-7b773eaa0a8e", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false }, - "title": "Corelight Sensor" - }, - "grow": true, - "order": 0, - "type": "optionsListControl", - "width": "medium" - }, - "7d61094e-24f9-42db-8d54-acd2e006aea4": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "vpn.inferences", - "id": "7d61094e-24f9-42db-8d54-acd2e006aea4", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Inference" - }, - "grow": true, - "order": 2, - "type": "optionsListControl", - "width": "medium" - }, - "f4bcd288-056d-4cbf-abb7-7d3c327845af": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "vpn.name", - "id": "f4bcd288-056d-4cbf-abb7-7d3c327845af", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "VPN Type" - }, - "grow": true, - "order": 1, - "type": "optionsListControl", - "width": "medium" - } - }, - "showApplySelections": false - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - 
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "vpn" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "vpn" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "vpn.name", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "key": "vpn.name", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "vpn.name" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "vpn.inferences", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "key": "vpn.inferences", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "vpn.inferences" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - 
"savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "panelsJSON": { + "15c3dcbc-d25f-44e9-a9ad-7b773eaa0a8e": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "observer.hostname", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Corelight Sensor" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "7d61094e-24f9-42db-8d54-acd2e006aea4": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vpn.inferences", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Inference" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "f4bcd288-056d-4cbf-abb7-7d3c327845af": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "vpn.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "VPN Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" } - } }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - 
[Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - **VPN Insights**\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 33, - "i": "e96045e5-3a9a-4736-a40b-093df6963b15", - "w": 11, - "x": 0, - "y": 0 + "showApplySelections": false }, - "panelIndex": "e96045e5-3a9a-4736-a40b-093df6963b15", - "title": "Table of Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-50f85297-0e80-4346-8a62-e12782abfa6b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "50f85297-0e80-4346-8a62-e12782abfa6b": { - "columnOrder": [ - "1c9c1cbe-e591-4fb3-b731-7317af0bcd9b", - "acd0742c-2971-454d-8812-7f37a42102b2" - ], - "columns": { - "1c9c1cbe-e591-4fb3-b731-7317af0bcd9b": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Inferences", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": 
[], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "acd0742c-2971-454d-8812-7f37a42102b2", - "type": "column" + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "vpn.inferences" + "type": "phrase" }, - "acd0742c-2971-454d-8812-7f37a42102b2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "query": { + "match_phrase": { + "event.dataset": "vpn" } - }, - "scale": "ratio", - "sourceField": "___records___" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - 
"specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } } - ] }, - "layerId": "50f85297-0e80-4346-8a62-e12782abfa6b", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["acd0742c-2971-454d-8812-7f37a42102b2"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["1c9c1cbe-e591-4fb3-b731-7317af0bcd9b"], - "truncateLegend": false - } - ], - "shape": "pie" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "241315f2-1624-4910-a79a-4be4628aba8a", - "w": 18, - "x": 11, - "y": 0 - }, - "panelIndex": "241315f2-1624-4910-a79a-4be4628aba8a", - "title": "Inference Type [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d96ea5f4-9da8-4b60-ae32-68b85df0e198", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "d96ea5f4-9da8-4b60-ae32-68b85df0e198": { - "columnOrder": [ - "7e248b47-d2f5-4819-958c-17c562da6ca5", - "b0217379-ed87-48c8-a419-52eaa530fe0c" - ], - "columns": { - "7e248b47-d2f5-4819-958c-17c562da6ca5": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "Source IP", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "b0217379-ed87-48c8-a419-52eaa530fe0c", - 
"type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 20 - }, - "scale": "ordinal", - "sourceField": "source.ip" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.name", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "vpn.name", + "negate": false, + "type": "exists" }, - "b0217379-ed87-48c8-a419-52eaa530fe0c": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "query": { + "exists": { + "field": "vpn.name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "key": "vpn.inferences", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "vpn.inferences" } - }, - "scale": "ratio", - "sourceField": "___records___" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "7e248b47-d2f5-4819-958c-17c562da6ca5" - }, - { - "columnId": "b0217379-ed87-48c8-a419-52eaa530fe0c", - "isMetric": true, - "isTransposed": false - } ], - "layerId": "d96ea5f4-9da8-4b60-ae32-68b85df0e198", - "layerType": "data", - "paging": { - "enabled": true, - "size": 10 + "query": { + "language": "kuery", + "query": "" } - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {} + } }, - "gridData": { - "h": 16, - "i": 
"7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf", - "w": 19, - "x": 29, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf", - "title": "Top VPN Users [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b": { - "columnOrder": [ - "4271c8dc-cd79-4f0b-8a76-899c1188bd77", - "a6abc4f3-33cc-4992-8d29-5933eab02294" - ], - "columns": { - "4271c8dc-cd79-4f0b-8a76-899c1188bd77": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "VPN Name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "a6abc4f3-33cc-4992-8d29-5933eab02294", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "secondaryFields": [], - "size": 5 - }, - "scale": "ordinal", - "sourceField": "vpn.name" - }, - "a6abc4f3-33cc-4992-8d29-5933eab02294": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 + }, + "savedVis": { + "data": { + "aggs": [], + 
"searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - **VPN Insights**\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 33, + "i": 
"e96045e5-3a9a-4736-a40b-093df6963b15", + "w": 11, + "x": 0, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "layerId": "f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["a6abc4f3-33cc-4992-8d29-5933eab02294"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["4271c8dc-cd79-4f0b-8a76-899c1188bd77"], - "truncateLegend": false - } - ], - "shape": "pie" - } + "panelIndex": "e96045e5-3a9a-4736-a40b-093df6963b15", + "title": "Table of Contents", + "type": "visualization" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "7b07885d-b4fc-4651-94d8-2a6373a52adf", - "w": 14, - "x": 11, - "y": 16 - }, - "panelIndex": "7b07885d-b4fc-4651-94d8-2a6373a52adf", - "title": "VPN Type [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-8132d9fd-dd00-4f09-b3ba-525959e7cfab", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "8132d9fd-dd00-4f09-b3ba-525959e7cfab": { - "columnOrder": [ - "de7c24f6-3c28-4fa5-b844-f15aa7713f17", - "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289", - "d45eac3c-83bb-44db-82aa-d1b818948300" - ], - "columns": { - "d45eac3c-83bb-44db-82aa-d1b818948300": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - 
"operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-50f85297-0e80-4346-8a62-e12782abfa6b", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "de7c24f6-3c28-4fa5-b844-f15aa7713f17": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Inferences", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "d45eac3c-83bb-44db-82aa-d1b818948300", - "type": "column" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "50f85297-0e80-4346-8a62-e12782abfa6b": { + "columnOrder": [ + "1c9c1cbe-e591-4fb3-b731-7317af0bcd9b", + "acd0742c-2971-454d-8812-7f37a42102b2" + ], + "columns": { + "1c9c1cbe-e591-4fb3-b731-7317af0bcd9b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Inferences", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "acd0742c-2971-454d-8812-7f37a42102b2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vpn.inferences" + }, + "acd0742c-2971-454d-8812-7f37a42102b2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + 
"incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "vpn.inferences" + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "50f85297-0e80-4346-8a62-e12782abfa6b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "acd0742c-2971-454d-8812-7f37a42102b2" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "1c9c1cbe-e591-4fb3-b731-7317af0bcd9b" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } }, - "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "d" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": ["d45eac3c-83bb-44db-82aa-d1b818948300"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - 
"type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "8132d9fd-dd00-4f09-b3ba-525959e7cfab", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "de7c24f6-3c28-4fa5-b844-f15aa7713f17", - "xAccessor": "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": true + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "241315f2-1624-4910-a79a-4be4628aba8a", + "w": 18, + "x": 11, + "y": 0 }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "241315f2-1624-4910-a79a-4be4628aba8a", + "title": "Inference Type [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "b148063a-1b42-449f-9139-ad00039f9b91", - "w": 23, - "x": 25, - "y": 16 - }, - "panelIndex": "b148063a-1b42-449f-9139-ad00039f9b91", - "title": "Inferences Over Time [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-76c8bb51-4643-45de-9fc9-9377cabfba33", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "76c8bb51-4643-45de-9fc9-9377cabfba33": { - "columnOrder": [ - "9913d28b-150a-44ab-94a5-33ee523661f6", - "223048ab-2c63-4f2f-af7e-5bc78d95e2f0", - "be6d2976-dfba-4b7f-afcd-93cedf11f48f" - ], - "columns": { - "223048ab-2c63-4f2f-af7e-5bc78d95e2f0": { - "customLabel": true, - 
"dataType": "string", - "isBucketed": true, - "label": "ja3s", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "tls.server.ja3s" - }, - "9913d28b-150a-44ab-94a5-33ee523661f6": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "ja3", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d96ea5f4-9da8-4b60-ae32-68b85df0e198", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d96ea5f4-9da8-4b60-ae32-68b85df0e198": { + "columnOrder": [ + "7e248b47-d2f5-4819-958c-17c562da6ca5", + "b0217379-ed87-48c8-a419-52eaa530fe0c" + ], + "columns": { + "7e248b47-d2f5-4819-958c-17c562da6ca5": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b0217379-ed87-48c8-a419-52eaa530fe0c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "b0217379-ed87-48c8-a419-52eaa530fe0c": { + "customLabel": true, + "dataType": "number", 
+ "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10000 - }, - "scale": "ordinal", - "sourceField": "tls.client.ja3" - }, - "be6d2976-dfba-4b7f-afcd-93cedf11f48f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "visualization": { + "columns": [ + { + "columnId": "7e248b47-d2f5-4819-958c-17c562da6ca5" + }, + { + "columnId": "b0217379-ed87-48c8-a419-52eaa530fe0c", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "d96ea5f4-9da8-4b60-ae32-68b85df0e198", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } } - }, - "scale": "ratio", - "sourceField": "___records___" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 16, + "i": "7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf", + "w": 19, + "x": 29, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [], - 
"internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "9913d28b-150a-44ab-94a5-33ee523661f6", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "223048ab-2c63-4f2f-af7e-5bc78d95e2f0", - "isMetric": false, - "isTransposed": false - }, - { - "alignment": "right", - "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", - "isMetric": true, - "isTransposed": false - } - ], - "layerId": "76c8bb51-4643-45de-9fc9-9377cabfba33", - "layerType": "data", - "paging": { - "enabled": true, - "size": 10 - } - } + "panelIndex": "7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf", + "title": "Top VPN Users [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "0eec6295-5a34-4eb4-aba5-946a083dcfb6", - "w": 48, - "x": 0, - "y": 33 - }, - "panelIndex": "0eec6295-5a34-4eb4-aba5-946a083dcfb6", - "title": "VPN JA3 Finger Prints [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-03c121a4-0295-4ca7-aff1-e30f25a83774", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "03c121a4-0295-4ca7-aff1-e30f25a83774": { - "columnOrder": [ - "92fb005e-9912-4c14-982e-33b58ea60683", - "ad9df102-dc72-47a4-9cce-1f87644d5a23", - "77569b39-56e4-486a-b14a-f4e3919c9a67", - "0379a54d-176b-4030-b94e-fc28edfbc210", - "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77", - "5315f0fe-e2cd-44b9-9620-b04920071e11", - "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "f10335fe-dd2f-4f55-8370-4d6d9e1f528a", - "6227800b-4d37-4a36-b0c5-ca65b476bf17", - "89eb8aff-fcaa-472f-add1-f5909cc59579", - "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", - "6227800b-4d37-4a36-b0c5-ca65b476bf17X1", - 
"6227800b-4d37-4a36-b0c5-ca65b476bf17X2" - ], - "columns": { - "0379a54d-176b-4030-b94e-fc28edfbc210": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Protocol", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "network.protocol" - }, - "2fecde63-46b7-4b50-b489-0d15ce4b0e5d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Sum of Source Bytes", - "operationType": "sum", - "params": { - "emptyAsNull": false, - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "source.bytes" - }, - "5315f0fe-e2cd-44b9-9620-b04920071e11": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Destination Country", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b": { + "columnOrder": [ + "4271c8dc-cd79-4f0b-8a76-899c1188bd77", + "a6abc4f3-33cc-4992-8d29-5933eab02294" + ], + "columns": { + "4271c8dc-cd79-4f0b-8a76-899c1188bd77": { + "customLabel": 
true, + "dataType": "string", + "isBucketed": true, + "label": "VPN Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a6abc4f3-33cc-4992-8d29-5933eab02294", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "vpn.name" + }, + "a6abc4f3-33cc-4992-8d29-5933eab02294": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_iso_code" - }, - "6227800b-4d37-4a36-b0c5-ca65b476bf17": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total Bytes", - "operationType": "formula", - "params": { - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "formula": "sum(source.bytes)+sum(resp_bytes)", - "isFormulaBroken": false - }, - "references": [ - "6227800b-4d37-4a36-b0c5-ca65b476bf17X2" - ], - "scale": "ratio" - }, - "6227800b-4d37-4a36-b0c5-ca65b476bf17X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Total Bytes", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "source.bytes" - }, - "6227800b-4d37-4a36-b0c5-ca65b476bf17X1": { - 
"customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Total Bytes", - "operationType": "sum", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "resp_bytes" - }, - "6227800b-4d37-4a36-b0c5-ca65b476bf17X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Total Bytes", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", - "6227800b-4d37-4a36-b0c5-ca65b476bf17X1" - ], - "location": { - "max": 33, - "min": 0 - }, - "name": "add", - "text": "sum(source.bytes)+sum(resp_bytes)", - "type": "function" + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "a6abc4f3-33cc-4992-8d29-5933eab02294" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "4271c8dc-cd79-4f0b-8a76-899c1188bd77" + ], + "truncateLegend": false + } + ], + "shape": "pie" } - }, - "references": [ - "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", - "6227800b-4d37-4a36-b0c5-ca65b476bf17X1" - ], - "scale": "ratio" }, - "77569b39-56e4-486a-b14a-f4e3919c9a67": { - "customLabel": true, - "dataType": "number", - "isBucketed": true, - "label": "Destination Port", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } 
+ }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "7b07885d-b4fc-4651-94d8-2a6373a52adf", + "w": 14, + "x": 11, + "y": 16 + }, + "panelIndex": "7b07885d-b4fc-4651-94d8-2a6373a52adf", + "title": "VPN Type [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8132d9fd-dd00-4f09-b3ba-525959e7cfab", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "8132d9fd-dd00-4f09-b3ba-525959e7cfab": { + "columnOrder": [ + "de7c24f6-3c28-4fa5-b844-f15aa7713f17", + "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289", + "d45eac3c-83bb-44db-82aa-d1b818948300" + ], + "columns": { + "d45eac3c-83bb-44db-82aa-d1b818948300": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "de7c24f6-3c28-4fa5-b844-f15aa7713f17": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Inferences", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d45eac3c-83bb-44db-82aa-d1b818948300", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "vpn.inferences" + }, + "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + 
"dropPartials": false, + "includeEmptyRows": true, + "interval": "d" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "destination.port" + "visualization": { + "layers": [ + { + "accessors": [ + "d45eac3c-83bb-44db-82aa-d1b818948300" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8132d9fd-dd00-4f09-b3ba-525959e7cfab", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "de7c24f6-3c28-4fa5-b844-f15aa7713f17", + "xAccessor": "e597fa64-0a2d-4a12-b5ec-ff5ee2fc4289" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Service", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": 
"kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "b148063a-1b42-449f-9139-ad00039f9b91", + "w": 23, + "x": 25, + "y": 16 + }, + "panelIndex": "b148063a-1b42-449f-9139-ad00039f9b91", + "title": "Inferences Over Time [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-76c8bb51-4643-45de-9fc9-9377cabfba33", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "76c8bb51-4643-45de-9fc9-9377cabfba33": { + "columnOrder": [ + "9913d28b-150a-44ab-94a5-33ee523661f6", + "223048ab-2c63-4f2f-af7e-5bc78d95e2f0", + "be6d2976-dfba-4b7f-afcd-93cedf11f48f" + ], + "columns": { + "223048ab-2c63-4f2f-af7e-5bc78d95e2f0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ja3s", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "tls.server.ja3s" + }, + "9913d28b-150a-44ab-94a5-33ee523661f6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "ja3", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "tls.client.ja3" + }, + 
"be6d2976-dfba-4b7f-afcd-93cedf11f48f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "secondaryFields": [], - "size": 100 - }, - "scale": "ordinal", - "sourceField": "proto" - }, - "89eb8aff-fcaa-472f-add1-f5909cc59579": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Connection", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "visualization": { + "columns": [ + { + "columnId": "9913d28b-150a-44ab-94a5-33ee523661f6", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "223048ab-2c63-4f2f-af7e-5bc78d95e2f0", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "be6d2976-dfba-4b7f-afcd-93cedf11f48f", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "76c8bb51-4643-45de-9fc9-9377cabfba33", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } } - }, - "scale": "ratio", - "sourceField": "___records___" }, - "92fb005e-9912-4c14-982e-33b58ea60683": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "Source IP", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": 
"2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "0eec6295-5a34-4eb4-aba5-946a083dcfb6", + "w": 48, + "x": 0, + "y": 33 + }, + "panelIndex": "0eec6295-5a34-4eb4-aba5-946a083dcfb6", + "title": "VPN JA3 Finger Prints [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-03c121a4-0295-4ca7-aff1-e30f25a83774", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "03c121a4-0295-4ca7-aff1-e30f25a83774": { + "columnOrder": [ + "92fb005e-9912-4c14-982e-33b58ea60683", + "ad9df102-dc72-47a4-9cce-1f87644d5a23", + "77569b39-56e4-486a-b14a-f4e3919c9a67", + "0379a54d-176b-4030-b94e-fc28edfbc210", + "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77", + "5315f0fe-e2cd-44b9-9620-b04920071e11", + "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "f10335fe-dd2f-4f55-8370-4d6d9e1f528a", + "6227800b-4d37-4a36-b0c5-ca65b476bf17", + "89eb8aff-fcaa-472f-add1-f5909cc59579", + "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", + "6227800b-4d37-4a36-b0c5-ca65b476bf17X1", + "6227800b-4d37-4a36-b0c5-ca65b476bf17X2" + ], + "columns": { + "0379a54d-176b-4030-b94e-fc28edfbc210": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Protocol", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + 
"parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "2fecde63-46b7-4b50-b489-0d15ce4b0e5d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Sum of Source Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "source.bytes" + }, + "5315f0fe-e2cd-44b9-9620-b04920071e11": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_iso_code" + }, + "6227800b-4d37-4a36-b0c5-ca65b476bf17": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Bytes", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "sum(source.bytes)+sum(resp_bytes)", + "isFormulaBroken": false + }, + "references": [ + "6227800b-4d37-4a36-b0c5-ca65b476bf17X2" + ], + "scale": "ratio" + }, + "6227800b-4d37-4a36-b0c5-ca65b476bf17X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "source.bytes" + }, + "6227800b-4d37-4a36-b0c5-ca65b476bf17X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + 
"sourceField": "resp_bytes" + }, + "6227800b-4d37-4a36-b0c5-ca65b476bf17X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Bytes", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", + "6227800b-4d37-4a36-b0c5-ca65b476bf17X1" + ], + "location": { + "max": 33, + "min": 0 + }, + "name": "add", + "text": "sum(source.bytes)+sum(resp_bytes)", + "type": "function" + } + }, + "references": [ + "6227800b-4d37-4a36-b0c5-ca65b476bf17X0", + "6227800b-4d37-4a36-b0c5-ca65b476bf17X1" + ], + "scale": "ratio" + }, + "77569b39-56e4-486a-b14a-f4e3919c9a67": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "destination.port" + }, + "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 100 + }, + "scale": "ordinal", + "sourceField": "proto" + }, + "89eb8aff-fcaa-472f-add1-f5909cc59579": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Connection", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + 
"params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "92fb005e-9912-4c14-982e-33b58ea60683": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "ad9df102-dc72-47a4-9cce-1f87644d5a23": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 100 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "f10335fe-dd2f-4f55-8370-4d6d9e1f528a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Sum of Destination Bytes", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "resp_bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "network.protocol: spicy*", + "disabled": false, + "index": 
"fb80dac7-c73c-4d9e-990f-9d9f2a9fd335", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"must\":[{\"wildcard\":{\"network.protocol\":\"spicy*\"}}]}}" + }, + "query": { + "bool": { + "must": [ + { + "wildcard": { + "network.protocol": "spicy*" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "source.ip" + "visualization": { + "columns": [ + { + "columnId": "92fb005e-9912-4c14-982e-33b58ea60683", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "ad9df102-dc72-47a4-9cce-1f87644d5a23", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "77569b39-56e4-486a-b14a-f4e3919c9a67", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "f10335fe-dd2f-4f55-8370-4d6d9e1f528a", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "89eb8aff-fcaa-472f-add1-f5909cc59579", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "0379a54d-176b-4030-b94e-fc28edfbc210", + "isMetric": false, + "isTransposed": false + }, + { + "collapseFn": "", + "columnId": "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "5315f0fe-e2cd-44b9-9620-b04920071e11", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "6227800b-4d37-4a36-b0c5-ca65b476bf17", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "03c121a4-0295-4ca7-aff1-e30f25a83774", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "sorting": { + "columnId": "6227800b-4d37-4a36-b0c5-ca65b476bf17", + "direction": "desc" + } + } }, - "ad9df102-dc72-47a4-9cce-1f87644d5a23": { - "customLabel": true, - "dataType": "ip", - "isBucketed": true, - "label": "Destination IP", - "operationType": "terms", - "params": 
{ - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "type": "column" + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" + "meta": { + "alias": "network.protocol: spicy*", + "disabled": false, + "index": "fb80dac7-c73c-4d9e-990f-9d9f2a9fd335", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"must\":[{\"wildcard\":{\"network.protocol\":\"spicy*\"}}]}}" }, - "size": 100 - }, - "scale": "ordinal", - "sourceField": "destination.ip" - }, - "f10335fe-dd2f-4f55-8370-4d6d9e1f528a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Sum of Destination Bytes", - "operationType": "sum", - "params": { - "emptyAsNull": false, - "format": { - "id": "bytes", - "params": { - "decimals": 2 - } + "query": { + "bool": { + "must": [ + { + "wildcard": { + "network.protocol": "spicy*" + } + } + ] + } } - }, - "scale": "ratio", - "sourceField": "resp_bytes" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 18, + "i": "8600f87d-c2ea-41a2-b50d-e494e96beee3", + "w": 48, + "x": 0, + "y": 51 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "network.protocol: spicy*", - "disabled": false, - "index": "fb80dac7-c73c-4d9e-990f-9d9f2a9fd335", - "key": "query", - "negate": false, - "type": "custom", - "value": 
"{\"bool\":{\"must\":[{\"wildcard\":{\"network.protocol\":\"spicy*\"}}]}}" - }, - "query": { - "bool": { - "must": [ - { - "wildcard": { - "network.protocol": "spicy*" - } + "panelIndex": "8600f87d-c2ea-41a2-b50d-e494e96beee3", + "title": "Largest Transfers Between Host Pairs Over VPN [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] } - ] - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "columns": [ - { - "columnId": "92fb005e-9912-4c14-982e-33b58ea60683", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "ad9df102-dc72-47a4-9cce-1f87644d5a23", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "77569b39-56e4-486a-b14a-f4e3919c9a67", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "2fecde63-46b7-4b50-b489-0d15ce4b0e5d", - "isMetric": true, - "isTransposed": false - }, - { - "columnId": "f10335fe-dd2f-4f55-8370-4d6d9e1f528a", - "isMetric": true, - "isTransposed": false - }, - { - "columnId": "89eb8aff-fcaa-472f-add1-f5909cc59579", - "isMetric": true, - "isTransposed": false - }, - { - "columnId": "0379a54d-176b-4030-b94e-fc28edfbc210", - "isMetric": false, - "isTransposed": false - }, - { - "collapseFn": "", - "columnId": "7a7bb0d6-42e2-41f9-855d-a4bfcca93e77", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "5315f0fe-e2cd-44b9-9620-b04920071e11", - "isMetric": false, - "isTransposed": false - }, - { - "columnId": "6227800b-4d37-4a36-b0c5-ca65b476bf17", - "isMetric": true, - "isTransposed": false - } - ], - "layerId": "03c121a4-0295-4ca7-aff1-e30f25a83774", - "layerType": "data", - "paging": { - "enabled": true, - "size": 10 + }, + "rowsPerPage": 10 }, - "sorting": { - "columnId": "6227800b-4d37-4a36-b0c5-ca65b476bf17", - "direction": "desc" - } - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsDatatable" 
- }, - "enhancements": {} + "gridData": { + "h": 29, + "i": "7c6146fc-0124-4600-ae05-74789072e669", + "w": 48, + "x": 0, + "y": 69 + }, + "panelIndex": "7c6146fc-0124-4600-ae05-74789072e669", + "panelRefName": "panel_7c6146fc-0124-4600-ae05-74789072e669", + "title": "VPN Inference Log Data [Logs Corelight]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Corelight] VPN Insights", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T09:23:33.362Z", + "id": "corelight-023162b6-94da-4d8d-b1f6-de6192356cce", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "type": "index-pattern" + }, + { + "id": "corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef", + "name": "7c6146fc-0124-4600-ae05-74789072e669:panel_7c6146fc-0124-4600-ae05-74789072e669", + "type": "search" }, - "gridData": { - "h": 18, - "i": "8600f87d-c2ea-41a2-b50d-e494e96beee3", - "w": 48, - "x": 0, - "y": 51 + { + "id": "logs-*", + "name": "241315f2-1624-4910-a79a-4be4628aba8a:indexpattern-datasource-layer-50f85297-0e80-4346-8a62-e12782abfa6b", + "type": "index-pattern" }, - "panelIndex": "8600f87d-c2ea-41a2-b50d-e494e96beee3", - "title": "Largest Transfers Between Host Pairs Over VPN [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "description": "", - "enhancements": {}, - "rowsPerPage": 10 + { + "id": "logs-*", + "name": 
"7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf:indexpattern-datasource-layer-d96ea5f4-9da8-4b60-ae32-68b85df0e198", + "type": "index-pattern" }, - "gridData": { - "h": 29, - "i": "7c6146fc-0124-4600-ae05-74789072e669", - "w": 48, - "x": 0, - "y": 69 + { + "id": "logs-*", + "name": "7b07885d-b4fc-4651-94d8-2a6373a52adf:indexpattern-datasource-layer-f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", + "type": "index-pattern" }, - "panelIndex": "7c6146fc-0124-4600-ae05-74789072e669", - "panelRefName": "panel_7c6146fc-0124-4600-ae05-74789072e669", - "title": "VPN Inference Log Data [Logs Corelight]", - "type": "search" - } + { + "id": "logs-*", + "name": "b148063a-1b42-449f-9139-ad00039f9b91:indexpattern-datasource-layer-8132d9fd-dd00-4f09-b3ba-525959e7cfab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0eec6295-5a34-4eb4-aba5-946a083dcfb6:indexpattern-datasource-layer-76c8bb51-4643-45de-9fc9-9377cabfba33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8600f87d-c2ea-41a2-b50d-e494e96beee3:indexpattern-datasource-layer-03c121a4-0295-4ca7-aff1-e30f25a83774", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_15c3dcbc-d25f-44e9-a9ad-7b773eaa0a8e:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_f4bcd288-056d-4cbf-abb7-7d3c327845af:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_7d61094e-24f9-42db-8d54-acd2e006aea4:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Logs Corelight] VPN Insights", - "version": 2 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T10:52:21.642Z", - "id": "corelight-023162b6-94da-4d8d-b1f6-de6192356cce", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "241315f2-1624-4910-a79a-4be4628aba8a:indexpattern-datasource-layer-50f85297-0e80-4346-8a62-e12782abfa6b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7979cfb6-8f48-4a78-8c4d-97ca8b4c78bf:indexpattern-datasource-layer-d96ea5f4-9da8-4b60-ae32-68b85df0e198", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7b07885d-b4fc-4651-94d8-2a6373a52adf:indexpattern-datasource-layer-f6cd6f8e-44cc-4099-a4e1-edc73e3e1f4b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b148063a-1b42-449f-9139-ad00039f9b91:indexpattern-datasource-layer-8132d9fd-dd00-4f09-b3ba-525959e7cfab", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0eec6295-5a34-4eb4-aba5-946a083dcfb6:indexpattern-datasource-layer-76c8bb51-4643-45de-9fc9-9377cabfba33", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"8600f87d-c2ea-41a2-b50d-e494e96beee3:indexpattern-datasource-layer-03c121a4-0295-4ca7-aff1-e30f25a83774", - "type": "index-pattern" - }, - { - "id": "corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef", - "name": "7c6146fc-0124-4600-ae05-74789072e669:panel_7c6146fc-0124-4600-ae05-74789072e669", - "type": "search" - }, - { - "id": "logs-*", - "name": "controlGroup_15c3dcbc-d25f-44e9-a9ad-7b773eaa0a8e:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_f4bcd288-056d-4cbf-abb7-7d3c327845af:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_7d61094e-24f9-42db-8d54-acd2e006aea4:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "10.2.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9.json b/packages/corelight/kibana/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9.json index 96beeed9c68..d73a46b489e 100644 --- a/packages/corelight/kibana/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9.json +++ b/packages/corelight/kibana/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "3d267d03-1066-487a-b6c9-ffdcae1941d2", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -33,7 +32,6 @@ "dataViewId": "logs-*", "existsSelected": false, "fieldName": "file.mime_type", - "id": "aa496d39-ac08-41a0-837b-8fccce345bb9", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
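Review bot: The two hunks here (`@@ -14,7 +14,6 @@` and `@@ -33,7 +32,6 @@`) drop the `"id"` key from the `explicitInput` of the `observer.hostname` and `file.mime_type` options-list controls, which is unrelated to the AWS VPC Flow dashboard this change adds and is not mentioned in the changelog entry. This looks like a by-product of re-exporting the saved object from a newer Kibana rather than an intentional edit; if it is intentional, it should be applied uniformly to the control panels of every dashboard in the package and called out in the description, otherwise the hunks are better dropped so the diff stays scoped to the feature. A reviewer also cannot tell from this chunk whether the panel key is still used to address the control once the inner `id` is gone — worth confirming by loading the dashboard in the supported Kibana version rather than assuming.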
@@ -135,7 +133,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - **Files**\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - **Files**\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -480,7 +478,168 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "b5bdfd46-0352-4308-b594-75f9b1dc0bc9", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "f7619cff-3f07-439b-bb70-086277623759", + "key": "file.mime_type", + "negate": true, + "params": { + "query": "application/pkix-cert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "file.mime_type": "application/pkix-cert" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "4901d4e1-cc78-4ac2-947a-3fb128dd1a81", + "key": 
"observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "60ee415e-28fa-48dc-bdd1-143f8219a014", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -588,10 +747,18 @@ "visualizationType": "lnsDatatable" }, "description": "Executables hidden by filename (Corelight threat hunting use case #7)", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.files*\r\n| WHERE event.dataset == \"files\" AND file.mime_type == \"application/x-dosexec\" AND (NOT file.name RLIKE \".*exe.*\")\r\n| LIMIT 10000\r\n| STATS COUNT() by file.name, file.mime_type \r\n| RENAME file.mime_type AS `Mime Type`, file.name AS Filename, `COUNT()` AS Count\r\n| SORT Count DESC\r\n| LIMIT 15\r\n| KEEP `Mime Type`, Filename, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
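Review bot: The panel-level filters added in this hunk pin `meta.index` to data-view UUIDs (`b5bdfd46-0352-4308-b594-75f9b1dc0bc9`, `f7619cff-3f07-439b-bb70-086277623759`, `4901d4e1-cc78-4ac2-947a-3fb128dd1a81`, `60ee415e-28fa-48dc-bdd1-143f8219a014`) that only exist on the Kibana instance the dashboard was exported from, while the nested source.ip/destination.ip filters in the same hunk and every entry in `references` use `logs-*`. These filters sit inside `panelsJSON`, so they are not rewritten through `references` on install and the ids will likely resolve to no data view, leaving the filter pills flagged as unresolvable even though the query DSL still runs; `"index": "logs-*"`, the form the `-704` hunk of corelight-2d4dc345 already uses, is the portable value. The same instance-specific ids recur in the `-883`, `-1156`, `-1386`, `-1615` and `-1845` hunks of this file and the `-306`, `-488` and `-594` hunks of corelight-2d4dc345, with `9c51268e-…` and `bc08c59e-…` shared between panels, which suggests they were carried over from a development export. The enclosing panel object begins before this hunk.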
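Review bot: The ES|QL query added under `query.esql` runs `| LIMIT 10000` before `| STATS COUNT() by file.name, file.mime_type`, so the top-15 table is aggregated over whichever 10,000 matching rows are returned first, not over the whole selected time range, and both the counts and the set of names shown can differ between refreshes once the dataset exceeds that size. For a threat-hunting panel ("Executables hidden by filename") that means a renamed executable can silently fall outside the sample; dropping the pre-aggregation limit and keeping only the post-STATS one gives stable results: `| STATS Count = COUNT() BY file.name, file.mime_type | SORT Count DESC | LIMIT 15`. `RLIKE ".*exe.*"` is also case-sensitive, so an upper-case `.EXE` name is reported as a hidden executable; `AND NOT TO_LOWER(file.name) RLIKE ".*exe.*"` avoids that false positive. The RDP query in the `-812` hunk of corelight-2d4dc345 (`FROM logs-corelight.various*`) has the same `LIMIT 10000` before `STATS`.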
@@ -883,7 +1050,168 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "7ba3ef82-a999-4eb2-8952-918c66dfe0ac", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "93cb4c07-a68a-4c9c-949d-3a60a06ddd33", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "f99edf26-8f35-4944-a136-386a4e9236d2", + "key": "file.mime_type", + "negate": true, + "params": { + "query": 
"application/pkix-cert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "file.mime_type": "application/pkix-cert" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "f6eb4f73-8cb4-412d-a5a7-5b21981a6811", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1156,7 +1484,127 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "5759ec8b-2424-4fba-be6a-96bc6da0cd90", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "9c51268e-315a-4270-aab0-c370f3461b91", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1386,7 +1834,127 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "05c6758c-1d97-4315-9b6b-e5e298c8b973", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "bc08c59e-cb41-4d2e-8871-eab303e041c5", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1615,7 +2183,127 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "ac7eb31a-de51-470f-9aee-ca8e0814bea8", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "9c51268e-315a-4270-aab0-c370f3461b91", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1845,7 +2533,127 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "79439baa-afe1-4f91-875f-eea279b35006", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.mime_type", + "index": "bc08c59e-cb41-4d2e-8871-eab303e041c5", + "key": "file.mime_type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "file.mime_type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1861,12 +2669,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] Files ", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T09:47:52.997Z", + "created_at": "2026-01-06T09:23:34.387Z", "id": "corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9", - "managed": false, "references": [ { "id": "logs-*", @@ -1917,6 +2724,16 @@ "id": "logs-*", "name": "controlGroup_aa496d39-ac08-41a0-837b-8fccce345bb9:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba.json b/packages/corelight/kibana/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba.json index da0fdec1e64..530eb60f815 100644 --- a/packages/corelight/kibana/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba.json +++ b/packages/corelight/kibana/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "4549862d-38df-42ca-b2f8-a6af9513f195", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -136,7 +135,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - **RDP Inferences Overview**\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - **RDP Inferences Overview**\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -306,7 +305,40 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.inferences", + "index": "38b48857-aa90-41ed-93b7-06b52ae53421", + "key": "rdp.inferences", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "rdp.inferences" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 17, @@ -488,7 +520,40 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.inferences", + "index": "74d33498-ad3c-4061-83e9-97d60b11ae59", + "key": "rdp.inferences", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "rdp.inferences" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 17, 
@@ -594,8 +659,43 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "766034d0-3457-4fe8-b949-3de62b0df69f", + "key": "event.outcome", + "negate": false, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 14, @@ -704,8 +804,43 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": true, + "params": { + "query": "success" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "success" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 14, 
@@ -812,10 +947,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"rdp\" and observer.hostname IS NOT NULL and rdp.cookie IS NOT NULL and event.outcome IS NOT NULL\r\n| LIMIT 10000\r\n| STATS COUNT() by rdp.cookie, event.outcome \r\n| RENAME rdp.cookie as `Connecting User`, event.outcome as `Auth Success`, `COUNT()` as Count \r\n| SORT Count DESC\r\n| LIMIT 20\r\n| KEEP `Connecting User`, `Auth Success`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 14, @@ -958,7 +1101,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 14, @@ -974,7 +1129,11 @@ { "embeddableConfig": { "description": "", - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "rowsPerPage": 10 }, "gridData": { @@ -992,12 +1151,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] RDP Inferences Overview", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T10:09:36.577Z", + "created_at": "2026-01-06T09:23:30.323Z", "id": "corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba", - "managed": false, "references": [ { "id": "logs-*", 
@@ -1014,6 +1172,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern" }, + { + "id": "corelight-039807c4-9ec2-4778-b548-0e08877fb8d2", + "name": "957528ec-d710-45a9-ad1c-fe0ad6e805be:panel_957528ec-d710-45a9-ad1c-fe0ad6e805be", + "type": "search" + }, { "id": "logs-*", "name": "fce0a642-e5ca-4aa5-841a-fa38a93f295f:indexpattern-datasource-layer-5212acf0-6cbf-4a0d-ae00-8289aa08722b", @@ -1045,13 +1208,23 @@ "type": "index-pattern" }, { - "id": "corelight-039807c4-9ec2-4778-b548-0e08877fb8d2", - "name": "957528ec-d710-45a9-ad1c-fe0ad6e805be:panel_957528ec-d710-45a9-ad1c-fe0ad6e805be", - "type": "search" + "id": "logs-*", + "name": "controlGroup_4549862d-38df-42ca-b2f8-a6af9513f195:optionsListDataView", + "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_4549862d-38df-42ca-b2f8-a6af9513f195:optionsListDataView", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern" } ], diff --git a/packages/corelight/kibana/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11.json b/packages/corelight/kibana/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11.json index 1098a878260..17924df31a9 100644 --- a/packages/corelight/kibana/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11.json +++ b/packages/corelight/kibana/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11.json 
@@ -1,846 +1,994 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": { - "ignoreFilters": false, - "ignoreQuery": false, - "ignoreTimerange": false, - "ignoreValidations": false - }, - "panelsJSON": { - "2e26dda9-4629-418b-948f-d930abc2d268": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "source.ip", - "id": "2e26dda9-4629-418b-948f-d930abc2d268", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false }, - "title": "Source IP" - }, - "grow": true, - "order": 1, - "type": "optionsListControl", - "width": "medium" - }, - "3250c956-8432-4557-afc0-649c2e6be37f": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "intel.seen.indicator", - "id": "3250c956-8432-4557-afc0-649c2e6be37f", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Indicator" - }, - "grow": true, - "order": 4, - "type": "optionsListControl", - "width": "medium" - }, - "572a9344-4353-412d-8476-36fff1fa0cd3": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "destination.ip", - "id": "572a9344-4353-412d-8476-36fff1fa0cd3", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Destination IP" - }, - "grow": true, - "order": 2, - "type": "optionsListControl", - "width": "medium" - }, - "a8e04b33-0231-46ee-b6fc-cfc94adea468": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "sources", - "id": "a8e04b33-0231-46ee-b6fc-cfc94adea468", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - 
"direction": "desc" - }, - "title": "Intel Source" - }, - "grow": true, - "order": 5, - "type": "optionsListControl", - "width": "medium" - }, - "cd3840ba-b9d5-4f8c-97c7-676725c045f5": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "intel.seen.indicator_type", - "id": "cd3840ba-b9d5-4f8c-97c7-676725c045f5", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Indicator Type" - }, - "grow": true, - "order": 0, - "type": "optionsListControl", - "width": "medium" - }, - "f789122e-05b5-43ed-b110-9b15ac9d24ad": { - "explicitInput": { - "dataViewId": "logs-*", - "exclude": false, - "existsSelected": false, - "fieldName": "destination.port", - "id": "f789122e-05b5-43ed-b110-9b15ac9d24ad", - "searchTechnique": "exact", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Destination Port" - }, - "grow": true, - "order": 3, - "type": "optionsListControl", - "width": "medium" - } - }, - "showApplySelections": false - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - 
"optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - **Intel**\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and 
x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)\n", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 33, - "i": "54dc8de8-c1ba-4346-83c3-a640bfa97576", - "w": 11, - "x": 0, - "y": 0 - }, - "panelIndex": "54dc8de8-c1ba-4346-83c3-a640bfa97576", - "title": "Table of Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-51b17fd0-e0ee-4b06-94c2-775000fd4536", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "51b17fd0-e0ee-4b06-94c2-775000fd4536": { - "columnOrder": [ - "14f10711-e6e9-4e12-a2a9-8e287eacf6b9", - "da90c64e-3159-4332-a825-a0b7a9fde48f" - ], - "columns": { - "14f10711-e6e9-4e12-a2a9-8e287eacf6b9": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" + "panelsJSON": { + "2e26dda9-4629-418b-948f-d930abc2d268": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "source.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" }, - "da90c64e-3159-4332-a825-a0b7a9fde48f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Corelight Intel", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "event.type" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + "title": 
"Source IP" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" }, - "indexpattern": { - "layers": {} + "3250c956-8432-4557-afc0-649c2e6be37f": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "intel.seen.indicator", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Indicator" + }, + "grow": true, + "order": 4, + "type": "optionsListControl", + "width": "medium" }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": ["da90c64e-3159-4332-a825-a0b7a9fde48f"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] + "572a9344-4353-412d-8476-36fff1fa0cd3": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "destination.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Destination IP" }, - "layerId": "51b17fd0-e0ee-4b06-94c2-775000fd4536", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "14f10711-e6e9-4e12-a2a9-8e287eacf6b9" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": true + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "a8e04b33-0231-46ee-b6fc-cfc94adea468": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "sources", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Intel Source" + }, + "grow": true, + "order": 5, + "type": "optionsListControl", + "width": 
"medium" + }, + "cd3840ba-b9d5-4f8c-97c7-676725c045f5": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "intel.seen.indicator_type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Indicator Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "f789122e-05b5-43ed-b110-9b15ac9d24ad": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "destination.port", + "searchTechnique": "exact", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Destination Port" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + } }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "a8456378-79f5-42d0-ab62-1d340b433a42", - "w": 24, - "x": 11, - "y": 0 + "showApplySelections": false }, - "panelIndex": "a8456378-79f5-42d0-ab62-1d340b433a42", - "title": "Intel Logs Over Time [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-5e59c2cf-2751-46ea-8daa-6f105e954299", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "5e59c2cf-2751-46ea-8daa-6f105e954299": { - "columnOrder": [ - "d30b6d72-c707-44c4-9c13-eb039fdf891a", - "ab6b4514-8961-4b09-8e06-0603538397e1" - ], - "columns": { - "ab6b4514-8961-4b09-8e06-0603538397e1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 
0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" }, - "d30b6d72-c707-44c4-9c13-eb039fdf891a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Category", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "ab6b4514-8961-4b09-8e06-0603538397e1", - "type": "column" + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "intel.seen.indicator_type" + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "intel.seen.indicator_type", - "index": "45454710-8410-4c07-8454-590ccce7861d", - "key": "intel.seen.indicator_type", - "negate": false, - "type": 
"exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "intel.seen.indicator_type" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "source.ip", - "index": "77393f3b-321d-4645-8263-cf0723961d4a", - "key": "source.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "source.ip" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.ip", - "index": "06b21536-794a-4ba4-bd8b-0aec878d0eb2", - "key": "destination.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "destination.ip" + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - **Intel**\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences 
Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.port", - "index": "31da0e41-eb3b-4ce7-bdcb-0919308bbcab", - "key": "destination.port", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "destination.port" - } - } + "gridData": { + "h": 33, + "i": "54dc8de8-c1ba-4346-83c3-a640bfa97576", + "w": 11, + "x": 0, + "y": 0 }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "intel.seen.indicator", - "index": "0bad79d9-b08c-4eba-8d82-d68ad6f6364a", - "key": "intel.seen.indicator", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "intel.seen.indicator" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": 
"default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "54dc8de8-c1ba-4346-83c3-a640bfa97576", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-51b17fd0-e0ee-4b06-94c2-775000fd4536", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "51b17fd0-e0ee-4b06-94c2-775000fd4536": { + "columnOrder": [ + "14f10711-e6e9-4e12-a2a9-8e287eacf6b9", + "da90c64e-3159-4332-a825-a0b7a9fde48f" + ], + "columns": { + "14f10711-e6e9-4e12-a2a9-8e287eacf6b9": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "da90c64e-3159-4332-a825-a0b7a9fde48f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Corelight Intel", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "da90c64e-3159-4332-a825-a0b7a9fde48f" + ], + "colorMapping": { + "assignments": [], + 
"colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "51b17fd0-e0ee-4b06-94c2-775000fd4536", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "14f10711-e6e9-4e12-a2a9-8e287eacf6b9" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "5e59c2cf-2751-46ea-8daa-6f105e954299", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["ab6b4514-8961-4b09-8e06-0603538397e1"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["d30b6d72-c707-44c4-9c13-eb039fdf891a"], - "truncateLegend": false - } - ], - "shape": "pie" - } + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "a8456378-79f5-42d0-ab62-1d340b433a42", + "w": 24, + "x": 11, + "y": 0 + }, + "panelIndex": "a8456378-79f5-42d0-ab62-1d340b433a42", + "title": "Intel Logs Over Time [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "187aea9d-272d-420a-92dd-cd015b601c5b", - "w": 13, - "x": 35, - "y": 0 - }, - "panelIndex": "187aea9d-272d-420a-92dd-cd015b601c5b", - "title": "Indicators [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d": { - 
"allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "name": "logs-corelight.various*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.various*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "timeField": "@timestamp", - "title": "logs-corelight.various*" - } - ], - "layers": { - "c1716752-8ff2-4d96-9cf1-0389233aa6e5": { - "columns": [ - { - "columnId": "Source IP", - "fieldName": "Source IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5e59c2cf-2751-46ea-8daa-6f105e954299", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5e59c2cf-2751-46ea-8daa-6f105e954299": { + "columnOrder": [ + "d30b6d72-c707-44c4-9c13-eb039fdf891a", + "ab6b4514-8961-4b09-8e06-0603538397e1" + ], + "columns": { + "ab6b4514-8961-4b09-8e06-0603538397e1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d30b6d72-c707-44c4-9c13-eb039fdf891a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ab6b4514-8961-4b09-8e06-0603538397e1", + "type": "column" + }, + "orderDirection": "desc", 
+ "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "intel.seen.indicator_type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator_type", + "index": "45454710-8410-4c07-8454-590ccce7861d", + "key": "intel.seen.indicator_type", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator_type" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "77393f3b-321d-4645-8263-cf0723961d4a", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "06b21536-794a-4ba4-bd8b-0aec878d0eb2", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "31da0e41-eb3b-4ce7-bdcb-0919308bbcab", + "key": "destination.port", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.port" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator", + "index": "0bad79d9-b08c-4eba-8d82-d68ad6f6364a", + "key": "intel.seen.indicator", + "negate": false, + "type": "exists", + "value": 
"exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "5e59c2cf-2751-46ea-8daa-6f105e954299", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "ab6b4514-8961-4b09-8e06-0603538397e1" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d30b6d72-c707-44c4-9c13-eb039fdf891a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ { - "columnId": "Destination IP", - "fieldName": "Destination IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator_type", + "index": "45454710-8410-4c07-8454-590ccce7861d", + "key": "intel.seen.indicator_type", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator_type" + } + } }, { - "columnId": "Port", - "fieldName": "Port", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "77393f3b-321d-4645-8263-cf0723961d4a", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } }, { - "columnId": "Indicator Type", - 
"fieldName": "Indicator Type", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "06b21536-794a-4ba4-bd8b-0aec878d0eb2", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } }, { - "columnId": "Indicator", - "fieldName": "Indicator", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "31da0e41-eb3b-4ce7-bdcb-0919308bbcab", + "key": "destination.port", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.port" + } + } }, { - "columnId": "44b7eb8e-29bf-4aca-9dec-1b0ae8ee7a64", - "fieldName": "Where", - "meta": { - "esType": "keyword", - "type": "string" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator", + "index": "0bad79d9-b08c-4eba-8d82-d68ad6f6364a", + "key": "intel.seen.indicator", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "187aea9d-272d-420a-92dd-cd015b601c5b", + "w": 13, + "x": 35, + "y": 0 + }, + "panelIndex": "187aea9d-272d-420a-92dd-cd015b601c5b", + "title": "Indicators [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d": { + "allowHidden": false, + "allowNoIndex": false, + 
"fieldFormats": {}, + "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "name": "logs-corelight.various*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "timeField": "@timestamp", + "title": "logs-corelight.various*" + } + ], + "layers": { + "c1716752-8ff2-4d96-9cf1-0389233aa6e5": { + "columns": [ + { + "columnId": "Source IP", + "fieldName": "Source IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Destination IP", + "fieldName": "Destination IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Port", + "fieldName": "Port", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "Indicator Type", + "fieldName": "Indicator Type", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Indicator", + "fieldName": "Indicator", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "44b7eb8e-29bf-4aca-9dec-1b0ae8ee7a64", + "fieldName": "Where", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "e97053b9-4783-42f8-bc51-218e1bfc4332", + "fieldName": "Total Events", + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"intel\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, destination.port, intel.seen.indicator_type, `intel.seen.where`, intel.seen.indicator\r\n| RENAME source.ip as `Source IP`, destination.ip as 
`Destination IP`, destination.port as Port, intel.seen.indicator_type as `Indicator Type`, intel.seen.indicator as Indicator, intel.seen.where as Where, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 10\r\n| KEEP `Source IP`, `Destination IP`, Port, `Indicator Type`, Indicator, Where, `Total Events`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"intel\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, destination.port, intel.seen.indicator_type, `intel.seen.where`, intel.seen.indicator\r\n| RENAME source.ip as `Source IP`, destination.ip as `Destination IP`, destination.port as Port, intel.seen.indicator_type as `Indicator Type`, intel.seen.indicator as Indicator, intel.seen.where as Where, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 10\r\n| KEEP `Source IP`, `Destination IP`, Port, `Indicator Type`, Indicator, Where, `Total Events`" + }, + "visualization": { + "columns": [ + { + "columnId": "Source IP" + }, + { + "columnId": "Destination IP" + }, + { + "columnId": "Port" + }, + { + "columnId": "Indicator Type" + }, + { + "columnId": "Indicator" + }, + { + "columnId": "44b7eb8e-29bf-4aca-9dec-1b0ae8ee7a64", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "e97053b9-4783-42f8-bc51-218e1bfc4332", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "c1716752-8ff2-4d96-9cf1-0389233aa6e5", + "layerType": "data" + } }, - { - "columnId": "e97053b9-4783-42f8-bc51-218e1bfc4332", - "fieldName": "Total Events", - "meta": { - "esType": "long", - "type": "number" - } + "title": "Table Source IP \u0026 Destination IP \u0026 Port \u0026 Indicator Type \u0026 Indicator", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ], - "index": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "query": { 
+ }, + "filters": [], + "query": { "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"intel\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, destination.port, intel.seen.indicator_type, `intel.seen.where`, intel.seen.indicator\r\n| RENAME source.ip as `Source IP`, destination.ip as `Destination IP`, destination.port as Port, intel.seen.indicator_type as `Indicator Type`, intel.seen.indicator as Indicator, intel.seen.where as Where, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 10\r\n| KEEP `Source IP`, `Destination IP`, Port, `Indicator Type`, Indicator, Where, `Total Events`" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"intel\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, destination.port, intel.seen.indicator_type, `intel.seen.where`, intel.seen.indicator\r\n| RENAME source.ip as `Source IP`, destination.ip as `Destination IP`, destination.port as Port, intel.seen.indicator_type as `Indicator Type`, intel.seen.indicator as Indicator, intel.seen.where as Where, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 10\r\n| KEEP `Source IP`, `Destination IP`, Port, `Indicator Type`, Indicator, Where, `Total Events`" - }, - "visualization": { - "columns": [ - { - "columnId": "Source IP" - }, - { - "columnId": "Destination IP" - }, - { - "columnId": "Port" - }, - { - "columnId": "Indicator Type" - }, - { - "columnId": "Indicator" - }, - { - "columnId": "44b7eb8e-29bf-4aca-9dec-1b0ae8ee7a64", - "isMetric": true, - "isTransposed": false - }, - { - "columnId": "e97053b9-4783-42f8-bc51-218e1bfc4332", - "isMetric": true, - "isTransposed": false - } - ], - "layerId": "c1716752-8ff2-4d96-9cf1-0389233aa6e5", - "layerType": "data" - } + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": 
"fffb5e5c-8dae-4afe-8f34-dfa73aba3497", + "w": 37, + "x": 11, + "y": 17 + }, + "panelIndex": "fffb5e5c-8dae-4afe-8f34-dfa73aba3497", + "title": "Intel Details [Logs Corelight]", + "type": "lens" }, - "title": "Table Source IP \u0026 Destination IP \u0026 Port \u0026 Indicator Type \u0026 Indicator", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {} + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "rowsPerPage": 10 + }, + "gridData": { + "h": 29, + "i": "242aacc6-7504-411a-8d27-d9e7f8e89436", + "w": 48, + "x": 0, + "y": 33 + }, + "panelIndex": "242aacc6-7504-411a-8d27-d9e7f8e89436", + "panelRefName": "panel_242aacc6-7504-411a-8d27-d9e7f8e89436", + "title": "Log Data [Logs Corelight]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Corelight] Intel", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T09:23:27.308Z", + "id": "corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "corelight-845d2914-3a55-4057-9dca-a3fd4e226d54", + "name": "242aacc6-7504-411a-8d27-d9e7f8e89436:panel_242aacc6-7504-411a-8d27-d9e7f8e89436", + "type": "search" + }, + { + "id": "logs-*", + "name": "a8456378-79f5-42d0-ab62-1d340b433a42:indexpattern-datasource-layer-51b17fd0-e0ee-4b06-94c2-775000fd4536", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "187aea9d-272d-420a-92dd-cd015b601c5b:indexpattern-datasource-layer-5e59c2cf-2751-46ea-8daa-6f105e954299", + "type": "index-pattern" }, - "gridData": { - "h": 16, - "i": "fffb5e5c-8dae-4afe-8f34-dfa73aba3497", - "w": 37, - "x": 11, - "y": 17 + { + "id": 
"logs-*", + "name": "controlGroup_cd3840ba-b9d5-4f8c-97c7-676725c045f5:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "fffb5e5c-8dae-4afe-8f34-dfa73aba3497", - "title": "Intel Details [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "description": "", - "enhancements": {}, - "rowsPerPage": 10 + { + "id": "logs-*", + "name": "controlGroup_2e26dda9-4629-418b-948f-d930abc2d268:optionsListDataView", + "type": "index-pattern" }, - "gridData": { - "h": 29, - "i": "242aacc6-7504-411a-8d27-d9e7f8e89436", - "w": 48, - "x": 0, - "y": 33 + { + "id": "logs-*", + "name": "controlGroup_572a9344-4353-412d-8476-36fff1fa0cd3:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "242aacc6-7504-411a-8d27-d9e7f8e89436", - "panelRefName": "panel_242aacc6-7504-411a-8d27-d9e7f8e89436", - "title": "Log Data [Logs Corelight]", - "type": "search" - } + { + "id": "logs-*", + "name": "controlGroup_f789122e-05b5-43ed-b110-9b15ac9d24ad:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_3250c956-8432-4557-afc0-649c2e6be37f:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_a8e04b33-0231-46ee-b6fc-cfc94adea468:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Logs Corelight] Intel", - "version": 2 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T12:35:59.183Z", - "id": "corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a8456378-79f5-42d0-ab62-1d340b433a42:indexpattern-datasource-layer-51b17fd0-e0ee-4b06-94c2-775000fd4536", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "187aea9d-272d-420a-92dd-cd015b601c5b:indexpattern-datasource-layer-5e59c2cf-2751-46ea-8daa-6f105e954299", - "type": "index-pattern" - }, - { - "id": "corelight-845d2914-3a55-4057-9dca-a3fd4e226d54", - "name": "242aacc6-7504-411a-8d27-d9e7f8e89436:panel_242aacc6-7504-411a-8d27-d9e7f8e89436", - "type": "search" - }, - { - "id": "logs-*", - "name": "controlGroup_cd3840ba-b9d5-4f8c-97c7-676725c045f5:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_2e26dda9-4629-418b-948f-d930abc2d268:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_572a9344-4353-412d-8476-36fff1fa0cd3:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_f789122e-05b5-43ed-b110-9b15ac9d24ad:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_3250c956-8432-4557-afc0-649c2e6be37f:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_a8e04b33-0231-46ee-b6fc-cfc94adea468:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "10.2.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde.json b/packages/corelight/kibana/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde.json index e4c1c41d6e4..af89979110f 100644 
--- a/packages/corelight/kibana/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde.json
+++ b/packages/corelight/kibana/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde.json
@@ -14,7 +14,6 @@
 "explicitInput": {
 "dataViewId": "logs-*",
 "fieldName": "source.ip",
- "id": "283ff494-ed87-44c1-b0cf-9eb8fdce11c4",
 "searchTechnique": "prefix",
 "selectedOptions": [],
 "sort": {
@@ -94,7 +93,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - **IP Interrogation**\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - **IP Interrogation**\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -241,10 +240,18 @@ "visualizationType": "lnsXY" }, "description": "Connections", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.conn*\r\n| limit 10000\r\n| where (source.ip is not null or destination.ip is not null) and destination.port not in (80, 8080 ,443)\r\n| stats values(destination.port), values(network.transport), count() by network.transport, destination.port\r\n| eval tp = concat(`values(network.transport)`,\"/\",to_string(`values(destination.port)`))\r\n| rename `count()` as Count, tp as `transport/port`\r\n| sort Count desc\r\n| limit 10\r\n| keep Count, `transport/port`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -364,10 +371,18 @@ "visualizationType": "lnsPie" }, "description": "Connections", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| LIMIT 10000\r\n| WHERE source.ip IS NOT NULL AND destination.ip IS NOT NULL\r\n| STATS VALUES(destination.ip) BY event.id\r\n| EVAL is_dest_internal_ip = CASE(CIDR_MATCH(`VALUES(destination.ip)`, \"10.0.0.0/8\")==\"true\",\"true\", CIDR_MATCH(`VALUES(destination.ip)`, \"172.16.0.0/12\")==\"true\",\"true\", CIDR_MATCH(`VALUES(destination.ip)`, \"192.168.0.0/16\")==\"true\",\"true\",\"false\")\r\n| EVAL ie=CASE(is_dest_internal_ip==\"true\", \"Internal\",is_dest_internal_ip==\"false\",\"External\",\"unknown\")\r\n| STATS COUNT() by ie\r\n| RENAME `COUNT()` as Count\r\n| KEEP Count,ie" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
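Review bot: In the added `esql` query `limit 10000` precedes `where`, so the port filter and the `stats` aggregation run over an arbitrary, unordered sample of at most 10 000 `conn` documents rather than over the selected time range, and the top-10 transport/port table can omit or misrank services whenever the range holds more events. Placing the filter ahead of the cap, `from logs-corelight.conn*\r\n| where (source.ip is not null or destination.ip is not null) and destination.port not in (80, 8080 ,443)\r\n| limit 10000\r\n| stats ...`, at least aggregates only matching rows; if the cap is a deliberate cost bound, the panel title or description should say the figures are sampled. The same ordering appears in the second hunk on this line and in the hunks starting `@@ -510`, `@@ -643`, `@@ -197`, `@@ -318`, `@@ -474` and `@@ -596`, while the `intel` and `software` queries elsewhere in this diff already put `WHERE` first. This query also uses lowercase keywords where the sibling queries use uppercase; one convention across the package would ease review.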
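Review bot: The internal/external split in the added `esql` query tests only the three RFC 1918 blocks, so loopback, link-local (`169.254.0.0/16`), shared address space (`100.64.0.0/10`) and every IPv6 private range (`fc00::/7`, `fe80::/10`, `::1`) are counted as `External`, which inflates the external slice on IPv6 or cloud networks. `CIDR_MATCH` accepts several blocks in one call, so a single call listing the RFC 1918 blocks plus `127.0.0.0/8`, `100.64.0.0/10`, `169.254.0.0/16`, `fc00::/7` and `fe80::/10` replaces the three-way `CASE`. Comparing the result with the string `"true"` also looks like an artifact: if `CIDR_MATCH` yields a boolean, `EVAL ie = CASE(CIDR_MATCH(...), "Internal", "External")` is the direct form and drops the string-typed intermediate column; worth confirming against the ES|QL version this package targets.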
@@ -510,10 +525,18 @@ "visualizationType": "lnsDatatable" }, "description": "Connections", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| LIMIT 10000\r\n| WHERE (source.ip IS NOT NULL or destination.ip IS NOT NULL) and source.ip not in (\"0.0.0.0\", \"255.255.255.255\") and destination.ip NOT IN (\"0.0.0.0\", \"255.255.255.255\", \"192.168.0.255\") and network.bytes IS NOT NULL\r\n| STATS values(source.ip), values(destination.ip), values(network.transport), values(destination.port), values(event.id), values(destination.geo.country_iso_code), sum(network.bytes) BY source.ip, destination.ip, event.id\r\n| EVAL tp = concat(`values(network.transport)`,\"/\", to_string(`values(destination.port)`))\r\n| SORT `sum(network.bytes)` DESC\r\n| LIMIT 10\r\n| RENAME `values(source.ip)` AS `Source IP`, `values(destination.ip)` AS `Destination IP`, tp AS Service, `values(event.id)` AS UID, `values(destination.geo.country_iso_code)` AS Country, `sum(network.bytes)` AS Bytes\r\n| KEEP `Source IP`,`Destination IP`, Service, UID, Country, Bytes" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
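Review bot: The exclusion `destination.ip NOT IN ("0.0.0.0", "255.255.255.255", "192.168.0.255")` hard-codes the broadcast address of one `/24`: broadcast traffic from every other subnet still reaches the top-10 bytes table, while genuine unicast to `192.168.0.255` on a network with a larger prefix is silently dropped. A generic broadcast test is not expressible from the address alone, so either state the site assumption in the panel description or drop that literal and keep only the two unspecified/limited-broadcast addresses already used in the `source.ip` clause. The `values(source.ip)` and `values(destination.ip)` aggregates appear redundant with the `BY source.ip, destination.ip, event.id` keys, which already surface as columns and could be renamed directly. The `LIMIT 10000` ordering is noted on the `@@ -241` hunk.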
@@ -643,10 +666,18 @@ "visualizationType": "lnsDatatable" }, "description": "HTTP", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| LIMIT 10000\r\n| WHERE (source.ip IS NOT NULL or destination.ip IS NOT NULL) and http.request.method IS NOT NULL and url.path IS NOT NULL\r\n| STATS values(source.ip), values(destination.ip), values(http.request.method), values(url.path), count() BY source.ip, destination.ip, http.request.method, url.path\r\n| RENAME `values(destination.ip)` AS `Destination IP`, `values(source.ip)` AS `Source IP`, `values(http.request.method)` AS Method, url.path AS URI, `count()` AS Count\r\n| SORT Count DESC\r\n| LIMIT 10\r\n| KEEP `Destination IP`, `Source IP`, Method, URI, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -851,7 +882,80 @@ "visualizationType": "lnsPie" }, "description": "Corelight Data Sets", - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "444f7ca5-079b-430f-83f9-02e142da61ea", + "key": "event.dataset", + "negate": true, + "params": [ + "conn", + "conn_long", + "conn_red", + "http", + "asoc:nba:event" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red", + "http", + "asoc:nba:event" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + }, + { + "match_phrase": { + "event.dataset": "http" + } + }, + { + "match_phrase": { + "event.dataset": "asoc:nba:event" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
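Review bot: The added panel filter pins `meta.index` to the bare UUID `444f7ca5-079b-430f-83f9-02e142da61ea`, which matches no entry in the dashboard's `references` list, whereas every other data-view pointer in this file is the `logs-*` id carried through a `kibanaSavedObjectMeta.searchSourceJSON.filter[N].meta.index` reference. A package-installed dashboard cannot assume that data view id exists in the target cluster; Kibana typically still applies the filter from the `query` block, but the pill is likely to render with a missing index, and whether the integrations tooling flags the dangling id is worth checking. Replace the UUID with the `logs-*` id (or a proper reference) here and in the `@@ -1065` and `@@ -1321` hunks, which carry the same pattern. The negated `phrases` filter itself is consistent with the `event.dataset` values used across the package.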
@@ -1065,7 +1169,88 @@ "visualizationType": "lnsPie" }, "description": "HTTP", - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "e1d561aa-25f3-4fbb-ab01-4054b54d0c86", + "key": "event.dataset", + "negate": false, + "params": [ + "http", + "http_red", + "http2" + ], + "type": "phrases", + "value": [ + "http", + "http_red", + "http2" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "http" + } + }, + { + "match_phrase": { + "event.dataset": "http_red" + } + }, + { + "match_phrase": { + "event.dataset": "http2" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "76b26419-9095-4bf6-be35-c6871285ffa5", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -1321,7 +1506,124 @@ "visualizationType": "lnsPie" }, "description": "HTTP", - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "a0e55d4a-d548-4d69-97f0-d43090275ba9", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "5f695c0d-e064-4010-8391-56f57ab7ae44", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "4a02769b-f355-4b0d-bd04-e5fa08518bbd", + "key": "destination.port", + "negate": false, + "params": [ + "80", + "8080", + "443" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.port": "80" + } + }, + { + "match_phrase": { + "destination.port": "8080" + } + }, + { + "match_phrase": { + "destination.port": "443" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
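Review bot: The first filter in this hunk carries `params` but no `value` array, while the `event.dataset` filters added in the `@@ -851` and `@@ -1065` hunks carry both; mixing the two shapes in one file makes the filters harder to diff and to validate, so either add `"value": ["conn", "conn_long", "conn_red"]` here or drop `value` in the other hunks. The `destination.port` filter quotes the ports as strings (`"80"`, `"8080"`, `"443"`) on a field the ES|QL queries treat as numeric; Elasticsearch coerces this in `match_phrase`, but numeric literals would document the field type and match the `NOT IN (80, 8080 ,443)` form used in the `@@ -241` hunk. The context `description` on the line above the change still reads `HTTP` although the new filters select `conn` datasets on web ports; that predates this commit but is now more visible.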
@@ -1337,12 +1639,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] IP Interrogation", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T12:29:11.476Z", + "created_at": "2026-01-06T09:23:28.311Z", "id": "corelight-3a4a279f-f238-47de-90ba-f643c5647fde", - "managed": false, "references": [ { "id": "logs-*", @@ -1368,6 +1669,11 @@ "id": "logs-*", "name": "controlGroup_283ff494-ed87-44c1-b0cf-9eb8fdce11c4:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902.json b/packages/corelight/kibana/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902.json index ccad562a2ce..4a6fa34ff19 100644 --- a/packages/corelight/kibana/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902.json +++ b/packages/corelight/kibana/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "software.type", - "id": "33b707fd-5632-45e4-adde-3726f43184ac", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -32,7 +31,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "611612e4-c8a9-4e1a-a860-6069ae0f6eb6", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -50,7 +48,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "software.name", - "id": "7599eabd-b77e-4d04-b8e8-8b228997098a", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -70,7 +67,6 @@ "exclude": false, "existsSelected": false, "fieldName": "host_header", - "id": "97e450fd-b2c6-4502-aa23-4e5b0e032455", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -211,7 +207,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - **Software**\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - **Software**\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", @@ -361,7 +357,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -464,10 +472,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"software\" AND observer.hostname IS NOT NULL AND software.type IS NOT NULL\r\n| LIMIT 10000\r\n| EVAL major = CASE(version.major IS NOT NULL, TO_STRING(version.major),\"\")\r\n| EVAL minor = CASE(software.version.minor IS NOT NULL, CONCAT(\".\",TO_STRING(software.version.minor)),\"\")\r\n| EVAL Version = CONCAT(major,minor)\r\n| STATS COUNT() BY software.name, Version\r\n| RENAME `COUNT()` as Count, software.name as Name\r\n| SORT Count desc\r\n| LIMIT 10\r\n| KEEP Name, Version, Count\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -585,7 +601,19 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 17, @@ -601,7 +629,11 @@ { "embeddableConfig": { "description": "", - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "rowsPerPage": 10 }, "gridData": { @@ -619,12 +651,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] Software", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T09:51:23.302Z", + "created_at": "2026-01-06T09:23:40.457Z", "id": "corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902", - "managed": false, "references": [ { "id": "logs-*", 
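Review bot: The `software` query reads the major version from `version.major` but the minor from `software.version.minor`; unless both names exist in the `logs-corelight.various*` mapping, the `major` column is always `""`, every `Version` collapses to a bare `.minor` string or empty, and the `STATS COUNT() BY software.name, Version` grouping then merges distinct releases. If the integration's field is `software.version.major`, the fix is `EVAL major = CASE(software.version.major IS NOT NULL, TO_STRING(software.version.major),"")`; worth confirming against the package's field definitions. The trailing `\r\n` after the final `KEEP` is harmless but differs from the other queries in this diff, which end without a newline.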
@@ -646,6 +677,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern" }, + { + "id": "corelight-34498312-f418-4e47-9931-bc5fc46c0bff", + "name": "61d50e7c-6cd9-4b07-a60a-6f7f2b8b0be8:panel_61d50e7c-6cd9-4b07-a60a-6f7f2b8b0be8", + "type": "search" + }, { "id": "logs-*", "name": "0075eb75-678b-42d3-9fb8-1c4aa3799392:indexpattern-datasource-layer-8464528f-193e-4f3b-9cd6-5841fd337567", @@ -656,11 +692,6 @@ "name": "e1efe476-2256-4262-af95-40cb2311cea1:indexpattern-datasource-layer-8464528f-193e-4f3b-9cd6-5841fd337567", "type": "index-pattern" }, - { - "id": "corelight-34498312-f418-4e47-9931-bc5fc46c0bff", - "name": "61d50e7c-6cd9-4b07-a60a-6f7f2b8b0be8:panel_61d50e7c-6cd9-4b07-a60a-6f7f2b8b0be8", - "type": "search" - }, { "id": "logs-*", "name": "controlGroup_611612e4-c8a9-4e1a-a860-6069ae0f6eb6:optionsListDataView", @@ -680,6 +711,26 @@ "id": "logs-*", "name": "controlGroup_97e450fd-b2c6-4502-aa23-4e5b0e032455:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json b/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json index fc3a806ecb7..3f141c8d279 100644 --- a/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json +++ b/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json 
@@ -14,7 +14,6 @@
 "explicitInput": {
 "dataViewId": "logs-*",
 "fieldName": "observer.hostname",
- "id": "b7b4bc2e-98d1-453a-a412-a37228a386b1",
 "searchTechnique": "prefix",
 "selectedOptions": [],
 "sort": {
@@ -114,7 +113,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - **Secure Channel Insights**\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - **Secure Channel Insights**\n - [Remote Activity 
Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -197,11 +196,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status == \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as Destination, `values(ssl.validation_status)` as Status\r\n| keep Subject, Destination, Status\r\n| stats count()\r\n| rename `count()` as `Self Signed Certs`\r\n| keep `Self Signed Certs`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, @@ -318,11 +325,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or tls.cipher like \"*EXPORT*\")\r\n| stats count_distinct(tls.cipher)\r\n| rename `count_distinct(tls.cipher)` as `Less Secure Ciphers`\r\n| keep `Less Secure Ciphers`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, 
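Review bot: In the new `query.esql` for the self-signed-certificate metric, `| limit 10000` comes before the `| where` and `| stats`, so the count is taken from an arbitrary 10,000-row sample of `logs-corelight.ssl-*` rather than from every matching TLS record in the time range; on a busy sensor the `Self Signed Certs` figure will silently undercount and can change between refreshes. The `where` clause also carries a line break inside a field name (`ssl.\r\nvalidation_status`); ES|QL appears to tolerate whitespace around the dot, but it reads as a broken identifier and should be `ssl.validation_status`. I would reorder to `from logs-corelight.ssl-* | where observer.vendor == "Corelight" and event.dataset == "tls" and observer.hostname is not null and ssl.validation_status == "self signed certificate" | stats count() by destination.ip, destination.domain | stats count()` and either drop the `limit` or place it after the final `stats`. The same `limit`-before-`where` ordering appears in every ES|QL panel this commit introduces, and since these panels now declare `"filters": []` it is worth confirming on the target Kibana version that the dashboard's `observer.hostname` control and filter bar still apply to ES|QL-backed Lens panels.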
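Review bot: In the weak-cipher metric's `query.esql`, `tls.cipher like "*DES*"` already matches every suite containing `3DES`, so `or tls.cipher like "*3DES*"` is redundant and can be dropped. As in the sibling panels, `| limit 10000` is placed before `| where`, so `count_distinct(tls.cipher)` is computed on a sample of the index rather than on all TLS records in the selected range; move the limit after the `stats` or remove it. Note also that the metric counts distinct cipher-suite names, not sessions using them, which the label `Less Secure Ciphers` conveys only loosely; a one-line panel description stating that would help the analyst.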
@@ -474,10 +489,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status == \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as `Destination IP`, `values(ssl.validation_status)` as Status\r\n| keep Subject, `Destination IP`, Status" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -596,10 +619,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or tls.cipher like \"*EXPORT*\")\r\n| stats values(destination.ip), count_distinct(event.id), count() by tls.cipher\r\n| eval mv_last(`values(destination.ip)`)\r\n| rename `mv_last(``values(destination.ip)``)` as `Destination IP`, `count_distinct(event.id)` as `Unique Conns`, `count()` as Count, tls.cipher as Cipher\r\n| keep Cipher,`Destination IP`,`Unique Conns`,Count\r\n| sort `Unique Conns` desc, Count desc" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
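Review bot: The new self-signed table's `query.esql` groups `by destination.ip, destination.domain` and then also aggregates `values(destination.ip)` and `values(destination.domain)` over those same keys, so the `Subject` and `Destination IP` columns are just the group keys wrapped in multi-value aggregates; `stats count() by destination.ip, destination.domain, ssl.validation_status` followed by a `rename` of the three keys is simpler and also gives the analyst a hit count per server. The field name is again split by a line break (`ssl.\r\nvalidation_status`) and `| limit 10000` precedes `| where`, so the table is built from an arbitrary 10,000-record sample of `logs-corelight.ssl-*` rather than from every self-signed record in the time range.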
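Review bot: In the weak-cipher table's `query.esql`, the `eval mv_last(...)` step reduces the per-cipher `values(destination.ip)` set to a single element, and ES|QL documents `VALUES` as returning its elements in no guaranteed order, so the `Destination IP` column shows one arbitrary server per cipher suite and may change between refreshes. If the intent is one row per cipher, grouping `by tls.cipher, destination.ip` (or keeping the full `values` column alongside an `mv_count`) would show the analyst every server actually negotiating RC4/DES/NULL/EXPORT suites. The redundant `*3DES*` clause and the `| limit 10000` placed before `| where` from the matching metric panel are repeated here.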
@@ -676,11 +707,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.\",\r\n ssh.inferences == \"KS\", \"Interactive session\",\r\n ssh.inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n ssh.inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, ssh.inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Automated SSH Session Indicators`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, 
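Review bot: The `Automated SSH Session Indicators` metric counts `KS`, which the query's own `case` describes as `Interactive session`, alongside `PKA`, `AUTO` and `CTS`, so the headline number mixes interactive and automated indicators; either drop `KS` from this `case` or rename the metric. The second `stats count() by event.id, source.ip, destination.ip, ssh.inferences` re-groups rows that are already unique on those keys and can be removed. If `ssh.inferences` can hold several values per record, `ssh.inferences == "PKA"` evaluates to null for those rows and they are silently excluded by `where Description is not null`; `| mv_expand ssh.inferences` before the `eval` would avoid that, but I cannot confirm the field's cardinality from this diff. `| limit 10000` before `| where` also makes the count a sample rather than a total.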
@@ -797,11 +836,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n ssh.inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, ssh.inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Interactive Sessions and Keystrokes`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, 
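Review bot: The `Interactive Sessions and Keystrokes` metric includes `AUTO`, whose `case` text says `The client is a script automated utility and not driven by a user`, so a non-interactive indicator is counted as interactive; the `Automated SSH Session Indicators` panel in the same dashboard also counts `AUTO` and `KS`, so the two headline numbers overlap rather than partition the sessions. I would restrict this `case` to `KS` and fix the grammar of the description string, e.g. `The client is a script or automated utility and not driven by a user`. `| limit 10000` placed before `| where` applies here too and turns the count into a sample.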
@@ -992,10 +1039,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.\",\r\n ssh.inferences == \"KS\", \"Interactive session\",\r\n ssh.inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n ssh.inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| rename event.id as UID, source.ip as `Source IP`, destination.ip as `Destination IP`, ssh.inferences as Inferences, `count()` as Count\r\n| keep UID , `Source IP`, `Destination IP`, Inferences,Description,Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
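Review bot: The new table query runs `stats count() by event.id, source.ip, destination.ip, ssh.inferences` twice in a row, so the second pass sees exactly one row per group and the `Count` column will read `1` on every row. Remove the duplicated `| stats count() by event.id, source.ip, destination.ip, ssh.inferences` line so `Count` reflects the number of matching records per (uid, source, destination, inference). As elsewhere in this commit, `| limit 10000` precedes `| where`, so the table is drawn from a 10,000-record sample rather than the full time range.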
@@ -1146,10 +1201,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n ssh.inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences , Description\r\n| rename event.id as UID, source.ip as `Source IP`, destination.ip as `Destination IP`, ssh.inferences as Inference, `count()` as Count\r\n| keep UID, `Source IP`, `Destination IP`, Inference, Description, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
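Review bot: `Count` in this table will always be `1`: the query first groups `by event.id, source.ip, destination.ip, ssh.inferences`, then after `eval Description` (a pure function of `ssh.inferences`) groups again by the same keys plus `Description`, which cannot merge any rows. Drop the second `stats` and carry the first `count()` through the `rename`, e.g. `| stats count() by event.id, source.ip, destination.ip, ssh.inferences | eval Description = case(...) | where Description is not null | rename ... \`count()\` as Count`. `| limit 10000` before `| where` also samples the index instead of covering the whole time range, and the `AUTO` description string has the same missing "or" as the metric panel.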
@@ -1226,11 +1289,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"SFD\", \"This indicates a small file download.\",\r\n ssh.inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n ssh.inferences == \"SFU\", \"This indicates a small file upload.\",\r\n ssh.inferences == \"LFU\", \"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, ssh.inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Possible File Uploaded`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, 
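Review bot: The metric is labelled `Possible File Uploaded` but the `case` includes `SFD` and `LFD`, whose own descriptions are small/large file download, so the number counts transfers in both directions. Either rename the metric (for example `Possible File Transfers`) or restrict the `case` to `SFU` and `LFU` if upload is what the panel is meant to surface. `| limit 10000` before `| where` again makes this a sample rather than a total for the time range.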
@@ -1347,11 +1418,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and ssh.inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,ssh.inferences\r\n| stats count()\r\n| rename `count()` as `Potential Security Risks`\r\n| keep `Potential Security Risks`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, 
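Review bot: `ssh.inferences in ("SC", "SP", "SV", "SA", "AFR", "BAN")` is the only selector in the `Potential Security Risks` metric, and if `ssh.inferences` is multi-valued (Corelight inference fields are typically sets) ES|QL evaluates `in` on a multi-value as null and drops the record, so a session carrying a risk code together with any other inference would not be counted — I cannot confirm the mapping from this diff, so please verify. Adding `| mv_expand ssh.inferences` before the `where` makes the check per value; the following `stats count() by event.id, source.ip, destination.ip, ssh.inferences | stats count()` would then count each (session, inference) pair once. `| limit 10000` is again placed before `| where`, sampling rather than totalling.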
@@ -1542,10 +1621,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"SFD\", \"This indicates a small file download.\",\r\n ssh.inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n ssh.inferences == \"SFU\", \"This indicates a small file upload.\",\r\n ssh.inferences == \"LFU\", \"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences , Description\r\n| rename event.id as UID, source.ip as `Source IP`, destination.ip as `Destination IP`, ssh.inferences as Inference, `count()` as Count\r\n| keep UID, `Source IP`, `Destination IP`, Inference, Description, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
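Review bot: The `Count` column in this file-transfer table will always show `1`, because rows are first grouped `by event.id, source.ip, destination.ip, ssh.inferences` and then grouped again by the same keys plus `Description`, which is derived from `ssh.inferences` and so never merges anything. Keep the first `stats`, drop the second, and carry its `count()` through the `rename` as `Count`. `| limit 10000` before `| where` means the table is built from a sample of `logs-corelight.various-*` rather than the full time range.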
@@ -1683,10 +1770,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and ssh.inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,ssh.inferences\r\n| rename event.id as UID, source.ip as `Source IP`, destination.ip as `Destination IP`,`count()` as Count, ssh.inferences as Inferences\r\n| keep UID, `Source IP`,`Destination IP`, Inferences, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
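Review bot: Unlike the other SSH tables added in this commit, the `Potential Security Risks` table has no `Description` column, so an analyst sees bare codes such as `AFR` or `BAN` with none of the explanatory text the sibling panels provide; adding the same `eval Description = case(...)` mapping from Corelight's inference documentation would make the table self-describing. As with the matching metric, `ssh.inferences in (...)` silently drops records if the field holds multiple values (unconfirmed from this diff; `| mv_expand ssh.inferences` would address it), and `| limit 10000` precedes `| where`, so the table is a sample rather than a complete list.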
@@ -1763,11 +1858,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences \r\n| eval Description =case(\r\n ssh.inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n ssh.inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n ssh.inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. 
From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n ssh.inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n ssh.inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n ssh.inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, ssh.inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Advanced Threat Indicators`\r\n| keep `Advanced Threat Indicators`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, 
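Review bot: The `Advanced Threat Indicators` metric matches `ssh.inferences` with `==` inside the `case`, and if that field is multi-valued (a reverse-tunnel session would plausibly carry `RSP`, `RSI`, `RSL` and `RSK` together) ES|QL returns null for the comparison and `where Description is not null` discards exactly those multi-indicator sessions, so the most complete attack chains could be the ones missing from the count — I cannot confirm the field's cardinality from this diff, so please verify against the mapping. `| mv_expand ssh.inferences` before the `eval` would make the match per value. `| limit 10000` before `| where` samples the index instead of counting the whole range.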
@@ -1999,10 +2102,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, ssh.inferences\r\n| eval Description =case(\r\n ssh.inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n ssh.inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n ssh.inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n ssh.inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n ssh.inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n ssh.inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| rename event.id as UID, source.ip as `Source IP`, destination.ip as `Destination IP`, ssh.inferences as Inference, `count()` as Count\r\n| keep UID, `Source IP`, `Destination IP`, Inference, Count, Description" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
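Review bot: The `Description` strings this table displays contain typos analysts will see: `inititated` in both the `RSI` and `RSIA` entries and `The Reverse tunnel login login has succeeded`; fix them to `initiated` and `The Reverse tunnel login has succeeded`. The `==` comparisons on `ssh.inferences` return null for multi-valued records, so if Corelight emits several inferences per session those rows vanish from the table — `| mv_expand ssh.inferences` before the `eval` avoids that; I cannot confirm the field's cardinality from the diff. `| limit 10000` before `| where` also samples the index rather than covering the time range.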
@@ -2213,8 +2324,145 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "tls.version", + "index": "logs-*", + "key": "tls.version", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "tls.version" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "a3f09cec-1608-42a0-a1b8-461fc24c5c84", + "key": "source.ip", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "800bb515-6c46-4ee1-a30f-e973d53d733c", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "600d7f5d-aef8-4a96-ba02-b5161cffb267", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "tls.version", + "index": "3390d8d3-eaa8-443f-930d-3b66b1a86d5f", + "key": "tls.version", + "negate": true, + "params": [ + "TLSv12", + "TLSv13", + "DTLSv12" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "tls.version": "TLSv12" + } + }, + { + "match_phrase": { + "tls.version": "TLSv13" + } + }, + { 
+ "match_phrase": { + "tls.version": "DTLSv12" + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, @@ -2322,10 +2570,18 @@ "visualizationType": "lnsDatatable" }, "description": "Classification based on Industry best practices", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.ssl-*\r\n| LIMIT 10000\r\n| WHERE observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname IS NOT NULL and tls.version IS NOT NULL\r\n| EVAL Classification = CASE(tls.version== \"TLSv13\",\"Most Secure (v1.3)\", tls.version== \"TLSv12\",\"Secure (v1.2)\",tls.version ==\"DTLSv12\", \"Secure (v1.2)\", tls.version ==\"unknown-64282\", \"Unknown\", \"Old Version \u003c (v1.2)\")\r\n| STATS COUNT_DISTINCT(event.id), VALUES(tls.version) by Classification, tls.version\r\n| RENAME `VALUES(tls.version)` as Version, `COUNT_DISTINCT(event.id)` as Counter\r\n| KEEP Version, Counter, Classification" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -2347,12 +2603,11 @@ "timeRestore": true, "timeTo": "now", "title": "[Logs Corelight] Secure Channel Insights", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-02-07T05:48:30.115Z", + "created_at": "2026-01-06T09:23:31.350Z", "id": "corelight-45197477-c13f-4e52-a5dd-fb4f53564963", - "managed": false, "references": [ { "id": "logs-*", diff --git a/packages/corelight/kibana/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17.json b/packages/corelight/kibana/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17.json index 2221fc9ef94..dca17698968 100644 
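Review bot: The filters added to this TLS-version metric carry `meta.index` values such as `a3f09cec-1608-42a0-a1b8-461fc24c5c84`, `800bb515-6c46-4ee1-a30f-e973d53d733c`, `600d7f5d-aef8-4a96-ba02-b5161cffb267` and `3390d8d3-eaa8-443f-930d-3b66b1a86d5f`, while the first filter uses `logs-*` and the saved object's `references` visible at the end of this file list only `logs-*`; the UUIDs look like data-view ids from the authoring cluster and should be normalised to `logs-*` so the filter pills resolve in the user's Kibana. The negated `phrases` filter excludes only `TLSv12`, `TLSv13` and `DTLSv12`, so any `unknown-*` version string (the sibling classification table special-cases `unknown-64282`) is counted as an old/insecure version by this metric; consider also negating values that begin with `unknown` if the panel is meant to show pre-1.2 protocol use.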
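Review bot: The classification `CASE` only recognises the literal `unknown-64282`, so any other `unknown-*` value Corelight emits falls through to the default `Old Version < (v1.2)` arm and inflates the insecure bucket; `STARTS_WITH(tls.version, "unknown")` (or `tls.version LIKE "unknown*"`) placed before the default would classify all unknowns consistently. Everything else, including genuine legacy versions, lands in that default arm, which is fine but worth stating in the panel `description` (currently `Classification based on Industry best practices`). `| LIMIT 10000` before `| WHERE` again samples the index rather than totalling the time range.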
--- a/packages/corelight/kibana/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17.json +++ b/packages/corelight/kibana/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "destination.port", - "id": "716b7efb-887b-41b6-9e26-3211630e5305", "searchTechnique": "exact", "selectedOptions": [ 53 @@ -34,7 +33,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "d6ddd074-8637-4e45-850b-1af34924737f", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -52,7 +50,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "dns.question.type", - "id": "f30e42d8-e9d4-44b1-bb10-9ca6c649c763", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -174,7 +171,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - **DNS**\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - **DNS**\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -432,7 +429,127 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "f5457800-6d5c-4a8f-b130-6d56936acc98", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "5b1a7d3e-64e1-4c38-be1b-d548d1c0ef23", + "key": "dns.question.type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "dns.question.type" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
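Review bot: The `combined` filter aliased `NOT is_broadcast: true` ORs two negated clauses (`source.ip` not in {0.0.0.0, 255.255.255.255} OR `destination.ip` not in the same set), which excludes a record only when both endpoints are broadcast/unspecified addresses; a DNS query from a host to 255.255.255.255 still passes. If the intent is to drop anything touching those addresses, the `relation` should be `"AND"` (NOT src AND NOT dst). The same OR construction is repeated in this dashboard's ES|QL panels as `(source.ip not in (...) or destination.ip not in (...))`.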
@@ -524,10 +641,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns*\r\n| limit 10000\r\n| where event.dataset == \"dns\" and observer.hostname is not null and (source.ip not in (\"0.0.0.0\",\"255.255.255.255\") or destination.ip not in (\"0.0.0.0\",\"255.255.255.255\")) and dns.question.type is not null and dns.question.type != \"PTR\"\r\n| stats COUNT() by source.ip, dns.response_code, destination.domain, dns.question.type \r\n| stats COUNT() by destination.domain \r\n| rename destination.domain as Query,`COUNT()` as Count\r\n| sort Count desc\r\n| limit 10\r\n| keep Query, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -619,10 +744,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns*\r\n| limit 10000\r\n| where event.dataset == \"dns\" and observer.hostname is not null and (source.ip not in (\"0.0.0.0\",\"255.255.255.255\") or destination.ip not in (\"0.0.0.0\",\"255.255.255.255\")) and dns.question.type is not null and dns.question.type != \"PTR\" and dns.response_code == \"NXDOMAIN\"\r\n| stats COUNT() by source.ip, dns.response_code, destination.domain, dns.question.type \r\n| stats COUNT() by destination.domain \r\n| rename destination.domain as Query,`COUNT()` as Count\r\n| sort Count desc\r\n| limit 10\r\n| keep Query, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
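Review bot: `(source.ip not in ("0.0.0.0","255.255.255.255") or destination.ip not in ("0.0.0.0","255.255.255.255"))` only rejects records where both endpoints are broadcast/unspecified; use `and` if either side being broadcast should exclude the row, matching the `NOT is_broadcast` alias on the sibling filter panels. The two chained `stats COUNT()` mean the `Count` column is the number of distinct (source.ip, dns.response_code, dns.question.type) combinations per domain rather than the number of queries — fine if that is the intent, but the header `Count` suggests volume. `| limit 10000` sits before `| where`, so the top-10 is computed on a 10,000-record sample of `logs-corelight.dns*` rather than the time range.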
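Review bot: The NXDOMAIN top-10 inherits both issues of its sibling panel: `| limit 10000` before `| where` ranks domains from an arbitrary 10,000-record sample rather than the full time range, and the `or` between the `source.ip`/`destination.ip` exclusions only drops rows where both ends are broadcast. Because NXDOMAIN spikes are a primary DGA/typosquat signal, the sample truncation is the more important one to fix: move the `limit` after the final `sort`.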
@@ -874,7 +1007,149 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "284c4fe0-79f1-4138-a21f-7012a1e303c1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "ae4a9a4f-363b-4b35-8da9-b5e6f2ff695c", + "key": "dns.question.type", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "dns.question.type" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.name", + "index": "f4802908-31ff-43b2-afe5-41f66abb27c6", + "key": "dns.question.name", + "negate": true, + "params": { + "query": "PTR" + 
}, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.question.name": "PTR" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
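Review bot: The third filter negates `dns.question.name: "PTR"`, i.e. it excludes queries whose name is the literal string `PTR`, which is essentially never the case, so PTR records are not actually removed from this table; the intended field, used by the sibling ES|QL panel (`dns.question.type != "PTR"`) and by the PTR-only tables below, is `dns.question.type`. Change `"field"` and `"key"` to `dns.question.type` and the `match_phrase` to `{"dns.question.type": "PTR"}`. The `combined` broadcast filter again uses `"relation": "OR"` on two negated clauses, which only excludes records where both endpoints are broadcast.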
@@ -1129,7 +1404,152 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT is_broadcast: true", + "disabled": false, + "index": "010d86aa-2f1d-4fde-b3c3-9998ca5c7873", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "source.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "source.ip": "255.255.255.255" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": true, + "params": [ + "0.0.0.0", + "255.255.255.255" + ], + "type": "phrases", + "value": [ + "0.0.0.0", + "255.255.255.255" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "destination.ip": "0.0.0.0" + } + }, + { + "match_phrase": { + "destination.ip": "255.255.255.255" + } + } + ] + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "deba2c9a-1a51-45e7-8a51-f1258e7537a0", + "key": "dns.question.type", + "negate": false, + "params": { + "query": "PTR" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.question.type": "PTR" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "fe7d2e6a-abff-483c-910f-da812c762118", + "key": "dns.response_code", + 
"negate": false, + "params": { + "query": "NOERROR" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.response_code": "NOERROR" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -1296,7 +1716,64 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "58502378-aee5-46fc-900c-d5f7e3d8b2b1", + "key": "dns.question.type", + "negate": false, + "params": { + "query": "PTR" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.question.type": "PTR" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "da32798d-4816-4197-989d-24fc24721ebc", + "key": "dns.response_code", + "negate": false, + "params": { + "query": "NXDOMAIN" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.response_code": "NXDOMAIN" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -1312,12 +1789,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] DNS", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T10:37:06.803Z", + "created_at": "2026-01-06T09:23:26.287Z", "id": "corelight-58885f47-95e1-4242-a1ee-783de69ace17", - "managed": false, "references": [ { "id": "logs-*", 
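Review bot: Each new panel-level filter sets its outer `meta.index` to an opaque data view id (`010d86aa-…`, `deba2c9a-…`, `fe7d2e6a-…`) while the nested clauses and every other reference in this package use `logs-*`; those ids look like they were captured from the authoring stack and have no entry in the dashboard's `references` array, so on an installed cluster they will point at a data view that does not exist. As far as I can tell Kibana still applies the query clause and only degrades the pill (warning badge, no field editing), but a packaged asset should not rely on that; set `"index": "logs-*"` on the three outer `meta` objects, or use `indexRefName` plus a reference entry the way the dashboard-level filters in this file do. The same pattern appears in the other two datatable panels changed in this diff; the enclosing panel object starts before the hunk and continues past it.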
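Review bot: This PTR/NXDOMAIN table omits the `NOT is_broadcast: true` exclusion that the two sibling datatable panels in this diff carry, so reverse lookups involving `0.0.0.0` / `255.255.255.255` (for example pre-DHCP hosts) are counted here but filtered out of the neighbouring tables, which makes the panels hard to compare. If that is intentional, say so in the panel title or description; otherwise add the same combined `source.ip`/`destination.ip` filter to this panel's `filters` array. The enclosing panel object starts before the hunk.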
@@ -1368,6 +1844,21 @@ "id": "logs-*", "name": "controlGroup_f30e42d8-e9d4-44b1-bb10-9ca6c649c763:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08.json b/packages/corelight/kibana/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08.json index 3d57282c987..28ec978812e 100644 --- a/packages/corelight/kibana/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08.json +++ b/packages/corelight/kibana/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08.json 
@@ -1,904 +1,981 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": { - "ignoreFilters": false, - "ignoreQuery": false, - "ignoreTimerange": false, - "ignoreValidations": false - }, - "panelsJSON": { - "bb39b552-4c2b-4b68-8795-2491eaf35b1a": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "ssh.inferences", - "id": "bb39b552-4c2b-4b68-8795-2491eaf35b1a", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false }, - "title": "SSH Inferences" - }, - "grow": false, - "order": 0, - "type": "optionsListControl", - "width": "medium" - } - }, - "showApplySelections": false - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ssh" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "ssh" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "ssh.inferences", - "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "ssh.inferences", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "ssh.inferences" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "panelsJSON": { + "bb39b552-4c2b-4b68-8795-2491eaf35b1a": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "ssh.inferences", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "SSH Inferences" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "medium" } - } }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - **SSH Inferences Overview**\n - 
[Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 33, - "i": "4ea785f3-c65d-4bc2-9b41-a36c01d37ab5", - "w": 12, - "x": 0, - "y": 0 + "showApplySelections": false }, - "panelIndex": "4ea785f3-c65d-4bc2-9b41-a36c01d37ab5", - "title": "Table of Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-718febea-e26f-4dce-9db6-fa22a037f563", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "718febea-e26f-4dce-9db6-fa22a037f563": { - "columnOrder": [ - "d6254c2b-cd76-47e4-9991-d7047325ff4d", - "5e1a2f42-651f-4a41-aac5-c870a68e3bcb" - ], - "columns": { - "5e1a2f42-651f-4a41-aac5-c870a68e3bcb": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + 
"store": "appState" }, - "d6254c2b-cd76-47e4-9991-d7047325ff4d": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Inference Name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "5e1a2f42-651f-4a41-aac5-c870a68e3bcb", - "type": "column" + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ssh" }, - "size": 5 - }, - "scale": "ordinal", - "sourceField": "ssh.inferences" + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ssh" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "ssh.inferences", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "ssh.inferences", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "ssh.inferences" + } } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} + ], + "query": { + "language": "kuery", + "query": "" } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - 
"visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "718febea-e26f-4dce-9db6-fa22a037f563", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["5e1a2f42-651f-4a41-aac5-c870a68e3bcb"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["d6254c2b-cd76-47e4-9991-d7047325ff4d"], - "truncateLegend": false - } - ], - "shape": "pie" - } + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - **SSH 
Inferences Overview**\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 33, + "i": "4ea785f3-c65d-4bc2-9b41-a36c01d37ab5", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "4ea785f3-c65d-4bc2-9b41-a36c01d37ab5", + "title": "Table of Contents", + "type": "visualization" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "e16758c8-c2c5-47e8-bb55-5f77a378a5df", - "w": 14, - "x": 12, - "y": 0 - }, - "panelIndex": "e16758c8-c2c5-47e8-bb55-5f77a378a5df", - "title": "SSH Inferences [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "4f5c75b1-71b1-400d-bdc8-cb4cab7cc971": { - "columnOrder": [ - "5e0e7251-e732-4243-b79a-e17511c17a51", - "730c746b-0ede-48be-8d8f-c784adc80214", - "e75caaae-c9d0-489a-acd2-a43af90d6095" - ], - 
"columns": { - "5e0e7251-e732-4243-b79a-e17511c17a51": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "InferenceName", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "e75caaae-c9d0-489a-acd2-a43af90d6095", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-718febea-e26f-4dce-9db6-fa22a037f563", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "718febea-e26f-4dce-9db6-fa22a037f563": { + "columnOrder": [ + "d6254c2b-cd76-47e4-9991-d7047325ff4d", + "5e1a2f42-651f-4a41-aac5-c870a68e3bcb" + ], + "columns": { + "5e1a2f42-651f-4a41-aac5-c870a68e3bcb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d6254c2b-cd76-47e4-9991-d7047325ff4d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Inference Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5e1a2f42-651f-4a41-aac5-c870a68e3bcb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "ssh.inferences" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - 
"orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "ssh.inferences" - }, - "730c746b-0ede-48be-8d8f-c784adc80214": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "d" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "e75caaae-c9d0-489a-acd2-a43af90d6095": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "718febea-e26f-4dce-9db6-fa22a037f563", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "5e1a2f42-651f-4a41-aac5-c870a68e3bcb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d6254c2b-cd76-47e4-9991-d7047325ff4d" + ], + "truncateLegend": false + } + ], + "shape": "pie" } - }, - "scale": "ratio", - "sourceField": "___records___" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - 
"indexpattern": { - "layers": {} + "gridData": { + "h": 15, + "i": "e16758c8-c2c5-47e8-bb55-5f77a378a5df", + "w": 14, + "x": 12, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": ["e75caaae-c9d0-489a-acd2-a43af90d6095"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "e16758c8-c2c5-47e8-bb55-5f77a378a5df", + "title": "SSH Inferences [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4f5c75b1-71b1-400d-bdc8-cb4cab7cc971": { + "columnOrder": [ + "5e0e7251-e732-4243-b79a-e17511c17a51", + "730c746b-0ede-48be-8d8f-c784adc80214", + "e75caaae-c9d0-489a-acd2-a43af90d6095" + ], + "columns": { + "5e0e7251-e732-4243-b79a-e17511c17a51": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "InferenceName", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e75caaae-c9d0-489a-acd2-a43af90d6095", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ssh.inferences" + }, + "730c746b-0ede-48be-8d8f-c784adc80214": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + 
"operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "d" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e75caaae-c9d0-489a-acd2-a43af90d6095": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "e75caaae-c9d0-489a-acd2-a43af90d6095" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "5e0e7251-e732-4243-b79a-e17511c17a51", + "xAccessor": "730c746b-0ede-48be-8d8f-c784adc80214" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": 
"5e0e7251-e732-4243-b79a-e17511c17a51", - "xAccessor": "730c746b-0ede-48be-8d8f-c784adc80214" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": false + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "43dfd2d2-6293-4928-abde-6d66793d5087", + "w": 22, + "x": 26, + "y": 0 }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "43dfd2d2-6293-4928-abde-6d66793d5087", + "title": "SSH Inferences Over Time [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "43dfd2d2-6293-4928-abde-6d66793d5087", - "w": 22, - "x": 26, - "y": 0 - }, - "panelIndex": "43dfd2d2-6293-4928-abde-6d66793d5087", - "title": "SSH Inferences Over Time [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "name": "logs-corelight.various*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.various*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "timeField": "@timestamp", - "title": "logs-corelight.various*" - } - ], - "layers": { - "2016cfbb-07bb-4064-a06b-d029f268600a": { - "columns": [ - { - "columnId": "Source IP", - "fieldName": "Source IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "HASSH 
Client", - "fieldName": "HASSH Client", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } - }, - { - "columnId": "Destination IP", - "fieldName": "Destination IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "HASSH Server", - "fieldName": "HASSH Server", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "name": "logs-corelight.various*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "timeField": "@timestamp", + "title": "logs-corelight.various*" + } + ], + "layers": { + "2016cfbb-07bb-4064-a06b-d029f268600a": { + "columns": [ + { + "columnId": "Source IP", + "fieldName": "Source IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "HASSH Client", + "fieldName": "HASSH Client", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Destination IP", + "fieldName": "Destination IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "HASSH Server", + "fieldName": "HASSH Server", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Total Events", + "fieldName": "Total Events", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + 
"index": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"ssh\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, ssh.hassh, ssh.hasshServer \r\n| RENAME source.ip as `Source IP`,ssh.hassh as `HASSH Client`, destination.ip as `Destination IP`, ssh.hasshServer as `HASSH Server`, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 5\r\n| KEEP `Source IP`, `HASSH Client`,`Destination IP`, `HASSH Server`, `Total Events`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"ssh\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, ssh.hassh, ssh.hasshServer \r\n| RENAME source.ip as `Source IP`,ssh.hassh as `HASSH Client`, destination.ip as `Destination IP`, ssh.hasshServer as `HASSH Server`, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 5\r\n| KEEP `Source IP`, `HASSH Client`,`Destination IP`, `HASSH Server`, `Total Events`" + }, + "visualization": { + "columns": [ + { + "columnId": "Source IP" + }, + { + "columnId": "HASSH Client" + }, + { + "columnId": "Destination IP" + }, + { + "columnId": "HASSH Server" + }, + { + "columnId": "Total Events" + } + ], + "layerId": "2016cfbb-07bb-4064-a06b-d029f268600a", + "layerType": "data" + } }, - { - "columnId": "Total Events", - "fieldName": "Total Events", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + "title": "Table Source IP \u0026 HASSH Client \u0026 Destination IP \u0026 HASSH Server \u0026 Total Events", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ], - "index": "ac1dc77e86b8b0251ed701e409e8e3c4ccdacd779afb09dea00b75a2a346153d", - "query": { + }, + "filters": [], + "query": { "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == 
\"ssh\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, ssh.hassh, ssh.hasshServer \r\n| RENAME source.ip as `Source IP`,ssh.hassh as `HASSH Client`, destination.ip as `Destination IP`, ssh.hasshServer as `HASSH Server`, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 5\r\n| KEEP `Source IP`, `HASSH Client`,`Destination IP`, `HASSH Server`, `Total Events`" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "FROM logs-corelight.various*\r\n| WHERE event.dataset == \"ssh\"\r\n| LIMIT 10000\r\n| STATS COUNT() by source.ip, destination.ip, ssh.hassh, ssh.hasshServer \r\n| RENAME source.ip as `Source IP`,ssh.hassh as `HASSH Client`, destination.ip as `Destination IP`, ssh.hasshServer as `HASSH Server`, `COUNT()` as `Total Events`\r\n| SORT `Total Events` DESC\r\n| LIMIT 5\r\n| KEEP `Source IP`, `HASSH Client`,`Destination IP`, `HASSH Server`, `Total Events`" - }, - "visualization": { - "columns": [ - { - "columnId": "Source IP" - }, - { - "columnId": "HASSH Client" - }, - { - "columnId": "Destination IP" - }, - { - "columnId": "HASSH Server" - }, - { - "columnId": "Total Events" - } - ], - "layerId": "2016cfbb-07bb-4064-a06b-d029f268600a", - "layerType": "data" - } + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "32f133b4-36cc-4db5-9c1f-b7d1790636e2", + "w": 36, + "x": 12, + "y": 15 + }, + "panelIndex": "32f133b4-36cc-4db5-9c1f-b7d1790636e2", + "title": "HASSH Fingerprint Details [Logs Corelight]", + "type": "lens" }, - "title": "Table Source IP \u0026 HASSH Client \u0026 Destination IP \u0026 HASSH Server \u0026 Total Events", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "32f133b4-36cc-4db5-9c1f-b7d1790636e2", - "w": 36, - "x": 12, - "y": 15 - }, - "panelIndex": "32f133b4-36cc-4db5-9c1f-b7d1790636e2", - 
"title": "HASSH Fingerprint Details [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "name": "logs-corelight.various-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.various-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "timeField": "@timestamp", - "title": "logs-corelight.various-*" - } - ], - "layers": { - "46c8aa32-f485-46f8-ab3b-5f1f42d82690": { - "columns": [ - { - "columnId": "Source IP", - "fieldName": "Source IP", - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "Destination IP", - "fieldName": "Destination IP", - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "Inferences", - "fieldName": "Inferences", - "meta": { - "esType": "keyword", - "type": "string" - } + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + 
"46c8aa32-f485-46f8-ab3b-5f1f42d82690": { + "columns": [ + { + "columnId": "Source IP", + "fieldName": "Source IP", + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Destination IP", + "fieldName": "Destination IP", + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `count()` as Count\r\n| SORT Count desc\r\n| limit 5\r\n| keep `Source IP`, `Destination IP`, Inferences, Count\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `count()` as Count\r\n| SORT Count desc\r\n| limit 5\r\n| keep `Source IP`, `Destination IP`, Inferences, Count\r\n" + }, + "visualization": { + "columns": [ + { + "columnId": "Source IP" + }, + { + "columnId": "Destination IP" + }, + { + "columnId": "Inferences" + }, + { + "columnId": "Count" + } + ], + "layerId": "46c8aa32-f485-46f8-ab3b-5f1f42d82690", + "layerType": "data" + } }, - { - "columnId": "Count", - "fieldName": "Count", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + 
"title": "Pie", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ], - "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "query": { + }, + "filters": [], + "query": { "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `count()` as Count\r\n| SORT Count desc\r\n| limit 5\r\n| keep `Source IP`, `Destination IP`, Inferences, Count\r\n" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `count()` as Count\r\n| SORT Count desc\r\n| limit 5\r\n| keep `Source IP`, `Destination IP`, Inferences, Count\r\n" - }, - "visualization": { - "columns": [ - { - "columnId": "Source IP" - }, - { - "columnId": "Destination IP" - }, - { - "columnId": "Inferences" - }, - { - "columnId": "Count" - } - ], - "layerId": "46c8aa32-f485-46f8-ab3b-5f1f42d82690", - "layerType": "data" - } + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "75a2e06c-bcc4-4aaa-9309-31fef6d7a6a9", + "w": 21, + "x": 0, + "y": 33 + }, + "panelIndex": "75a2e06c-bcc4-4aaa-9309-31fef6d7a6a9", + "title": "SSH Host Details [Logs Corelight]", + "type": "lens" }, - "title": "Pie", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": 
"75a2e06c-bcc4-4aaa-9309-31fef6d7a6a9", - "w": 21, - "x": 0, - "y": 33 - }, - "panelIndex": "75a2e06c-bcc4-4aaa-9309-31fef6d7a6a9", - "title": "SSH Host Details [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "name": "logs-corelight.various-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.various-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "timeField": "@timestamp", - "title": "logs-corelight.various-*" - } - ], - "layers": { - "b6068c04-11b7-4de2-8e94-9d7a12884e66": { - "columns": [ - { - "columnId": "Source IP", - "fieldName": "Source IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "Destination IP", - "fieldName": "Destination IP", - "inMetricDimension": true, - "meta": { - "esType": "ip", - "type": "ip" - } - }, - { - "columnId": "Host Key", - "fieldName": "Host Key", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } - }, - { - "columnId": "Inferences", - "fieldName": "Inferences", - "inMetricDimension": true, - "meta": { - "esType": "keyword", - "type": "string" - } + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + 
"timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "b6068c04-11b7-4de2-8e94-9d7a12884e66": { + "columns": [ + { + "columnId": "Source IP", + "fieldName": "Source IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Destination IP", + "fieldName": "Destination IP", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Host Key", + "fieldName": "Host Key", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null and ssh.host_key is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences), values(ssh.host_key) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `values(ssh.host_key)` as `Host Key`, `count()` as Count\r\n| SORT Count desc\r\n| keep `Source IP`, `Destination IP`, `Host Key`, Inferences, Count\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null and ssh.host_key is not null\r\n| limit 10000\r\n| stats count(), 
values(ssh.inferences), values(ssh.host_key) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `values(ssh.host_key)` as `Host Key`, `count()` as Count\r\n| SORT Count desc\r\n| keep `Source IP`, `Destination IP`, `Host Key`, Inferences, Count\r\n" + }, + "visualization": { + "columns": [ + { + "columnId": "Source IP" + }, + { + "columnId": "Destination IP" + }, + { + "columnId": "Host Key" + }, + { + "columnId": "Inferences" + }, + { + "columnId": "Count" + } + ], + "layerId": "b6068c04-11b7-4de2-8e94-9d7a12884e66", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } + } }, - { - "columnId": "Count", - "fieldName": "Count", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + "title": "Table Source IP \u0026 Destination IP \u0026 Host Key \u0026 Inferences \u0026 Count", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ], - "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "query": { + }, + "filters": [], + "query": { "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null and ssh.host_key is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences), values(ssh.host_key) by source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `values(ssh.host_key)` as `Host Key`, `count()` as Count\r\n| SORT Count desc\r\n| keep `Source IP`, `Destination IP`, `Host Key`, Inferences, Count\r\n" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"ssh\" and ssh.inferences is not null and ssh.host_key is not null\r\n| limit 10000\r\n| stats count(), values(ssh.inferences), values(ssh.host_key) by 
source.ip, destination.ip\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(ssh.inferences)` as Inferences, `values(ssh.host_key)` as `Host Key`, `count()` as Count\r\n| SORT Count desc\r\n| keep `Source IP`, `Destination IP`, `Host Key`, Inferences, Count\r\n" - }, - "visualization": { - "columns": [ - { - "columnId": "Source IP" - }, - { - "columnId": "Destination IP" - }, - { - "columnId": "Host Key" - }, - { - "columnId": "Inferences" - }, - { - "columnId": "Count" - } - ], - "layerId": "b6068c04-11b7-4de2-8e94-9d7a12884e66", - "layerType": "data", - "paging": { - "enabled": true, - "size": 10 - } - } + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "1aee3097-a16f-444c-acd9-6df54485ac7a", + "w": 27, + "x": 21, + "y": 33 + }, + "panelIndex": "1aee3097-a16f-444c-acd9-6df54485ac7a", + "title": "Inferences for Hosts with Host_Key [Logs Corelight]", + "type": "lens" }, - "title": "Table Source IP \u0026 Destination IP \u0026 Host Key \u0026 Inferences \u0026 Count", - "type": "lens", - "visualizationType": "lnsDatatable" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {} + { + "embeddableConfig": { + "description": "SSH Inference Log Data", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "rowsPerPage": 10 + }, + "gridData": { + "h": 29, + "i": "77fd043f-23b8-4de2-a228-0b21d2b56682", + "w": 48, + "x": 0, + "y": 50 + }, + "panelIndex": "77fd043f-23b8-4de2-a228-0b21d2b56682", + "panelRefName": "panel_77fd043f-23b8-4de2-a228-0b21d2b56682", + "title": "Log Data [Logs Corelight]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Corelight] SSH Inferences Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T09:23:41.472Z", + "id": "corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08", + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "corelight-a44be701-0e99-4b53-9073-b7720df40481", + "name": "77fd043f-23b8-4de2-a228-0b21d2b56682:panel_77fd043f-23b8-4de2-a228-0b21d2b56682", + "type": "search" }, - "gridData": { - "h": 17, - "i": "1aee3097-a16f-444c-acd9-6df54485ac7a", - "w": 27, - "x": 21, - "y": 33 + { + "id": "logs-*", + "name": "e16758c8-c2c5-47e8-bb55-5f77a378a5df:indexpattern-datasource-layer-718febea-e26f-4dce-9db6-fa22a037f563", + "type": "index-pattern" }, - "panelIndex": "1aee3097-a16f-444c-acd9-6df54485ac7a", - "title": "Inferences for Hosts with Host_Key [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "description": "SSH Inference Log Data", - "enhancements": {}, - "rowsPerPage": 10 + { + "id": "logs-*", + "name": "43dfd2d2-6293-4928-abde-6d66793d5087:indexpattern-datasource-layer-4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", + "type": "index-pattern" }, - "gridData": { - "h": 29, - "i": "77fd043f-23b8-4de2-a228-0b21d2b56682", - "w": 48, - "x": 0, - "y": 50 + { + "id": "logs-*", + "name": "controlGroup_bb39b552-4c2b-4b68-8795-2491eaf35b1a:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "77fd043f-23b8-4de2-a228-0b21d2b56682", - "panelRefName": "panel_77fd043f-23b8-4de2-a228-0b21d2b56682", - "title": "Log Data [Logs Corelight]", - "type": "search" - } + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + 
"type": "index-pattern" + } ], - "timeRestore": false, - "title": "[Logs Corelight] SSH Inferences Overview", - "version": 2 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T12:16:47.699Z", - "id": "corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e16758c8-c2c5-47e8-bb55-5f77a378a5df:indexpattern-datasource-layer-718febea-e26f-4dce-9db6-fa22a037f563", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "43dfd2d2-6293-4928-abde-6d66793d5087:indexpattern-datasource-layer-4f5c75b1-71b1-400d-bdc8-cb4cab7cc971", - "type": "index-pattern" - }, - { - "id": "corelight-a44be701-0e99-4b53-9073-b7720df40481", - "name": "77fd043f-23b8-4de2-a228-0b21d2b56682:panel_77fd043f-23b8-4de2-a228-0b21d2b56682", - "type": "search" - }, - { - "id": "logs-*", - "name": "controlGroup_bb39b552-4c2b-4b68-8795-2491eaf35b1a:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "10.2.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json b/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json index dc60e498d44..c7f2880c60a 100644 --- a/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json 
+++ b/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json 
@@ -1,7525 +1,10487 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": { - "ignoreFilters": false, - "ignoreQuery": false, - "ignoreTimerange": false, - "ignoreValidations": false - }, - "panelsJSON": { - "42578746-ab6b-48bc-b4b7-4453f4bbf187": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "observer.hostname", - "id": "42578746-ab6b-48bc-b4b7-4453f4bbf187", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false }, - "title": "Sensor" - }, - "grow": false, - "order": 0, - "type": "optionsListControl", - "width": "small" - } - }, - "showApplySelections": false - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "event.id", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "event.id" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { 
- "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- **Security Posture**\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": 
{} - } - }, - "gridData": { - "h": 46, - "i": "717d6a38-d6c4-4540-a8f9-7f8d419f69b8", - "w": 12, - "x": 0, - "y": 0 - }, - "panelIndex": "717d6a38-d6c4-4540-a8f9-7f8d419f69b8", - "title": "Table of Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" + "panelsJSON": { + "42578746-ab6b-48bc-b4b7-4453f4bbf187": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "observer.hostname", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Sensor" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "small" } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "## Alert Insights", - "openLinksInNewTab": false }, - "title": "", - "type": "markdown", - "uiState": {} - } + "showApplySelections": false }, - "gridData": { - "h": 4, - "i": "48ea15bc-c977-4654-a5bd-7c030ab9530c", - "w": 36, - "x": 12, - "y": 0 - }, - "panelIndex": "48ea15bc-c977-4654-a5bd-7c030ab9530c", - "title": "", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-df498787-6442-4e25-9f74-8c78625cfbbf", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "df498787-6442-4e25-9f74-8c78625cfbbf": { - "columnOrder": ["c1bbc5fd-f721-455b-966b-09a7b1e0ceb5"], - "columns": { - "c1bbc5fd-f721-455b-966b-09a7b1e0ceb5": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "All Suricata Alerts", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - 
"params": { - "decimals": 0 - } + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" } - }, - "scale": "ratio", - "sourceField": "event.id" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "f30259e8-588d-43ba-82c3-e90c38ab986e", - "key": "event.dataset", - "negate": false, - "params": { - "query": "suricata_corelight" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "suricata_corelight" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "021765c3-7144-47dc-a9e8-a6658780799c", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "df498787-6442-4e25-9f74-8c78625cfbbf", - "layerType": "data", - "metricAccessor": "c1bbc5fd-f721-455b-966b-09a7b1e0ceb5" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c", - "w": 10, - "x": 12, - "y": 4 - }, - "panelIndex": 
"7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c", - "title": "Suricata Alerts [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Source IPs", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.id", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "event.id" } - }, - "scale": "ratio", - "sourceField": "source.ip" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "54b85c28-2d24-4f06-a535-2ca2858c981a", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", - "key": "event.dataset", - "negate": false, - "params": { - "query": 
"suricata_corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "suricata_corelight" } - } + ], + "query": { + "language": "kuery", + "query": "" } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true + } }, - "gridData": { - "h": 4, - "i": "4565d681-c2bc-495f-b81e-8de0c50c53cf", - "w": 8, - "x": 22, - "y": 4 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "4565d681-c2bc-495f-b81e-8de0c50c53cf", - "title": "Unique Source IPs [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Dest. 
IPs", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "destination.ip" + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "19a4e984-83c0-4ab7-b633-a2d73579e9cb", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", - "key": "event.dataset", - "negate": false, - "params": { - "query": "suricata_corelight" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "suricata_corelight" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "f11b1714-11be-470f-a254-16de8bc012f9", - "w": 9, - "x": 30, - "y": 4 - }, - "panelIndex": "f11b1714-11be-470f-a254-16de8bc012f9", - "title": "Unique Dest. 
IPs [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Signatures", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } } - }, - "scale": "ratio", - "sourceField": "rule.signature_id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- **Security Posture**\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences 
Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 46, + "i": "717d6a38-d6c4-4540-a8f9-7f8d419f69b8", + "w": 12, + "x": 0, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "9520c5db-0b83-4929-bda9-8ad0f0f74387", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", - "key": "event.dataset", - "negate": false, - "params": { - "query": "suricata_corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "suricata_corelight" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - 
"icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", - "valueFontMode": "default" - } + "panelIndex": "717d6a38-d6c4-4540-a8f9-7f8d419f69b8", + "title": "Table of Contents", + "type": "visualization" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "abf210b6-6468-4ddd-a1e9-1f9674fa485a", - "w": 9, - "x": 39, - "y": 4 - }, - "panelIndex": "abf210b6-6468-4ddd-a1e9-1f9674fa485a", - "title": "Unique Signatures [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { - "columnOrder": [ - "725e430b-5db2-4dce-a571-ec03a89b4e21", - "042f1307-63df-4962-915d-4b2deadd0d01" - ], - "columns": { - "042f1307-63df-4962-915d-4b2deadd0d01": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Suricata Alerts", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } } - }, - "scale": "ratio", - "sourceField": "event.id" }, - "725e430b-5db2-4dce-a571-ec03a89b4e21": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - 
"operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## Alert Insights", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 4, + "i": "48ea15bc-c977-4654-a5bd-7c030ab9530c", + "w": 36, + "x": 12, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "da320bc3-1d01-493b-9143-564f20e3d135", - "key": "event.dataset", - "negate": false, - "params": { - "query": "suricata_corelight" + "panelIndex": "48ea15bc-c977-4654-a5bd-7c030ab9530c", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-df498787-6442-4e25-9f74-8c78625cfbbf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "df498787-6442-4e25-9f74-8c78625cfbbf": { + "columnOrder": [ + "c1bbc5fd-f721-455b-966b-09a7b1e0ceb5" + ], + "columns": { + "c1bbc5fd-f721-455b-966b-09a7b1e0ceb5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "All Suricata Alerts", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "f30259e8-588d-43ba-82c3-e90c38ab986e", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "021765c3-7144-47dc-a9e8-a6658780799c", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "df498787-6442-4e25-9f74-8c78625cfbbf", + "layerType": "data", + "metricAccessor": "c1bbc5fd-f721-455b-966b-09a7b1e0ceb5" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "suricata_corelight" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "LINEAR", - "emphasizeFitting": true, - "endValue": "Nearest", - "fittingFunction": "None", - "layers": [ - { - "accessors": ["042f1307-63df-4962-915d-4b2deadd0d01"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": 
false, - "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 10, - "i": "296e71e6-816e-4553-8b53-e277741cab08", - "w": 26, - "x": 22, - "y": 8 - }, - "panelIndex": "296e71e6-816e-4553-8b53-e277741cab08", - "title": "Suricata Alerts [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Messages excluding Intel", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "f30259e8-588d-43ba-82c3-e90c38ab986e", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } } - }, - "scale": "ratio", - "sourceField": "event.id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": 
"appState" - }, - "meta": { - "alias": "Not notice.note: Intel.*", - "disabled": false, - "index": "b2060a39-fbee-4cc9-8f1c-04df1faa3b09", - "key": "query", - "negate": false, - "type": "custom", - "value": "{\"bool\":{\"must_not\":[{\"regexp\":{\"notice.note\":{\"flags\":\"ALL\",\"value\":\"Intel.*\"}}}]}}" - }, - "query": { - "bool": { - "must_not": [ + }, { - "regexp": { - "notice.note": { - "flags": "ALL", - "value": "Intel.*" + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "021765c3-7144-47dc-a9e8-a6658780799c", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } } - } } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "source.ip", - "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", - "key": "source.ip", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "source.ip" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d004f7fd-cafa-40cf-b949-47202068d283", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" + ], + "query": { + "language": "kuery", + "query": "" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", 
- "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "db10f425-f12b-43a3-9db1-34fd1b93287a", - "w": 10, - "x": 12, - "y": 18 - }, - "panelIndex": "db10f425-f12b-43a3-9db1-34fd1b93287a", - "title": "Notices [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "filter": { - "language": "kuery", - "query": "" - }, - "isBucketed": false, - "label": "Attack Count", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "event.id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "notice.note: ATTACK::.*", - "disabled": false, - "index": "5cdadd8b-f5f4-4521-94fd-a127f4f39db7", - "key": "query", - "negate": false, - "type": "custom" - }, - "query": { - "regexp": { - "notice.note": { - "flags": "ALL", - "value": "ATTACK::.*" - } - } - } + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": 
null, - "disabled": false, - "field": "source.ip", - "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", - "key": "source.ip", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "source.ip" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } + "gridData": { + "h": 14, + "i": "7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c", + "w": 10, + "x": 12, + "y": 4 }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d004f7fd-cafa-40cf-b949-47202068d283", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } + "panelIndex": "7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c", + "title": "Suricata Alerts [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "22db030e-3be1-473c-a49b-2635390e9419", - "w": 7, - "x": 22, - "y": 18 - }, - "panelIndex": "22db030e-3be1-473c-a49b-2635390e9419", - "title": "Attack Count [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" 
- } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "SSL Certs. Issues", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Source IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "54b85c28-2d24-4f06-a535-2ca2858c981a", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "event.id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "notice.note", - "index": "c51ddc09-9dfb-46f0-89ec-5a3c2276d3dd", - "key": "notice.note", - "negate": false, - "params": [ - "SSL::Certificate_Expired", - "SSL::Invalid_Server_Cert", - "SSL::Old_Version" - ], - "type": "phrases" - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "notice.note": "SSL::Certificate_Expired" - } }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ { - "match_phrase": { - "notice.note": "SSL::Invalid_Server_Cert" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "54b85c28-2d24-4f06-a535-2ca2858c981a", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, { - 
"match_phrase": { - "notice.note": "SSL::Old_Version" - } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d004f7fd-cafa-40cf-b949-47202068d283", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "58e67657-fd2d-489b-9742-60dfe2979c0b", - "w": 7, - "x": 29, - "y": 18 - }, - "panelIndex": "58e67657-fd2d-489b-9742-60dfe2979c0b", - "title": "SSL Certs. 
Issues [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Meterpreter Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } } - }, - "scale": "ratio", - "sourceField": "event.id" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "notice.note", - "index": "01f96915-a2a1-43aa-82bd-93a495dbd7f5", - "key": "notice.note", - "negate": false, - "params": { - "query": "MeterpreterDetection::Meterpreter_Detected" + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "notice.note": "MeterpreterDetection::Meterpreter_Detected" - } - } + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - { - 
"$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } + "gridData": { + "h": 4, + "i": "4565d681-c2bc-495f-b81e-8de0c50c53cf", + "w": 8, + "x": 22, + "y": 4 }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d004f7fd-cafa-40cf-b949-47202068d283", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } + "panelIndex": "4565d681-c2bc-495f-b81e-8de0c50c53cf", + "title": "Unique Source IPs [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "753224ec-ddb9-474b-bd82-682c1eb24fe1", - "w": 6, - "x": 36, - "y": 18 - }, - "panelIndex": "753224ec-ddb9-474b-bd82-682c1eb24fe1", - "title": "Meterpreter Count [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": 
["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Note Count", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "notice.note" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "d004f7fd-cafa-40cf-b949-47202068d283", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": 
"e4e146ee-682b-454a-9296-920357fb6e6f", - "w": 6, - "x": 42, - "y": 18 - }, - "panelIndex": "e4e146ee-682b-454a-9296-920357fb6e6f", - "title": "Int. Message Count [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { - "columnOrder": [ - "725e430b-5db2-4dce-a571-ec03a89b4e21", - "042f1307-63df-4962-915d-4b2deadd0d01" - ], - "columns": { - "042f1307-63df-4962-915d-4b2deadd0d01": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Notes", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Dest. 
IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "destination.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "19a4e984-83c0-4ab7-b633-a2d73579e9cb", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "event.id" }, - "725e430b-5db2-4dce-a571-ec03a89b4e21": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + 
"enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "Not notice.note: Intel.*", - "disabled": false, - "index": "7abf972e-5262-4a3a-b76a-9e68a8768358", - "key": "query", - "negate": false, - "type": "custom" - }, - "query": { - "bool": { - "must_not": [ + }, + "filters": [ { - "regexp": { - "notice.note": { - "flags": "ALL", - "value": "Intel.*" + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "19a4e984-83c0-4ab7-b633-a2d73579e9cb", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } } - } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "114a2b2d-ee02-4e87-92f2-09811a13dd7a", - "key": "event.dataset", - "negate": false, - "params": { - "query": "notice" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "notice" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "LINEAR", - "emphasizeFitting": true, - "endValue": "Nearest", - "fittingFunction": "None", - "layers": [ - { - "accessors": ["042f1307-63df-4962-915d-4b2deadd0d01"], - "colorMapping": { - 
"assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ + }, { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } } - ] + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" }, - "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" - } - ], - "legend": { - "isVisible": true, - "position": "right" + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "gridData": { + "h": 4, + "i": "f11b1714-11be-470f-a254-16de8bc012f9", + "w": 9, + "x": 30, + "y": 4 + }, + "panelIndex": "f11b1714-11be-470f-a254-16de8bc012f9", + "title": "Unique Dest. 
IPs [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 10, - "i": "d0d242fc-1339-4905-951a-aa6414d138e5", - "w": 26, - "x": 22, - "y": 22 - }, - "panelIndex": "d0d242fc-1339-4905-951a-aa6414d138e5", - "title": "Notices [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "2f1a7688-ceef-4972-abf3-a0c1fade953e": { - "columnOrder": ["aec5431f-777a-4a87-a10c-549cdf81ec13"], - "columns": { - "aec5431f-777a-4a87-a10c-549cdf81ec13": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Intel Indicators", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "event.id" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "ba9ca2de-47ae-4045-9252-38d5cdfce8e5", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": 
"8523aff5-d4c3-4500-b4ea-05b81021ac6f", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "icon": "empty", - "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", - "layerType": "data", - "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", - "showBar": false, - "valueFontMode": "default" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57", - "w": 10, - "x": 12, - "y": 32 - }, - "panelIndex": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57", - "title": "Threat Intel [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { - "columnOrder": ["e82dddda-2b5a-4537-99f5-14fcabd42513"], - "columns": { - "e82dddda-2b5a-4537-99f5-14fcabd42513": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique Indicators", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Signatures", + "operationType": 
"unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "rule.signature_id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "9520c5db-0b83-4929-bda9-8ad0f0f74387", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "trendlineSecondaryMetricAccessor": "bc342f7b-4f88-481a-acec-d566ed883c13", + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "intel.seen.indicator" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", - "key": 
"observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "layerType": "data", - "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "a60c7606-8988-4755-8b3e-17816a006021", - "w": 8, - "x": 22, - "y": 32 - }, - "panelIndex": "a60c7606-8988-4755-8b3e-17816a006021", - "title": "Unique Indicators [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { - "columnOrder": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513", - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1", - "e82dddda-2b5a-4537-99f5-14fcabd42513X2" - ], - "columns": { - "e82dddda-2b5a-4537-99f5-14fcabd42513": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Avg Alerts Per Indicator", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "formula": 
"count()/unique_count(intel.seen.indicator)", - "isFormulaBroken": false - }, - "references": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513X2" - ], - "scale": "ratio" - }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Indicator", - "operationType": "count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "___records___" }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Indicator", - "operationType": "unique_count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "intel.seen.indicator" - }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Indicator", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1" - ], - "location": { - "max": 42, - "min": 0 - }, - "name": "divide", - "text": "count()/unique_count(intel.seen.indicator)", - "type": "function" - } - }, - "references": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1" - ], - "scale": "ratio" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - 
"query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "layerType": "data", - "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336", - "w": 9, - "x": 30, - "y": 32 - }, - "panelIndex": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336", - "title": "Avg Alerts Per Indicator [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { - "columnOrder": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513", - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1", - "e82dddda-2b5a-4537-99f5-14fcabd42513X2" - ], - "columns": { - "e82dddda-2b5a-4537-99f5-14fcabd42513": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Avg Alerts Per Source IP", - "operationType": "formula", - "params": { - "format": { - "id": "number", - "params": { - "decimals": 2 - } - }, - "formula": "count()/unique_count(source.ip)", - "isFormulaBroken": false - }, - "references": [ - 
"e82dddda-2b5a-4537-99f5-14fcabd42513X2" - ], - "scale": "ratio" - }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X0": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Source IP", - "operationType": "count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Source IP", - "operationType": "unique_count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "source.ip" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "9520c5db-0b83-4929-bda9-8ad0f0f74387", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "e82dddda-2b5a-4537-99f5-14fcabd42513X2": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Part of Avg Alerts Per Source IP", - "operationType": "math", - "params": { - "tinymathAst": { - "args": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1" - ], - "location": { - "max": 31, - "min": 0 - }, - "name": "divide", - "text": "count()/unique_count(source.ip)", - "type": "function" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "1c95f0d6-d87b-42f8-a6b8-edd61bd18798", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } } - }, - "references": [ - "e82dddda-2b5a-4537-99f5-14fcabd42513X0", - "e82dddda-2b5a-4537-99f5-14fcabd42513X1" - ], - "scale": "ratio" } - }, - 
"ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } + "gridData": { + "h": 4, + "i": "abf210b6-6468-4ddd-a1e9-1f9674fa485a", + "w": 9, + "x": 39, + "y": 4 }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "layerType": "data", - "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" - } + "panelIndex": "abf210b6-6468-4ddd-a1e9-1f9674fa485a", + "title": "Unique Signatures [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 4, - "i": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5", - "w": 9, - "x": 39, - "y": 32 - }, - "panelIndex": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5", - "title": "Avg Alerts Per Source IP [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - 
"name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { - "columnOrder": [ - "725e430b-5db2-4dce-a571-ec03a89b4e21", - "042f1307-63df-4962-915d-4b2deadd0d01" - ], - "columns": { - "042f1307-63df-4962-915d-4b2deadd0d01": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Intel Alerts", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { + "columnOrder": [ + "725e430b-5db2-4dce-a571-ec03a89b4e21", + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "columns": { + "042f1307-63df-4962-915d-4b2deadd0d01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Suricata Alerts", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "725e430b-5db2-4dce-a571-ec03a89b4e21": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, 
+ "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "da320bc3-1d01-493b-9143-564f20e3d135", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" } - }, - "scale": "ratio", - "sourceField": "___records___" }, - "725e430b-5db2-4dce-a571-ec03a89b4e21": { - "customLabel": false, - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - 
}, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "8862f193-7b06-46b0-a064-b10893c39b51", - "key": "event.dataset", - "negate": false, - "params": { - "query": "intel" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "intel" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", - "key": "observer.hostname", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "curveType": "LINEAR", - "emphasizeFitting": true, - "endValue": "Nearest", - "fittingFunction": "None", - "layers": [ - { - "accessors": ["042f1307-63df-4962-915d-4b2deadd0d01"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "area", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 10, - "i": "423e7108-582c-4d2d-9353-fb4631a4d1a3", - "w": 26, - "x": 22, - "y": 36 - }, - "panelIndex": "423e7108-582c-4d2d-9353-fb4631a4d1a3", - "title": "Threat Intel [Logs Corelight]", - "type": "lens" - }, - 
{ - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "## Encrypted Traffic Hygiene", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "e6e50895-288c-414e-9f61-f91fd3d6522e", - "w": 48, - "x": 0, - "y": 46 - }, - "panelIndex": "e6e50895-288c-414e-9f61-f91fd3d6522e", - "title": "", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", - "name": "logs-corelight.ssl-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.ssl-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", - "timeField": "@timestamp", - "title": "logs-corelight.ssl-*" - } - ], - "layers": { - "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1": { - "columns": [ + "filters": [ { - "columnId": "Self Signed Certs", - "fieldName": "Self Signed Certs", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } - } - ], - "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", - "query": { - "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats 
count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" - }, - "visualization": { - "layerId": "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1", - "layerType": "data", - "metricAccessor": "Self Signed Certs" - } - }, - "title": "Metric", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", - "w": 16, - "x": 0, - "y": 50 - }, - "panelIndex": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", - "title": "Self Signed Certs [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5918839a-d5a1-4a87-8971-05283f0052f3", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "17987725-38cf-441b-80f5-bfac6ffdd8f9": { - "columnOrder": [ - "80271d84-9144-4479-9551-98012acc1398", - "bf80f01f-4adb-4f7a-a134-60a1c912d002" - ], - "columns": { - "80271d84-9144-4479-9551-98012acc1398": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - 
"includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "bf80f01f-4adb-4f7a-a134-60a1c912d002": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Certs w/ Low Keys", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "da320bc3-1d01-493b-9143-564f20e3d135", + "key": "event.dataset", + "negate": false, + "params": { + "query": "suricata_corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "suricata_corelight" + } } - }, - "scale": "ratio", - "sourceField": "file.hash.sha256" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "linkToLayers": ["bc293d4e-883c-49c6-b57d-21b1018e67d9"], - "sampling": 1 + ], + "query": { + "language": "kuery", + "query": "" }, - "bc293d4e-883c-49c6-b57d-21b1018e67d9": { - "columnOrder": ["a9e1df93-0853-41f0-ae45-4bcc39f6ecfa"], - "columns": { - "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Certs w/ Low Keys", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "file.hash.sha256" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 10, + "i": "296e71e6-816e-4553-8b53-e277741cab08", + "w": 26, + "x": 22, + "y": 8 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5918839a-d5a1-4a87-8971-05283f0052f3", - "negate": false, - "params": [ - { - 
"meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "x509" - }, - "type": "phrase" + "panelIndex": "296e71e6-816e-4553-8b53-e277741cab08", + "title": "Suricata Alerts [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Messages excluding Intel", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Not notice.note: Intel.*", + "disabled": false, + "index": "b2060a39-fbee-4cc9-8f1c-04df1faa3b09", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"must_not\":[{\"regexp\":{\"notice.note\":{\"flags\":\"ALL\",\"value\":\"Intel.*\"}}}]}}" + }, + 
"query": { + "bool": { + "must_not": [ + { + "regexp": { + "notice.note": { + "flags": "ALL", + "value": "Intel.*" + } + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", + "key": "source.ip", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" + } }, - "query": { - "match_phrase": { - "event.dataset": "x509" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Not notice.note: Intel.*", + 
"disabled": false, + "index": "b2060a39-fbee-4cc9-8f1c-04df1faa3b09", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"must_not\":[{\"regexp\":{\"notice.note\":{\"flags\":\"ALL\",\"value\":\"Intel.*\"}}}]}}" + }, + "query": { + "bool": { + "must_not": [ + { + "regexp": { + "notice.note": { + "flags": "ALL", + "value": "Intel.*" + } + } + } + ] + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", + "key": "source.ip", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "file.x509.public_key_size", - "index": "logs-*", - "key": "file.x509.public_key_size", - "negate": false, - "params": { - "lt": "2048" - }, - "type": "range", - "value": { - "lt": "2048" - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "query": { - "range": { - "file.x509.public_key_size": { - "lt": "2048" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } } - } } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": 
"#FFFFFF", - "layerId": "bc293d4e-883c-49c6-b57d-21b1018e67d9", - "layerType": "data", - "metricAccessor": "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa", - "showBar": false, - "trendlineLayerId": "17987725-38cf-441b-80f5-bfac6ffdd8f9", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "bf80f01f-4adb-4f7a-a134-60a1c912d002", - "trendlineTimeAccessor": "80271d84-9144-4479-9551-98012acc1398" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "9ac116d2-1c6e-409f-8634-c296d2589f92", - "w": 16, - "x": 16, - "y": 50 - }, - "panelIndex": "9ac116d2-1c6e-409f-8634-c296d2589f92", - "title": "Certs w/ Low Keys [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", - "name": "logs-corelight.x509-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.x509-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", - "timeField": "@timestamp", - "title": "logs-corelight.x509-*" - } - ], - "layers": { - "aa51a893-8b6e-4fce-a459-06190e23a89e": { - "columns": [ - { - "columnId": "Expiring Certs.", - "fieldName": "Expiring Certs.", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } - } - ], - "index": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", - "query": { - "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and 
file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" - }, - "visualization": { - "layerId": "aa51a893-8b6e-4fce-a459-06190e23a89e", - "layerType": "data", - "metricAccessor": "Expiring Certs." - } + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "db10f425-f12b-43a3-9db1-34fd1b93287a", + "w": 10, + "x": 12, + "y": 18 + }, + "panelIndex": "db10f425-f12b-43a3-9db1-34fd1b93287a", + "title": "Notices [Logs Corelight]", + "type": "lens" }, - "title": "Metric", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "955936a0-8d1d-49b7-a91b-3af34349a60a", - "w": 16, - "x": 32, - "y": 50 - }, - "panelIndex": "955936a0-8d1d-49b7-a91b-3af34349a60a", - "title": "Expiring Certs. 
[Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { - "columnOrder": [ - "d922e855-cbcb-40ed-9330-9e478a1dcd80", - "4b080a83-e997-4ece-a465-20c01c790d63" - ], - "columns": { - "4b080a83-e997-4ece-a465-20c01c790d63": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "d922e855-cbcb-40ed-9330-9e478a1dcd80": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "TLS Versions", - "operationType": "filters", - "params": { + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "" + }, + "isBucketed": false, + "label": "Attack Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + 
"sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, "filters": [ - { - "input": { - "language": "kuery", - "query": "\"tls.version\" : \"TLSv13\" " - }, - "label": "Most Secure" - }, - { - "input": { - "language": "kuery", - "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" - }, - "label": "Secure" - }, - { - "input": { - "language": "kuery", - "query": "tls.version : unknown-64282" - }, - "label": "Unknown" - }, - { - "input": { - "language": "kuery", - "query": "NOT (tls.version : \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" - }, - "label": "Old Version" - } - ] - }, - "scale": "ordinal" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "ba8ba542-f4ea-432b-b9e4-56f02cecb7d7", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "notice.note: ATTACK::.*", + "disabled": false, + "index": "5cdadd8b-f5f4-4521-94fd-a127f4f39db7", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "regexp": { + "notice.note": { + "flags": "ALL", + "value": "ATTACK::.*" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", + "key": "source.ip", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": 
{ + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" + } }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "tls" - }, - "type": "phrase" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "notice.note: ATTACK::.*", + "disabled": false, + "index": "5cdadd8b-f5f4-4521-94fd-a127f4f39db7", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "regexp": { + "notice.note": { + "flags": "ALL", + "value": "ATTACK::.*" + } + } + } }, - "query": { - "match_phrase": { - "event.dataset": "tls" - } - } - }, - { - "$state": { - "store": "appState" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "55191a81-7ecb-4732-8401-cd67a9e63d45", + "key": 
"source.ip", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } } - ] + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" }, - "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["4b080a83-e997-4ece-a465-20c01c790d63"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["d922e855-cbcb-40ed-9330-9e478a1dcd80"], - "truncateLegend": false - } - ], - "shape": "pie" - } + "syncColors": false, + "syncCursor": true, + 
"syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "22db030e-3be1-473c-a49b-2635390e9419", + "w": 7, + "x": 22, + "y": 18 + }, + "panelIndex": "22db030e-3be1-473c-a49b-2635390e9419", + "title": "Attack Count [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", - "w": 24, - "x": 0, - "y": 62 - }, - "panelIndex": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", - "title": "TLS Versions [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { - "columnOrder": [ - "d922e855-cbcb-40ed-9330-9e478a1dcd80", - "4b080a83-e997-4ece-a465-20c01c790d63" - ], - "columns": { - "4b080a83-e997-4ece-a465-20c01c790d63": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "d922e855-cbcb-40ed-9330-9e478a1dcd80": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "TLS Versions", - "operationType": "filters", - "params": { + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + 
"2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "SSL Certs. Issues", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, "filters": [ - { - "input": { - "language": "kuery", - "query": "\"tls.version\" : \"TLSv13\" " - }, - "label": "Most Secure" - }, - { - "input": { - "language": "kuery", - "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" - }, - "label": "Secure" - }, - { - "input": { - "language": "kuery", - "query": "tls.version : \"unknown-64282\"" - }, - "label": "Unknown" - }, - { - "input": { - "language": "kuery", - "query": "NOT (tls.version : \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" - }, - "label": "Old Version" - } - ] - }, - "scale": "ordinal" - } - }, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": 
"logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "tls" - }, - "type": "phrase" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.note", + "index": "c51ddc09-9dfb-46f0-89ec-5a3c2276d3dd", + "key": "notice.note", + "negate": false, + "params": [ + "SSL::Certificate_Expired", + "SSL::Invalid_Server_Cert", + "SSL::Old_Version" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "notice.note": "SSL::Certificate_Expired" + } + }, + { + "match_phrase": { + "notice.note": "SSL::Invalid_Server_Cert" + } + }, + { + "match_phrase": { + "notice.note": "SSL::Old_Version" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" + } }, - "query": { - "match_phrase": { - "event.dataset": "tls" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" + }, + 
"filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.note", + "index": "c51ddc09-9dfb-46f0-89ec-5a3c2276d3dd", + "key": "notice.note", + "negate": false, + "params": [ + "SSL::Certificate_Expired", + "SSL::Invalid_Server_Cert", + "SSL::Old_Version" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "notice.note": "SSL::Certificate_Expired" + } + }, + { + "match_phrase": { + "notice.note": "SSL::Invalid_Server_Cert" + } + }, + { + "match_phrase": { + "notice.note": "SSL::Old_Version" + } + } + ] + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": ["4b080a83-e997-4ece-a465-20c01c790d63"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - 
"touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } } - ] + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" }, - "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "layerType": "data", - "seriesType": "bar_stacked", - "xAccessor": "d922e855-cbcb-40ed-9330-9e478a1dcd80" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "bar_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 4, + "i": "58e67657-fd2d-489b-9742-60dfe2979c0b", + "w": 7, + "x": 29, + "y": 18 }, - "valueLabels": "show" - } + "panelIndex": "58e67657-fd2d-489b-9742-60dfe2979c0b", + "title": "SSL Certs. 
Issues [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", - "w": 24, - "x": 24, - "y": 62 - }, - "panelIndex": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", - "title": "Internal TLS Version Profile [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "3a8fc291-604b-469a-b1f0-04af963f3bdb": { - "columnOrder": [ - "7b489b22-614b-47a5-aa30-3386198a88cb", - "14c6d6bb-79e4-4f06-ba48-5d369e446cd4" - ], - "columns": { - "14c6d6bb-79e4-4f06-ba48-5d369e446cd4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Encrypted Traffic", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Meterpreter Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + 
"incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.note", + "index": "01f96915-a2a1-43aa-82bd-93a495dbd7f5", + "key": "notice.note", + "negate": false, + "params": { + "query": "MeterpreterDetection::Meterpreter_Detected" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "notice.note": "MeterpreterDetection::Meterpreter_Detected" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "7b489b22-614b-47a5-aa30-3386198a88cb": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "incompleteColumns": {}, - 
"indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "5ec12ef5-06e7-451b-b5af-4320d1a9a19b", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "tls" - }, - "type": "phrase" }, - "query": { - "match_phrase": { - "event.dataset": "tls" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.note", + "index": "01f96915-a2a1-43aa-82bd-93a495dbd7f5", + "key": "notice.note", + "negate": false, + "params": { + "query": "MeterpreterDetection::Meterpreter_Detected" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "notice.note": "MeterpreterDetection::Meterpreter_Detected" + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": 
"observer.hostname" + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": ["14c6d6bb-79e4-4f06-ba48-5d369e446cd4"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } } - ] + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" }, - "layerId": "3a8fc291-604b-469a-b1f0-04af963f3bdb", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "7b489b22-614b-47a5-aa30-3386198a88cb" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 4, + "i": "753224ec-ddb9-474b-bd82-682c1eb24fe1", + "w": 6, + "x": 36, + "y": 18 }, - "valueLabels": "hide" - } + "panelIndex": "753224ec-ddb9-474b-bd82-682c1eb24fe1", + "title": 
"Meterpreter Count [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "96ea21c5-b69c-422b-a146-5e603cb86fc4", - "w": 48, - "x": 0, - "y": 77 - }, - "panelIndex": "96ea21c5-b69c-422b-a146-5e603cb86fc4", - "title": "Encrypted Traffic Over Time [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "## Unencrypted Traffic Hygiene - Indicators", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "a628c097-bb3c-4293-a2fe-079733a79a77", - "w": 48, - "x": 0, - "y": 92 - }, - "panelIndex": "a628c097-bb3c-4293-a2fe-079733a79a77", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3dfb3090-5395-444a-b3c5-5ff9f4829845", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "86bf3a2f-1ace-4808-98ea-397ca4104587": { - "columnOrder": [ - "496ca09e-ad41-458f-b6e0-8fc244dfecf6", - "5b837993-b266-4681-89a2-3013546b6d46" - ], - "columns": { - "496ca09e-ad41-458f-b6e0-8fc244dfecf6": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": 
"auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "5b837993-b266-4681-89a2-3013546b6d46": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unencrypted Connections", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Note Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "notice.note" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { 
+ "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "event.id" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "linkToLayers": ["9bfe18c9-d1a3-4896-bed6-c1a097ce8d87"], - "sampling": 1 }, - "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87": { - "columnOrder": ["50aafda0-86ae-42c4-92eb-7172304d9122"], - "columns": { - "50aafda0-86ae-42c4-92eb-7172304d9122": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unencrypted Connections", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "d004f7fd-cafa-40cf-b949-47202068d283", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } } - }, - "scale": "ratio", - "sourceField": "event.id" } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + 
}, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 4, + "i": "e4e146ee-682b-454a-9296-920357fb6e6f", + "w": 6, + "x": 42, + "y": 18 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3dfb3090-5395-444a-b3c5-5ff9f4829845", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "etc_viz" - }, - "type": "phrase" + "panelIndex": "e4e146ee-682b-454a-9296-920357fb6e6f", + "title": "Int. 
Message Count [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { + "columnOrder": [ + "725e430b-5db2-4dce-a571-ec03a89b4e21", + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "columns": { + "042f1307-63df-4962-915d-4b2deadd0d01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Notes", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "725e430b-5db2-4dce-a571-ec03a89b4e21": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Not notice.note: Intel.*", + "disabled": false, + "index": "7abf972e-5262-4a3a-b76a-9e68a8768358", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "bool": { + "must_not": [ + { + "regexp": { + "notice.note": { + "flags": "ALL", + "value": "Intel.*" + } + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", + "key": 
"observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "114a2b2d-ee02-4e87-92f2-09811a13dd7a", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - "query": { - "match_phrase": { - "event.dataset": "etc_viz" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "Not notice.note: Intel.*", + "disabled": false, + "index": "7abf972e-5262-4a3a-b76a-9e68a8768358", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "bool": { + "must_not": [ + { + "regexp": { + "notice.note": { + "flags": "ALL", 
+ "value": "Intel.*" + } + } + } + ] + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "114a2b2d-ee02-4e87-92f2-09811a13dd7a", + "key": "event.dataset", + "negate": false, + "params": { + "query": "notice" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "notice" + } + } } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", - "layerType": "data", - "metricAccessor": "50aafda0-86ae-42c4-92eb-7172304d9122", - "showBar": false, - "trendlineLayerId": "86bf3a2f-1ace-4808-98ea-397ca4104587", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "5b837993-b266-4681-89a2-3013546b6d46", - "trendlineTimeAccessor": "496ca09e-ad41-458f-b6e0-8fc244dfecf6" - } + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 10, + "i": "d0d242fc-1339-4905-951a-aa6414d138e5", + "w": 26, + "x": 22, + "y": 22 + }, + "panelIndex": "d0d242fc-1339-4905-951a-aa6414d138e5", + "title": "Notices [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": 
"lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "32fe97ea-4e8a-48ab-a02a-b527bc130376", - "w": 12, - "x": 0, - "y": 96 - }, - "panelIndex": "32fe97ea-4e8a-48ab-a02a-b527bc130376", - "title": "Unencrypted Connections [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-85cde827-d782-4cc5-a2e9-06ec5c176314", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9a0d8c7f-ac67-49e7-9542-3bd9863eed85", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2ec1de96-42ef-4638-9c08-dc21120daa95", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a634d260-6f56-4e35-82f6-37bb46227dfe", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "85cde827-d782-4cc5-a2e9-06ec5c176314": { - "columnOrder": ["9b518df5-b067-41ae-a9fb-ade72ce7f894"], - "columns": { - "9b518df5-b067-41ae-a9fb-ade72ce7f894": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "SMB v1 Connections", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2f1a7688-ceef-4972-abf3-a0c1fade953e": { + "columnOrder": [ + "aec5431f-777a-4a87-a10c-549cdf81ec13" + ], + "columns": { + "aec5431f-777a-4a87-a10c-549cdf81ec13": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Intel Indicators", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 
0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "ba9ca2de-47ae-4045-9252-38d5cdfce8e5", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "icon": "empty", + "layerId": "2f1a7688-ceef-4972-abf3-a0c1fade953e", + "layerType": "data", + "metricAccessor": "aec5431f-777a-4a87-a10c-549cdf81ec13", + "showBar": false, + "valueFontMode": "default" } - }, - "scale": "ratio", - "sourceField": "___records___" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.port", - "index": "9a0d8c7f-ac67-49e7-9542-3bd9863eed85", - "key": "destination.port", - "negate": false, - "params": { - "query": "139" }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "destination.port": "139" - } - } - }, - { - 
"$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "2ec1de96-42ef-4638-9c08-dc21120daa95", - "key": "event.dataset", - "negate": false, - "params": ["smb_files", "smb_mapping"], - "type": "phrases", - "value": ["smb_files", "smb_mapping"] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ + "filters": [ { - "match_phrase": { - "event.dataset": "smb_files" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "ba9ca2de-47ae-4045-9252-38d5cdfce8e5", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } }, { - "match_phrase": { - "event.dataset": "smb_mapping" - } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "a634d260-6f56-4e35-82f6-37bb46227dfe", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layerId": "85cde827-d782-4cc5-a2e9-06ec5c176314", - "layerType": "data", - "metricAccessor": "9b518df5-b067-41ae-a9fb-ade72ce7f894" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "1536e399-6fa5-4c67-8cf6-879887c82662", - "w": 12, - "x": 12, - "y": 96 - }, - "panelIndex": "1536e399-6fa5-4c67-8cf6-879887c82662", - "title": "SMB v1 Connections [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": 
"indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0b079edd-048e-4c1b-9a02-e01af8675bb1", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "b49f0771-93f3-4c27-9748-204bc03d4f42": { - "columnOrder": [ - "0ddfbf0d-62eb-4348-af13-5eb9aaff6912", - "20356d37-2d65-48b1-9926-61c6fbc346d3" - ], - "columns": { - "0ddfbf0d-62eb-4348-af13-5eb9aaff6912": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "20356d37-2d65-48b1-9926-61c6fbc346d3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Telnet Sessions", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "8523aff5-d4c3-4500-b4ea-05b81021ac6f", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } } - }, - "scale": "ratio", - "sourceField": "___records___" } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "linkToLayers": ["ba4af475-eb29-4ff6-a6dd-04d8175fb81b"], - "sampling": 1 + ], + "query": { + "language": "kuery", + "query": "" }, - "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { - "columnOrder": ["da6fd550-ba6d-4a30-8c2d-33f46a955dc4"], - "columns": { - "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Telnet 
Sessions", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 14, + "i": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57", + "w": 10, + "x": 12, + "y": 32 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "0b079edd-048e-4c1b-9a02-e01af8675bb1", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" + "panelIndex": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57", + "title": "Threat Intel [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { + "columnOrder": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513" + ], + "columns": { + "e82dddda-2b5a-4537-99f5-14fcabd42513": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Indicators", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "intel.seen.indicator" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + 
"indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "layerType": "data", + "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" + } }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": ["conn", "conn_long", "conn_red"], - "type": "phrases", - "value": ["conn", "conn_long", "conn_red"] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.dataset": "conn" - } - }, - { - "match_phrase": { - "event.dataset": "conn_long" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": 
{ + "exists": { + "field": "observer.hostname" } - }, - { + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { "match_phrase": { - "event.dataset": "conn_red" + "event.dataset": "intel" } - } - ] - } + } } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.port", - "index": "logs-*", - "key": "destination.port", - "negate": false, - "params": { - "query": "23" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "destination.port": "23" - } - } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "layerType": "data", - "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", - "showBar": false, - "trendlineLayerId": "b49f0771-93f3-4c27-9748-204bc03d4f42", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "20356d37-2d65-48b1-9926-61c6fbc346d3", - "trendlineTimeAccessor": "0ddfbf0d-62eb-4348-af13-5eb9aaff6912" - } + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "a60c7606-8988-4755-8b3e-17816a006021", + "w": 8, + "x": 22, + "y": 32 + }, + "panelIndex": 
"a60c7606-8988-4755-8b3e-17816a006021", + "title": "Unique Indicators [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "55bac572-9e7e-4580-b674-a4a7a51b4be4", - "w": 12, - "x": 24, - "y": 96 - }, - "panelIndex": "55bac572-9e7e-4580-b674-a4a7a51b4be4", - "title": "Telnet Sessions [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "3dab57e3-501b-44f3-b26e-ea81181d3096": { - "columnOrder": [ - "016a9807-af3d-4e32-ba73-d9c3679387d6", - "52486aed-4c5f-4ec0-8909-86662ea24984" - ], - "columns": { - "016a9807-af3d-4e32-ba73-d9c3679387d6": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "52486aed-4c5f-4ec0-8909-86662ea24984": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "FTP Sessions", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" } - }, - "scale": 
"ratio", - "sourceField": "___records___" + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { + "columnOrder": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513", + "e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1", + "e82dddda-2b5a-4537-99f5-14fcabd42513X2" + ], + "columns": { + "e82dddda-2b5a-4537-99f5-14fcabd42513": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Avg Alerts Per Indicator", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } + }, + "formula": "count()/unique_count(intel.seen.indicator)", + "isFormulaBroken": false + }, + "references": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513X2" + ], + "scale": "ratio" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Indicator", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Indicator", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "intel.seen.indicator" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Indicator", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1" + ], + "location": { + "max": 42, + "min": 0 + }, + "name": "divide", + "text": "count()/unique_count(intel.seen.indicator)", + "type": "function" + } + }, + "references": [ + 
"e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1" + ], + "scale": "ratio" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "layerType": "data", + "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "linkToLayers": ["ba4af475-eb29-4ff6-a6dd-04d8175fb81b"], - "sampling": 1 }, - "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { - "columnOrder": ["da6fd550-ba6d-4a30-8c2d-33f46a955dc4"], - "columns": { - "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "FTP Sessions", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "filters": [ + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } } - }, - "scale": "ratio", - "sourceField": "___records___" } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 4, + "i": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336", + "w": 9, + "x": 30, + "y": 32 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" + "panelIndex": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336", + "title": "Avg Alerts Per Indicator [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + 
"4bff1510-b6a4-4aeb-b8a4-84eeef3b113c": { + "columnOrder": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513", + "e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1", + "e82dddda-2b5a-4537-99f5-14fcabd42513X2" + ], + "columns": { + "e82dddda-2b5a-4537-99f5-14fcabd42513": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Avg Alerts Per Source IP", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 2 + } + }, + "formula": "count()/unique_count(source.ip)", + "isFormulaBroken": false + }, + "references": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513X2" + ], + "scale": "ratio" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Source IP", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Source IP", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "source.ip" + }, + "e82dddda-2b5a-4537-99f5-14fcabd42513X2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Avg Alerts Per Source IP", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1" + ], + "location": { + "max": 31, + "min": 0 + }, + "name": "divide", + "text": "count()/unique_count(source.ip)", + "type": "function" + } + }, + "references": [ + "e82dddda-2b5a-4537-99f5-14fcabd42513X0", + "e82dddda-2b5a-4537-99f5-14fcabd42513X1" + ], + "scale": "ratio" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, 
+ "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "layerType": "data", + "metricAccessor": "e82dddda-2b5a-4537-99f5-14fcabd42513" + } }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "ftp" - }, - "type": "phrase" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6509a2c4-d895-4b20-afde-d292f1c957ea", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } }, - "query": { - "match_phrase": { - "event.dataset": "ftp" - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", 
+ "index": "416337fa-589c-4f35-a7f5-1dba3bdf55c6", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } } - }, - { - "$state": { - "store": "appState" + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5", + "w": 9, + "x": 39, + "y": 32 + }, + "panelIndex": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5", + "title": "Avg Alerts Per Source IP [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f": { + "columnOrder": [ + "725e430b-5db2-4dce-a571-ec03a89b4e21", + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "columns": { + "042f1307-63df-4962-915d-4b2deadd0d01": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Intel Alerts", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "725e430b-5db2-4dce-a571-ec03a89b4e21": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + 
"textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "8862f193-7b06-46b0-a064-b10893c39b51", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "LINEAR", + "emphasizeFitting": true, + "endValue": "Nearest", + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "042f1307-63df-4962-915d-4b2deadd0d01" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "xAccessor": "725e430b-5db2-4dce-a571-ec03a89b4e21" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { 
+ "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "8862f193-7b06-46b0-a064-b10893c39b51", + "key": "event.dataset", + "negate": false, + "params": { + "query": "intel" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "intel" + } + } }, - "query": { - "exists": { - "field": "observer.hostname" - } + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "5d754a81-c212-495b-bcca-072b1fe41ba7", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "layerType": "data", - "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", - "showBar": false, - "trendlineLayerId": "3dab57e3-501b-44f3-b26e-ea81181d3096", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "52486aed-4c5f-4ec0-8909-86662ea24984", - "trendlineTimeAccessor": "016a9807-af3d-4e32-ba73-d9c3679387d6" - } + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 10, + "i": "423e7108-582c-4d2d-9353-fb4631a4d1a3", + "w": 26, + "x": 22, + "y": 36 + }, + "panelIndex": "423e7108-582c-4d2d-9353-fb4631a4d1a3", + "title": "Threat Intel [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "c05df282-f5e3-4635-89d9-2c3824b7c713", - "w": 12, - "x": 36, - "y": 96 - }, - "panelIndex": 
"c05df282-f5e3-4635-89d9-2c3824b7c713", - "title": "FTP Sessions [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "a43b081c-d4f3-4e85-926b-1297b06b22e0": { - "columnOrder": [ - "e504a2f7-bb66-4e9f-81d1-548068486084", - "a11e393b-4048-43c5-9cb9-fd556d726cca", - "4d96e75b-914a-4251-a830-2336592d52ad" - ], - "columns": { - "4d96e75b-914a-4251-a830-2336592d52ad": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } } - }, - "scale": "ratio", - "sourceField": "___records___" }, - "a11e393b-4048-43c5-9cb9-fd556d726cca": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## Encrypted Traffic Hygiene", + "openLinksInNewTab": false }, - "e504a2f7-bb66-4e9f-81d1-548068486084": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Service", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - 
"missingBucket": false, - "orderBy": { - "columnId": "4d96e75b-914a-4251-a830-2336592d52ad", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "network.protocol" - } - }, - "incompleteColumns": {}, - "sampling": 1 + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 4, + "i": "e6e50895-288c-414e-9f61-f91fd3d6522e", + "w": 48, + "x": 0, + "y": 46 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": ["conn", "conn_long", "conn_red"], - "type": "phrases", - "value": ["conn", "conn_long", "conn_red"] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "event.dataset": "conn" - } - }, - { - "match_phrase": { - "event.dataset": "conn_long" + "panelIndex": "e6e50895-288c-414e-9f61-f91fd3d6522e", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": 
{}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.ssl-*", + "type": "esql" } - }, - { - "match_phrase": { - "event.dataset": "conn_red" + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1": { + "columns": [ + { + "columnId": "Self Signed Certs", + "fieldName": "Self Signed Certs", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" + }, + "timeField": "@timestamp" + } + } } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": false, - "type": "exists", - "value": "exists" + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats count_distinct(destination.domain)\r\n| rename 
`count_distinct(destination.domain)` as `Self Signed Certs`" + }, + "visualization": { + "layerId": "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1", + "layerType": "data", + "metricAccessor": "Self Signed Certs" + } }, - "query": { - "exists": { - "field": "network.protocol" - } + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": [ - "ssl", - "tls", - "ssh", - "https", - "dtls", - "spicy_ipsec_ike_udp", - "spicy_ipsec_udp", - "spicy_stun_tcp" - ], - "type": "phrases", - "value": [ - "ssl", - "tls", - "ssh", - "https", - "dtls", - "spicy_ipsec_ike_udp", - "spicy_ipsec_udp", - "spicy_stun_tcp" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "network.protocol": "ssl" - } - }, - { - "match_phrase": { - "network.protocol": "tls" - } - }, - { - "match_phrase": { - "network.protocol": "ssh" - } - }, - { - "match_phrase": { - "network.protocol": "https" - } - }, - { - "match_phrase": { - "network.protocol": "dtls" - } - }, - { - "match_phrase": { - "network.protocol": "spicy_ipsec_ike_udp" - } - }, - { - "match_phrase": { - "network.protocol": "spicy_ipsec_udp" + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", + "w": 16, + "x": 0, + "y": 50 + 
}, + "panelIndex": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", + "title": "Self Signed Certs [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5918839a-d5a1-4a87-8971-05283f0052f3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "17987725-38cf-441b-80f5-bfac6ffdd8f9": { + "columnOrder": [ + "80271d84-9144-4479-9551-98012acc1398", + "bf80f01f-4adb-4f7a-a134-60a1c912d002" + ], + "columns": { + "80271d84-9144-4479-9551-98012acc1398": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bf80f01f-4adb-4f7a-a134-60a1c912d002": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Certs w/ Low Keys", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "file.hash.sha256" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "bc293d4e-883c-49c6-b57d-21b1018e67d9" + ], + "sampling": 1 + }, + "bc293d4e-883c-49c6-b57d-21b1018e67d9": { + "columnOrder": [ + "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa" + ], + "columns": { + "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Certs w/ Low Keys", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + 
"params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "file.hash.sha256" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} } - }, - { - "match_phrase": { - "network.protocol": "spicy_stun_tcp" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5918839a-d5a1-4a87-8971-05283f0052f3", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "x509" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "x509" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.x509.public_key_size", + "index": "logs-*", + "key": "file.x509.public_key_size", + "negate": false, + "params": { + "lt": "2048" + }, + "type": "range", + "value": { + "lt": "2048" + } + }, + "query": { + "range": { + "file.x509.public_key_size": { + "lt": "2048" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } - ] - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": 
"network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": { - "query": "ssl,http" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "network.protocol": "ssl,http" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": { - "query": "http,ssl" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "network.protocol": "http,ssl" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": { - "query": "ssl,xmpp" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "network.protocol": "ssl,xmpp" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": { - "query": "spicy_ipsec_ike_udp,spicy_ipsec_udp" - }, - "type": "phrase" + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "bc293d4e-883c-49c6-b57d-21b1018e67d9", + "layerType": "data", + "metricAccessor": "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa", + "showBar": false, + "trendlineLayerId": "17987725-38cf-441b-80f5-bfac6ffdd8f9", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "bf80f01f-4adb-4f7a-a134-60a1c912d002", + "trendlineTimeAccessor": "80271d84-9144-4479-9551-98012acc1398" + } }, - "query": { - "match_phrase": { - "network.protocol": "spicy_ipsec_ike_udp,spicy_ipsec_udp" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - 
}, - "meta": { - "alias": null, - "disabled": false, - "field": "network.protocol", - "index": "logs-*", - "key": "network.protocol", - "negate": true, - "params": { - "query": "krb,krb_tcp" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "network.protocol": "krb,krb_tcp" - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "x509" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "x509" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.x509.public_key_size", + "index": "logs-*", + "key": "file.x509.public_key_size", + "negate": false, + "params": { + "lt": "2048" + }, + "type": "range", + "value": { + "lt": "2048" + } + }, + "query": { + "range": { + "file.x509.public_key_size": { + "lt": "2048" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - 
"axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 12, + "i": "9ac116d2-1c6e-409f-8634-c296d2589f92", + "w": 16, + "x": 16, + "y": 50 }, - "layers": [ - { - "accessors": ["4d96e75b-914a-4251-a830-2336592d52ad"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "9ac116d2-1c6e-409f-8634-c296d2589f92", + "title": "Certs w/ Low Keys [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + "name": "logs-corelight.x509-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.x509-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + "timeField": "@timestamp", + "title": "logs-corelight.x509-*" + } + ], + "layers": { + "aa51a893-8b6e-4fce-a459-06190e23a89e": { + "columns": [ + { + "columnId": "Expiring Certs.", + "fieldName": "Expiring Certs.", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": 
"ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + "query": { + "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" + }, + "visualization": { + "layerId": "aa51a893-8b6e-4fce-a459-06190e23a89e", + "layerType": "data", + "metricAccessor": "Expiring Certs." 
+ } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "a43b081c-d4f3-4e85-926b-1297b06b22e0", - "layerType": "data", - "position": "top", - "seriesType": "area", - "showGridlines": false, - "splitAccessor": "e504a2f7-bb66-4e9f-81d1-548068486084", - "xAccessor": "a11e393b-4048-43c5-9cb9-fd556d726cca" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": true + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "area", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 12, + "i": "955936a0-8d1d-49b7-a91b-3af34349a60a", + "w": 16, + "x": 32, + "y": 50 }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "ee6608a6-a905-4e49-acd2-18a119dc633a", - "w": 48, - "x": 0, - "y": 108 - }, - "panelIndex": "ee6608a6-a905-4e49-acd2-18a119dc633a", - "title": "Top Unencrypted Protocols Used [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true, - "savedVis": { - "data": { - 
"aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "## DNS Hygiene", - "openLinksInNewTab": false + "panelIndex": "955936a0-8d1d-49b7-a91b-3af34349a60a", + "title": "Expiring Certs. [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "35079c39-3ce8-47ae-8ccf-77c92e44345e", - "w": 48, - "x": 0, - "y": 124 - }, - "panelIndex": "35079c39-3ce8-47ae-8ccf-77c92e44345e", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "66267767-efdd-44d5-b1f9-df14b732b457": { - "columnOrder": [ - "419606b4-2184-442d-8c6c-2c5c515ce3b6", - "f25b1da0-8365-484b-9a55-e123f0bbfe17" - ], - "columns": { - "419606b4-2184-442d-8c6c-2c5c515ce3b6": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "f25b1da0-8365-484b-9a55-e123f0bbfe17": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed DNS Queries", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { + "columnOrder": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80", + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "columns": { + "4b080a83-e997-4ece-a465-20c01c790d63": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d922e855-cbcb-40ed-9330-9e478a1dcd80": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "TLS Versions", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"tls.version\" : \"TLSv13\" " + }, + "label": "Most Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" + }, + "label": "Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : unknown-64282" + }, + "label": "Unknown" + }, + { + "input": { + "language": "kuery", + "query": "NOT (tls.version : \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" + }, + "label": "Old Version" + } + ] + }, + "scale": "ordinal" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba8ba542-f4ea-432b-b9e4-56f02cecb7d7", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + 
"query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80" + ], + "truncateLegend": false + } + ], + "shape": "pie" } - }, - "scale": "ratio", - "sourceField": "dns.response_code" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "linkToLayers": ["d4281ac5-0f1f-408e-b630-0496df8a6abd"], - "sampling": 1 }, - "d4281ac5-0f1f-408e-b630-0496df8a6abd": { - "columnOrder": 
["bf395d6a-f13a-420b-af21-92f5d7524e0d"], - "columns": { - "bf395d6a-f13a-420b-af21-92f5d7524e0d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Failed DNS Queries", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "dns.response_code" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba8ba542-f4ea-432b-b9e4-56f02cecb7d7", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 15, + "i": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", + "w": 24, + "x": 0, + "y": 62 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": 
"appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "d9855a4e-7726-4400-8cf3-0be9a0fcfa2f", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "dns" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "dns" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "dns.response_code", - "index": "logs-*", - "key": "dns.response_code", - "negate": false, - "params": [ - "SERVFAIL", - "REFUSED", - "FORMERR", - "NOTIMP", - "NOTAUTH" - ], - "type": "phrases", - "value": [ - "SERVFAIL", - "REFUSED", - "FORMERR", - "NOTIMP", - "NOTAUTH" - ] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "dns.response_code": "SERVFAIL" - } - }, - { - "match_phrase": { - "dns.response_code": "REFUSED" - } - }, - { - "match_phrase": { - "dns.response_code": "FORMERR" - } - }, - { - "match_phrase": { - "dns.response_code": "NOTIMP" + "panelIndex": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", + "title": "TLS Versions [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { + "columnOrder": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80", + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "columns": { + "4b080a83-e997-4ece-a465-20c01c790d63": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d922e855-cbcb-40ed-9330-9e478a1dcd80": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "TLS Versions", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"tls.version\" : \"TLSv13\" " + }, + "label": "Most Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" + }, + "label": "Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : \"unknown-64282\"" + }, + "label": "Unknown" + }, + { + "input": { + "language": "kuery", + "query": "NOT (tls.version : \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" + }, + "label": "Old Version" + } + ] + }, + "scale": "ordinal" + } + }, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} } - }, - { - "match_phrase": { - "dns.response_code": "NOTAUTH" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "negate": false, + "params": [ + { + "meta": 
{ + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } - ] - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", - "layerType": "data", - "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", - "showBar": false, - "trendlineLayerId": "66267767-efdd-44d5-b1f9-df14b732b457", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "f25b1da0-8365-484b-9a55-e123f0bbfe17", - "trendlineTimeAccessor": "419606b4-2184-442d-8c6c-2c5c515ce3b6" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "29799cca-01ae-4c3f-911d-d07b116968eb", - "w": 12, - "x": 0, - "y": 128 - }, - "panelIndex": "29799cca-01ae-4c3f-911d-d07b116968eb", - "title": "Failed DNS Queries [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - 
{ - "id": "logs-*", - "name": "indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "071618ce-0873-4d00-ad7c-002474b23ceb": { - "columnOrder": [ - "0f9ca953-058a-4cc1-b046-3179b9a86232", - "c381d089-e693-481b-af25-375b5cbff6ef" - ], - "columns": { - "0f9ca953-058a-4cc1-b046-3179b9a86232": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "c381d089-e693-481b-af25-375b5cbff6ef": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unusual Qtypes", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": 
"d922e855-cbcb-40ed-9330-9e478a1dcd80" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" } - }, - "scale": "ratio", - "sourceField": "___records___" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "linkToLayers": ["d4281ac5-0f1f-408e-b630-0496df8a6abd"], - "sampling": 1 }, - "d4281ac5-0f1f-408e-b630-0496df8a6abd": { - "columnOrder": ["bf395d6a-f13a-420b-af21-92f5d7524e0d"], - "columns": { - "bf395d6a-f13a-420b-af21-92f5d7524e0d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unusual Qtypes", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", 
+ "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 15, + "i": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", + "w": 24, + "x": 24, + "y": 62 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "57907480-ca4a-4cb2-b1bd-e25b7e025fff", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "dns" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "dns" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "dns.question.type", - "index": "logs-*", - "key": "dns.question.type", - "negate": false, - "params": ["AXFR", "IXFR", "ANY", "TXT"], - "type": "phrases", - "value": ["AXFR", 
"IXFR", "ANY", "TXT"] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { - "match_phrase": { - "dns.question.type": "AXFR" - } - }, - { - "match_phrase": { - "dns.question.type": "IXFR" - } - }, - { - "match_phrase": { - "dns.question.type": "ANY" + "panelIndex": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", + "title": "Internal TLS Version Profile [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3a8fc291-604b-469a-b1f0-04af963f3bdb": { + "columnOrder": [ + "7b489b22-614b-47a5-aa30-3386198a88cb", + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4" + ], + "columns": { + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Encrypted Traffic", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "7b489b22-614b-47a5-aa30-3386198a88cb": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} } - }, - { - "match_phrase": { - "dns.question.type": "TXT" + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5ec12ef5-06e7-451b-b5af-4320d1a9a19b", + "negate": false, + "params": [ + { + "meta": { + "alias": 
null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } - ] - } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3a8fc291-604b-469a-b1f0-04af963f3bdb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "7b489b22-614b-47a5-aa30-3386198a88cb" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", 
+ "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5ec12ef5-06e7-451b-b5af-4320d1a9a19b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", - "layerType": "data", - "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", - "showBar": false, - "trendlineLayerId": "071618ce-0873-4d00-ad7c-002474b23ceb", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "c381d089-e693-481b-af25-375b5cbff6ef", - "trendlineTimeAccessor": 
"0f9ca953-058a-4cc1-b046-3179b9a86232" - } + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "96ea21c5-b69c-422b-a146-5e603cb86fc4", + "w": 48, + "x": 0, + "y": 77 + }, + "panelIndex": "96ea21c5-b69c-422b-a146-5e603cb86fc4", + "title": "Encrypted Traffic Over Time [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", - "w": 12, - "x": 12, - "y": 128 - }, - "panelIndex": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", - "title": "Unusual Qtypes [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b8977309-8b15-43e2-a989-d584a507e76c", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "d4281ac5-0f1f-408e-b630-0496df8a6abd": { - "columnOrder": ["bf395d6a-f13a-420b-af21-92f5d7524e0d"], - "columns": { - "bf395d6a-f13a-420b-af21-92f5d7524e0d": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "NXDOMAIN Responses", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "incompleteColumns": {}, - "sampling": 1 }, - "ec2d913a-dfac-492b-8897-0684cb5e8384": { - "columnOrder": [ - 
"eba6a3d3-63dd-4d94-b96d-1ea2930d2b61", - "0aa08f02-f75e-4c1f-ab8b-1348751a830e" - ], - "columns": { - "0aa08f02-f75e-4c1f-ab8b-1348751a830e": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "NXDOMAIN Responses", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } } - }, - "scale": "ratio", - "sourceField": "___records___" }, - "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "linkToLayers": ["d4281ac5-0f1f-408e-b630-0496df8a6abd"], - "sampling": 1 + "description": "", + "params": { + "fontSize": 12, + "markdown": "## Unencrypted Traffic Hygiene - Indicators", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 4, + "i": "a628c097-bb3c-4293-a2fe-079733a79a77", + "w": 48, + "x": 0, + "y": 92 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "b8977309-8b15-43e2-a989-d584a507e76c", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" + "panelIndex": "a628c097-bb3c-4293-a2fe-079733a79a77", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3dfb3090-5395-444a-b3c5-5ff9f4829845", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "86bf3a2f-1ace-4808-98ea-397ca4104587": { + "columnOrder": [ + "496ca09e-ad41-458f-b6e0-8fc244dfecf6", + "5b837993-b266-4681-89a2-3013546b6d46" + ], + "columns": { + "496ca09e-ad41-458f-b6e0-8fc244dfecf6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "5b837993-b266-4681-89a2-3013546b6d46": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unencrypted Connections", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87" + ], + "sampling": 1 + }, + "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87": { + "columnOrder": [ + "50aafda0-86ae-42c4-92eb-7172304d9122" + ], + "columns": { + "50aafda0-86ae-42c4-92eb-7172304d9122": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unencrypted Connections", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": 
{} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3dfb3090-5395-444a-b3c5-5ff9f4829845", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "etc_viz" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "etc_viz" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "layerType": "data", + "metricAccessor": "50aafda0-86ae-42c4-92eb-7172304d9122", + "showBar": false, + "trendlineLayerId": "86bf3a2f-1ace-4808-98ea-397ca4104587", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "5b837993-b266-4681-89a2-3013546b6d46", + "trendlineTimeAccessor": "496ca09e-ad41-458f-b6e0-8fc244dfecf6" + } }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "meta": { - "alias": null, - "disabled": 
false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "dns" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "dns" - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "etc_viz" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "etc_viz" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "32fe97ea-4e8a-48ab-a02a-b527bc130376", + "w": 12, + "x": 0, + "y": 96 + }, + "panelIndex": "32fe97ea-4e8a-48ab-a02a-b527bc130376", + "title": "Unencrypted Connections [Logs Corelight]", + "type": "lens" + 
}, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-85cde827-d782-4cc5-a2e9-06ec5c176314", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9a0d8c7f-ac67-49e7-9542-3bd9863eed85", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ec1de96-42ef-4638-9c08-dc21120daa95", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a634d260-6f56-4e35-82f6-37bb46227dfe", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "85cde827-d782-4cc5-a2e9-06ec5c176314": { + "columnOrder": [ + "9b518df5-b067-41ae-a9fb-ade72ce7f894" + ], + "columns": { + "9b518df5-b067-41ae-a9fb-ade72ce7f894": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "SMB v1 Connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "9a0d8c7f-ac67-49e7-9542-3bd9863eed85", + "key": "destination.port", + "negate": false, + "params": { + "query": "139" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "destination.port": "139" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "2ec1de96-42ef-4638-9c08-dc21120daa95", + "key": "event.dataset", + "negate": false, + "params": [ + "smb_files", + "smb_mapping" + ], + "type": "phrases", + "value": [ + "smb_files", + "smb_mapping" + ] + }, + "query": { + "bool": { + 
"minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "smb_files" + } + }, + { + "match_phrase": { + "event.dataset": "smb_mapping" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "a634d260-6f56-4e35-82f6-37bb46227dfe", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "85cde827-d782-4cc5-a2e9-06ec5c176314", + "layerType": "data", + "metricAccessor": "9b518df5-b067-41ae-a9fb-ade72ce7f894" + } }, - "query": { - "exists": { - "field": "observer.hostname" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "dns.response_code", - "index": "logs-*", - "key": "dns.response_code", - "negate": false, - "params": ["NXDOMAIN", "NO ERROR"], - "type": "phrases", - "value": ["NXDOMAIN", "NO ERROR"] - }, - "query": { - "bool": { - "minimum_should_match": 1, - "should": [ - { + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "logs-*", + "key": "destination.port", + "negate": false, + "params": { + "query": "139" + }, + "type": "phrase" + }, + "query": { "match_phrase": { - "dns.response_code": "NXDOMAIN" + "destination.port": "139" } - }, - { - "match_phrase": { - "dns.response_code": "NO ERROR" + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + 
"smb_files", + "smb_mapping" + ], + "type": "phrases", + "value": [ + "smb_files", + "smb_mapping" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "smb_files" + } + }, + { + "match_phrase": { + "event.dataset": "smb_mapping" + } + } + ] } - } - ] - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#FFFFFF", - "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", - "layerType": "data", - "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", - "showBar": false, - "trendlineLayerId": "ec2d913a-dfac-492b-8897-0684cb5e8384", - "trendlineLayerType": "metricTrendline", - "trendlineMetricAccessor": "0aa08f02-f75e-4c1f-ab8b-1348751a830e", - "trendlineTimeAccessor": "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", - "w": 12, - "x": 24, - "y": 128 - }, - "panelIndex": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", - "title": "NXDOMAIN Responses [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", - "name": "logs-corelight.conn-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.conn-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", - "timeField": "@timestamp", - "title": 
"logs-corelight.conn-*" - } - ], - "layers": { - "de0b257f-0377-4bb9-af1b-7d20dd1167a2": { - "columns": [ + } + }, { - "columnId": "Internal DNS Servers", - "fieldName": "Internal DNS Servers", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } } - ], - "index": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", - "query": { - "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" - }, - "visualization": { - "layerId": "de0b257f-0377-4bb9-af1b-7d20dd1167a2", - "layerType": "data", - "metricAccessor": "Internal DNS Servers" - } - }, - "title": "Metric", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 12, - "i": 
"6fa2127f-76a0-4cf4-aeb5-023a409617c0", - "w": 12, - "x": 36, - "y": 128 - }, - "panelIndex": "6fa2127f-76a0-4cf4-aeb5-023a409617c0", - "title": "Internal DNS Server [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "description": "", - "layerListJSON": [ - { - "alpha": 1, - "id": "7b7288b0-fc66-447a-bf87-ca75657077c1", - "includeInFitToBounds": true, - "label": null, - "locale": "autoselect", - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "isAutoSelect": true, - "lightModeDefault": "road_map_desaturated", - "type": "EMS_TMS" - }, - "style": { - "color": "", - "type": "EMS_VECTOR_TILE" + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "type": "EMS_VECTOR_TILE", - "visible": true - }, - { - "alpha": 0.75, - "disableTooltips": false, - "id": "7b5c7da7-406a-42b5-94d2-ab72f2c41241", - "includeInFitToBounds": true, - "joins": [ - { - "leftField": "iso2", - "right": { - "applyForceRefresh": true, - "applyGlobalQuery": true, - "applyGlobalTime": true, - "id": "9fd3b304-7881-47a0-acaf-8f181f818c92", - "indexPatternRefName": "layer_1_join_0_index_pattern", - "metrics": [ - { - "type": "count" - } - ], - "term": "destination.geo.country_iso_code", - "type": "ES_TERM_SOURCE" - } - } - ], - "label": null, - "maxZoom": 24, - "minZoom": 0, - "sourceDescriptor": { - "id": "world_countries", - "tooltipProperties": ["iso2"], - "type": "EMS_FILE" + "gridData": { + "h": 12, + "i": "1536e399-6fa5-4c67-8cf6-879887c82662", + "w": 12, + "x": 12, + "y": 96 }, - "style": { - "isTimeAware": true, - "properties": { - "fillColor": { - "options": { - "color": "Yellow to Red", - "colorCategory": "palette_0", - "field": { - "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", - "origin": "join" - }, - "fieldMetaOptions": { - "isEnabled": true, - "sigma": 3 + "panelIndex": "1536e399-6fa5-4c67-8cf6-879887c82662", + "title": 
"SMB v1 Connections [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0b079edd-048e-4c1b-9a02-e01af8675bb1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b49f0771-93f3-4c27-9748-204bc03d4f42": { + "columnOrder": [ + "0ddfbf0d-62eb-4348-af13-5eb9aaff6912", + "20356d37-2d65-48b1-9926-61c6fbc346d3" + ], + "columns": { + "0ddfbf0d-62eb-4348-af13-5eb9aaff6912": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "20356d37-2d65-48b1-9926-61c6fbc346d3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Telnet Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b" + ], + "sampling": 1 + }, + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { + "columnOrder": [ + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4" + ], + "columns": { + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Telnet Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": 
"___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0b079edd-048e-4c1b-9a02-e01af8675bb1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "logs-*", + "key": "destination.port", + "negate": false, + "params": { + "query": "23" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "destination.port": "23" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": 
"" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "layerType": "data", + "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", + "showBar": false, + "trendlineLayerId": "b49f0771-93f3-4c27-9748-204bc03d4f42", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "20356d37-2d65-48b1-9926-61c6fbc346d3", + "trendlineTimeAccessor": "0ddfbf0d-62eb-4348-af13-5eb9aaff6912" + } }, - "type": "ORDINAL" - }, - "type": "DYNAMIC" - }, - "icon": { - "options": { - "value": "marker" - }, - "type": "STATIC" - }, - "iconOrientation": { - "options": { - "orientation": 0 - }, - "type": "STATIC" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" }, - "iconSize": { - "options": { - "size": 6 - }, - "type": "STATIC" - }, - "labelBorderColor": { - "options": { - "color": "#FFFFFF" - }, - "type": "STATIC" - }, - "labelBorderSize": { - "options": { - "size": "SMALL" - } - }, - "labelColor": { - "options": { - "color": "#000000" - }, - "type": "STATIC" - }, - "labelPosition": { - "options": { - "position": "CENTER" - } - }, - "labelSize": { - "options": { - "size": 14 - }, - "type": "STATIC" - }, - "labelText": { - "options": { - "field": { - "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", - "origin": "join" + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "type": "DYNAMIC" - }, - "labelZoomRange": { - "options": { - "maxZoom": 24, - "minZoom": 0, - "useLayerZoomRange": true - } - }, - "lineColor": { - "options": { - "color": "#3d3d3d" - }, - "type": "STATIC" }, - "lineWidth": { - "options": { - "size": 1 - }, - "type": "STATIC" - }, - "symbolizeAs": { - "options": { - "value": "circle" - } - } - }, - "type": "VECTOR" - }, - "type": "GEOJSON_VECTOR", - "visible": true - } - ], - "mapStateJSON": { - "adHocDataViews": [], - "center": { - "lat": 48.09839, - "lon": 38.19049 - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, 
- "disabled": false, - "index": "logs-*", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "dns" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "dns" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + 
"store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "logs-*", + "key": "destination.port", + "negate": false, + "params": { + "query": "23" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "destination.port": "23" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "query": { - "language": "kuery", - "query": "" - }, - "refreshConfig": { - "interval": 60000, - "isPaused": true - }, - "settings": { - "autoFitToDataBounds": false, - "backgroundColor": "#ffffff", - "browserLocation": { - "zoom": 2 + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "customIcons": [], - "disableInteractive": false, - "disableTooltipControl": false, - "fixedLocation": { - "lat": 0, - "lon": 0, - "zoom": 2 + "gridData": { + "h": 12, + "i": "55bac572-9e7e-4580-b674-a4a7a51b4be4", + "w": 12, + "x": 24, + "y": 96 }, - "hideLayerControl": false, - "hideToolbarOverlay": false, - "hideViewControl": false, - "initialLocation": "LAST_SAVED_LOCATION", - "keydownScrollZoom": false, - "maxZoom": 24, - "minZoom": 0, - "showScaleControl": false, - "showSpatialFilters": true, - "showTimesliderToggleButton": true, - "spatialFiltersAlpa": 0.3, - "spatialFiltersFillColor": "#DA8B45", - "spatialFiltersLineColor": "#DA8B45" - }, - "timeFilters": { - "from": "now-15y", - "to": "now" - }, - "zoom": 1.4 + "panelIndex": "55bac572-9e7e-4580-b674-a4a7a51b4be4", + "title": "Telnet Sessions [Logs Corelight]", + "type": 
"lens" }, - "title": "", - "uiStateJSON": { - "isLayerTOCOpen": true, - "openTOCDetails": ["7b5c7da7-406a-42b5-94d2-ab72f2c41241"] - } - }, - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hiddenLayers": [], - "isLayerTOCOpen": false, - "mapBuffer": { - "maxLat": 85.05113, - "maxLon": 270, - "minLat": -66.51326, - "minLon": -270 - }, - "mapCenter": { - "lat": 48.09839, - "lon": 38.19049, - "zoom": 1.4 - }, - "openTOCDetails": ["7b5c7da7-406a-42b5-94d2-ab72f2c41241"] - }, - "gridData": { - "h": 16, - "i": "89bdbbdd-970b-48f0-b467-454690ac31ba", - "w": 48, - "x": 0, - "y": 140 - }, - "panelIndex": "89bdbbdd-970b-48f0-b467-454690ac31ba", - "title": "Geolocation of DNS Responses [Logs Corelight]", - "type": "map" - }, - { - "embeddableConfig": { - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "hidePanelTitles": true, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "## Remote Management Hygiene", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "26018340-67af-4538-b428-d8d46f43eaa5", - "w": 48, - "x": 0, - "y": 156 - }, - "panelIndex": "26018340-67af-4538-b428-d8d46f43eaa5", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { - "columnOrder": [ - "830012a1-ead9-47d0-a1b9-c730c12d2f03", - "4efb03c4-7bfb-467b-95d1-f2f597a54474" - ], - "columns": { - "4efb03c4-7bfb-467b-95d1-f2f597a54474": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - 
"operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3dab57e3-501b-44f3-b26e-ea81181d3096": { + "columnOrder": [ + "016a9807-af3d-4e32-ba73-d9c3679387d6", + "52486aed-4c5f-4ec0-8909-86662ea24984" + ], + "columns": { + "016a9807-af3d-4e32-ba73-d9c3679387d6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "52486aed-4c5f-4ec0-8909-86662ea24984": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "FTP Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b" + ], + "sampling": 1 + }, + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { + "columnOrder": [ + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4" + ], + "columns": { + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "FTP Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + 
"decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ftp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ftp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "layerType": "data", + "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", + "showBar": false, + "trendlineLayerId": "3dab57e3-501b-44f3-b26e-ea81181d3096", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "52486aed-4c5f-4ec0-8909-86662ea24984", + "trendlineTimeAccessor": "016a9807-af3d-4e32-ba73-d9c3679387d6" } - }, - "scale": "ratio", - "sourceField": "___records___" }, - 
"830012a1-ead9-47d0-a1b9-c730c12d2f03": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top VPN destinations", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "4efb03c4-7bfb-467b-95d1-f2f597a54474", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_name" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ftp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ftp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": 
false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 12, + "i": "c05df282-f5e3-4635-89d9-2c3824b7c713", + "w": 12, + "x": 36, + "y": 96 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "vpn" - }, - "type": "phrase" + "panelIndex": "c05df282-f5e3-4635-89d9-2c3824b7c713", + "title": "FTP Sessions [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a43b081c-d4f3-4e85-926b-1297b06b22e0": { + "columnOrder": [ + "e504a2f7-bb66-4e9f-81d1-548068486084", + "a11e393b-4048-43c5-9cb9-fd556d726cca", + "4d96e75b-914a-4251-a830-2336592d52ad" + ], + "columns": { + "4d96e75b-914a-4251-a830-2336592d52ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"a11e393b-4048-43c5-9cb9-fd556d726cca": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e504a2f7-bb66-4e9f-81d1-548068486084": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4d96e75b-914a-4251-a830-2336592d52ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + 
"event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.protocol" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": [ + "ssl", + "tls", + "ssh", + "https", + "dtls", + "spicy_ipsec_ike_udp", + "spicy_ipsec_udp", + "spicy_stun_tcp" + ], + "type": "phrases", + "value": [ + "ssl", + "tls", + "ssh", + "https", + "dtls", + "spicy_ipsec_ike_udp", + "spicy_ipsec_udp", + "spicy_stun_tcp" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "network.protocol": "ssl" + } + }, + { + "match_phrase": { + "network.protocol": "tls" + } + }, + { + "match_phrase": { + "network.protocol": "ssh" + } + }, + { + "match_phrase": { + "network.protocol": "https" + } + }, + { + "match_phrase": { + "network.protocol": "dtls" + } + }, + { + "match_phrase": { + "network.protocol": "spicy_ipsec_ike_udp" + } + }, + { + "match_phrase": { + "network.protocol": "spicy_ipsec_udp" + } + }, + { + "match_phrase": { + "network.protocol": "spicy_stun_tcp" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": 
"ssl,http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "ssl,http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "http,ssl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "http,ssl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "ssl,xmpp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "ssl,xmpp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "spicy_ipsec_ike_udp,spicy_ipsec_udp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "spicy_ipsec_ike_udp,spicy_ipsec_udp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "krb,krb_tcp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "krb,krb_tcp" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { 
+ "accessors": [ + "4d96e75b-914a-4251-a830-2336592d52ad" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "a43b081c-d4f3-4e85-926b-1297b06b22e0", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "e504a2f7-bb66-4e9f-81d1-548068486084", + "xAccessor": "a11e393b-4048-43c5-9cb9-fd556d726cca" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } }, - "query": { - "match_phrase": { - "event.dataset": "vpn" - } + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + 
"conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.protocol" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": [ + "ssl", + "tls", + "ssh", + "https", + "dtls", + "spicy_ipsec_ike_udp", + "spicy_ipsec_udp", + "spicy_stun_tcp" + ], + "type": "phrases", + "value": [ + "ssl", + "tls", + "ssh", + "https", + "dtls", + "spicy_ipsec_ike_udp", + "spicy_ipsec_udp", + "spicy_stun_tcp" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "network.protocol": "ssl" + } + }, + { + "match_phrase": { + "network.protocol": "tls" + } + }, + { + "match_phrase": { + "network.protocol": "ssh" + } + }, + { + "match_phrase": { + "network.protocol": "https" + } + }, + { + "match_phrase": { + "network.protocol": "dtls" + } + }, + { + "match_phrase": { + "network.protocol": "spicy_ipsec_ike_udp" + } + }, + { + "match_phrase": { + "network.protocol": 
"spicy_ipsec_udp" + } + }, + { + "match_phrase": { + "network.protocol": "spicy_stun_tcp" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "ssl,http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "ssl,http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "http,ssl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "http,ssl" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "ssl,xmpp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "ssl,xmpp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "spicy_ipsec_ike_udp,spicy_ipsec_udp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "spicy_ipsec_ike_udp,spicy_ipsec_udp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "krb,krb_tcp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "krb,krb_tcp" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} 
- } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 16, + "i": "ee6608a6-a905-4e49-acd2-18a119dc633a", + "w": 48, + "x": 0, + "y": 108 }, - "layers": [ - { - "accessors": ["4efb03c4-7bfb-467b-95d1-f2f597a54474"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "ee6608a6-a905-4e49-acd2-18a119dc633a", + "title": "Top Unencrypted Protocols Used [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal_stacked", - "showGridlines": false, - "xAccessor": "830012a1-ead9-47d0-a1b9-c730c12d2f03" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## DNS Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } }, - "preferredSeriesType": "bar_horizontal_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 4, + "i": 
"35079c39-3ce8-47ae-8ccf-77c92e44345e", + "w": 48, + "x": 0, + "y": 124 }, - "valueLabels": "show" - } + "panelIndex": "35079c39-3ce8-47ae-8ccf-77c92e44345e", + "type": "visualization" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", - "w": 48, - "x": 0, - "y": 160 - }, - "panelIndex": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", - "title": "Top VPN destinations by Country [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { - "columnOrder": [ - "212b9fd6-2b67-4044-beda-34a878fd7cb3", - "6f9821bc-ee05-4453-b430-4ed07b6ce616" - ], - "columns": { - "212b9fd6-2b67-4044-beda-34a878fd7cb3": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Top 10 Country Name", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "6f9821bc-ee05-4453-b430-4ed07b6ce616", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "destination.geo.country_name" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": 
{ + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "66267767-efdd-44d5-b1f9-df14b732b457": { + "columnOrder": [ + "419606b4-2184-442d-8c6c-2c5c515ce3b6", + "f25b1da0-8365-484b-9a55-e123f0bbfe17" + ], + "columns": { + "419606b4-2184-442d-8c6c-2c5c515ce3b6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f25b1da0-8365-484b-9a55-e123f0bbfe17": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed DNS Queries", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.response_code" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + }, + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed DNS Queries", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.response_code" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d9855a4e-7726-4400-8cf3-0be9a0fcfa2f", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + 
"index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": 
"66267767-efdd-44d5-b1f9-df14b732b457", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "f25b1da0-8365-484b-9a55-e123f0bbfe17", + "trendlineTimeAccessor": "419606b4-2184-442d-8c6c-2c5c515ce3b6" + } }, - "6f9821bc-ee05-4453-b430-4ed07b6ce616": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "___records___" + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d9855a4e-7726-4400-8cf3-0be9a0fcfa2f", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ 
+ "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 12, + "i": "29799cca-01ae-4c3f-911d-d07b116968eb", + "w": 12, + "x": 0, + "y": 128 }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "vpn" - }, - "type": "phrase" + "panelIndex": "29799cca-01ae-4c3f-911d-d07b116968eb", + "title": "Failed DNS Queries [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "071618ce-0873-4d00-ad7c-002474b23ceb": { + "columnOrder": [ + "0f9ca953-058a-4cc1-b046-3179b9a86232", + "c381d089-e693-481b-af25-375b5cbff6ef" + ], + "columns": { + "0f9ca953-058a-4cc1-b046-3179b9a86232": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c381d089-e693-481b-af25-375b5cbff6ef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + }, + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "index": "57907480-ca4a-4cb2-b1bd-e25b7e025fff", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": 
"bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": "071618ce-0873-4d00-ad7c-002474b23ceb", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "c381d089-e693-481b-af25-375b5cbff6ef", + "trendlineTimeAccessor": "0f9ca953-058a-4cc1-b046-3179b9a86232" + } }, - "query": { - "match_phrase": { - "event.dataset": "vpn" - } + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "observer.hostname" - } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "57907480-ca4a-4cb2-b1bd-e25b7e025fff", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - } ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 12, + "i": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", + "w": 12, + "x": 12, + "y": 128 }, - "layers": [ - { - "accessors": ["6f9821bc-ee05-4453-b430-4ed07b6ce616"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ + "panelIndex": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", + "title": "Unusual Qtypes [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", 
+ "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8977309-8b15-43e2-a989-d584a507e76c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "NXDOMAIN Responses", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + }, + "ec2d913a-dfac-492b-8897-0684cb5e8384": { + "columnOrder": [ + "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61", + "0aa08f02-f75e-4c1f-ab8b-1348751a830e" + ], + "columns": { + "0aa08f02-f75e-4c1f-ab8b-1348751a830e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "NXDOMAIN Responses", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b8977309-8b15-43e2-a989-d584a507e76c", + "negate": false, + "params": [ + 
{ + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "NXDOMAIN", + "NO ERROR" + ], + "type": "phrases", + "value": [ + "NXDOMAIN", + "NO ERROR" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "NXDOMAIN" + } + }, + { + "match_phrase": { + "dns.response_code": "NO ERROR" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": "ec2d913a-dfac-492b-8897-0684cb5e8384", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "0aa08f02-f75e-4c1f-ab8b-1348751a830e", + "trendlineTimeAccessor": 
"eba6a3d3-63dd-4d94-b96d-1ea2930d2b61" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "NXDOMAIN", + "NO ERROR" + ], + "type": "phrases", + "value": [ + "NXDOMAIN", + "NO ERROR" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "NXDOMAIN" + } + }, + { + "match_phrase": { + "dns.response_code": "NO ERROR" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - ] + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + 
"query": "" }, - "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal_percentage_stacked", - "showGridlines": false, - "splitAccessor": "212b9fd6-2b67-4044-beda-34a878fd7cb3" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "showSingleSeries": false + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "bar_horizontal_percentage_stacked", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 12, + "i": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", + "w": 12, + "x": 24, + "y": 128 }, - "valueLabels": "show" - } + "panelIndex": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", + "title": "NXDOMAIN Responses [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "5ab5369a-3203-444a-a6df-c6e53a2012d9", - "w": 48, - "x": 0, - "y": 176 - }, - "panelIndex": "5ab5369a-3203-444a-a6df-c6e53a2012d9", - "title": "Percentage of Top VPN Destinations by Country [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "21891190-3fbe-4509-b194-a3b4d9de210e": { - "columnOrder": [ - "d51d895a-e07e-4c6e-abcb-adb341992490", - "d12a96af-d3e0-4deb-a399-7e915cb41e3a", - "2277bb8e-b9c9-41db-bedd-33aa905a38d9" - ], - "columns": { - "2277bb8e-b9c9-41db-bedd-33aa905a38d9": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + { + "embeddableConfig": { + "attributes": { 
+ "references": [], + "state": { + "adHocDataViews": { + "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "name": "logs-corelight.conn-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "timeField": "@timestamp", + "title": "logs-corelight.conn-*" + } + ], + "layers": { + "de0b257f-0377-4bb9-af1b-7d20dd1167a2": { + "columns": [ + { + "columnId": "Internal DNS Servers", + "fieldName": "Internal DNS Servers", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" + }, + "visualization": { + "layerId": 
"de0b257f-0377-4bb9-af1b-7d20dd1167a2", + "layerType": "data", + "metricAccessor": "Internal DNS Servers" } - }, - "scale": "ratio", - "sourceField": "___records___" }, - "d12a96af-d3e0-4deb-a399-7e915cb41e3a": { - "dataType": "date", - "isBucketed": true, - "label": "@timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "h" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "d51d895a-e07e-4c6e-abcb-adb341992490": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Auth Success", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "2277bb8e-b9c9-41db-bedd-33aa905a38d9", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 2 - }, - "scale": "ordinal", - "sourceField": "event.outcome" + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "sampling": 1 - } - } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 12, + "i": "6fa2127f-76a0-4cf4-aeb5-023a409617c0", + "w": 12, + "x": 36, + "y": 128 }, - "textBased": { - "layers": {} - } - }, - 
"filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "4d08dd32-2d05-4ae8-b983-359e174f07f1", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "observer.vendor", - "index": "logs-*", - "key": "observer.vendor", - "negate": false, - "params": { - "query": "Corelight" - }, - "type": "phrase" + "panelIndex": "6fa2127f-76a0-4cf4-aeb5-023a409617c0", + "title": "Internal DNS Server [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "7b7288b0-fc66-447a-bf87-ca75657077c1", + "includeInFitToBounds": true, + "label": null, + "locale": "autoselect", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map_desaturated", + "type": "EMS_TMS" + }, + "style": { + "color": "", + "type": "EMS_VECTOR_TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "disableTooltips": false, + "id": "7b5c7da7-406a-42b5-94d2-ab72f2c41241", + "includeInFitToBounds": true, + "joins": [ + { + "leftField": "iso2", + "right": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "id": "9fd3b304-7881-47a0-acaf-8f181f818c92", + "indexPatternRefName": "layer_1_join_0_index_pattern", + "metrics": [ + { + "type": "count" + } + ], + "term": "destination.geo.country_iso_code", + "type": "ES_TERM_SOURCE" + } + } + ], + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": "world_countries", + "tooltipProperties": [ + "iso2" + ], + "type": "EMS_FILE" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", + "origin": "join" + }, + "fieldMetaOptions": { + "isEnabled": true, + 
"sigma": 3 + }, + "type": "ORDINAL" + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelPosition": { + "options": { + "position": "CENTER" + } + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "field": { + "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", + "origin": "join" + } + }, + "type": "DYNAMIC" + }, + "labelZoomRange": { + "options": { + "maxZoom": 24, + "minZoom": 0, + "useLayerZoomRange": true + } + }, + "lineColor": { + "options": { + "color": "#3d3d3d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "GEOJSON_VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "adHocDataViews": [], + "center": { + "lat": 48.09839, + "lon": 38.19049 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 60000, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "customIcons": [], + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "keydownScrollZoom": false, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-15y", + "to": "now" + }, + "zoom": 1.4 }, - "query": { - "match_phrase": { - "observer.vendor": "Corelight" - } + "title": "", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [ + "7b5c7da7-406a-42b5-94d2-ab72f2c41241" + ] } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "event.dataset", - "index": "logs-*", - "key": "event.dataset", - "negate": false, - "params": { - "query": "rdp" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.dataset": "rdp" - } + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - { - "$state": { - "store": "appState" + }, + "hiddenLayers": [], + "isLayerTOCOpen": false, + 
"mapBuffer": { + "maxLat": 85.05113, + "maxLon": 270, + "minLat": -66.51326, + "minLon": -270 + }, + "mapCenter": { + "lat": 48.09839, + "lon": 38.19049, + "zoom": 1.4 + }, + "openTOCDetails": [ + "7b5c7da7-406a-42b5-94d2-ab72f2c41241" + ] + }, + "gridData": { + "h": 16, + "i": "89bdbbdd-970b-48f0-b467-454690ac31ba", + "w": 48, + "x": 0, + "y": 140 + }, + "panelIndex": "89bdbbdd-970b-48f0-b467-454690ac31ba", + "title": "Geolocation of DNS Responses [Logs Corelight]", + "type": "map" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - "meta": { - "alias": null, - "disabled": false, - "field": "observer.hostname", - "index": "logs-*", - "key": "observer.hostname", - "negate": false, - "type": "exists", - "value": "exists" + "description": "", + "params": { + "fontSize": 12, + "markdown": "## Remote Management Hygiene", + "openLinksInNewTab": false }, - "query": { - "exists": { - "field": "observer.hostname" - } + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "26018340-67af-4538-b428-d8d46f43eaa5", + "w": 48, + "x": 0, + "y": 156 + }, + "panelIndex": "26018340-67af-4538-b428-d8d46f43eaa5", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { + "columnOrder": [ + "830012a1-ead9-47d0-a1b9-c730c12d2f03", + "4efb03c4-7bfb-467b-95d1-f2f597a54474" + ], + "columns": { + "4efb03c4-7bfb-467b-95d1-f2f597a54474": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "830012a1-ead9-47d0-a1b9-c730c12d2f03": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top VPN destinations", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4efb03c4-7bfb-467b-95d1-f2f597a54474", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_name" + } + }, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + 
} + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4efb03c4-7bfb-467b-95d1-f2f597a54474" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "830012a1-ead9-47d0-a1b9-c730c12d2f03" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": ["2277bb8e-b9c9-41db-bedd-33aa905a38d9"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ + }, + "filters": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { 
+ "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - ] + ], + "query": { + "language": "kuery", + "query": "" }, - "layerId": "21891190-3fbe-4509-b194-a3b4d9de210e", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "d51d895a-e07e-4c6e-abcb-adb341992490", - "xAccessor": "d12a96af-d3e0-4deb-a399-7e915cb41e3a" - } - ], - "legend": { - "isVisible": true, - "position": "right" + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", + "w": 48, + "x": 0, + "y": 160 }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide" - } + "panelIndex": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", + "title": "Top VPN destinations by Country [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 16, 
- "i": "c19bc596-61ef-4f39-b512-18356caee0dc", - "w": 48, - "x": 0, - "y": 192 - }, - "panelIndex": "c19bc596-61ef-4f39-b512-18356caee0dc", - "title": "RDP Authentication Attempts [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [], - "state": { - "adHocDataViews": { - "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { - "allowHidden": false, - "allowNoIndex": false, - "fieldFormats": {}, - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "name": "logs-corelight.various-*", - "runtimeFieldMap": {}, - "sourceFilters": [], - "timeFieldName": "@timestamp", - "title": "logs-corelight.various-*", - "type": "esql" - } - }, - "datasourceStates": { - "textBased": { - "indexPatternRefs": [ - { - "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "timeField": "@timestamp", - "title": "logs-corelight.various-*" - } - ], - "layers": { - "8ad58f8f-a262-4c45-84d3-ca1329f6aee2": { - "columns": [ - { - "columnId": "Count", - "fieldName": "Count", - "inMetricDimension": true, - "meta": { - "esType": "long", - "type": "number" - } + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { + "columnOrder": [ + "212b9fd6-2b67-4044-beda-34a878fd7cb3", + "6f9821bc-ee05-4453-b430-4ed07b6ce616" + ], + "columns": { + "212b9fd6-2b67-4044-beda-34a878fd7cb3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 Country Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"6f9821bc-ee05-4453-b430-4ed07b6ce616", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_name" + }, + "6f9821bc-ee05-4453-b430-4ed07b6ce616": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + 
"yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6f9821bc-ee05-4453-b430-4ed07b6ce616" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_percentage_stacked", + "showGridlines": false, + "splitAccessor": "212b9fd6-2b67-4044-beda-34a878fd7cb3" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_percentage_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ { - "columnId": "@timestamp", - "fieldName": "@timestamp", - "meta": { - "esType": "date", - "type": "date" - } + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - ], - "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", - "query": { - "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as Count\r\n| keep Count,@timestamp" - }, - "timeField": "@timestamp" - } - } - } - }, - "filters": [], - "query": { - "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as Count\r\n| keep Count,@timestamp" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 + "gridData": { + "h": 16, + "i": "5ab5369a-3203-444a-a6df-c6e53a2012d9", + "w": 48, + "x": 0, + "y": 176 }, - "layers": [ - { - "accessors": ["Count"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ + "panelIndex": "5ab5369a-3203-444a-a6df-c6e53a2012d9", + "title": "Percentage of Top VPN Destinations by 
Country [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "21891190-3fbe-4509-b194-a3b4d9de210e": { + "columnOrder": [ + "d51d895a-e07e-4c6e-abcb-adb341992490", + "d12a96af-d3e0-4deb-a399-7e915cb41e3a", + "2277bb8e-b9c9-41db-bedd-33aa905a38d9" + ], + "columns": { + "2277bb8e-b9c9-41db-bedd-33aa905a38d9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d12a96af-d3e0-4deb-a399-7e915cb41e3a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d51d895a-e07e-4c6e-abcb-adb341992490": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Auth Success", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2277bb8e-b9c9-41db-bedd-33aa905a38d9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": 
null, + "disabled": false, + "index": "4d08dd32-2d05-4ae8-b983-359e174f07f1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "2277bb8e-b9c9-41db-bedd-33aa905a38d9" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "21891190-3fbe-4509-b194-a3b4d9de210e", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d51d895a-e07e-4c6e-abcb-adb341992490", + "xAccessor": "d12a96af-d3e0-4deb-a399-7e915cb41e3a" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4d08dd32-2d05-4ae8-b983-359e174f07f1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} } - ] + ], + "query": { + "language": "kuery", + "query": "" }, - "layerId": "8ad58f8f-a262-4c45-84d3-ca1329f6aee2", - "layerType": "data", - "seriesType": "line", - "xAccessor": "@timestamp" - } - ], - "legend": { - "isVisible": true, - "position": "right" + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true + "gridData": { + "h": 16, + "i": "c19bc596-61ef-4f39-b512-18356caee0dc", + "w": 48, + "x": 0, + "y": 192 }, - "valueLabels": "hide" - } + "panelIndex": "c19bc596-61ef-4f39-b512-18356caee0dc", + "title": "RDP 
Authentication Attempts [Logs Corelight]", + "type": "lens" }, - "title": "Bar vertical stacked", - "type": "lens", - "visualizationType": "lnsXY" - }, - "disabledActions": ["OPEN_FLYOUT_ADD_DRILLDOWN"], - "enhancements": {} + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "8ad58f8f-a262-4c45-84d3-ca1329f6aee2": { + "columns": [ + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "@timestamp", + "fieldName": "@timestamp", + "meta": { + "esType": "date", + "type": "date" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as Count\r\n| keep Count,@timestamp" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as Count\r\n| keep Count,@timestamp" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "Count" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8ad58f8f-a262-4c45-84d3-ca1329f6aee2", + "layerType": "data", + "seriesType": "line", + "xAccessor": "@timestamp" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Bar vertical stacked", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as Count\r\n| keep Count,@timestamp" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 19, + "i": "b88e5afc-74f6-45df-ac1a-19655138a7d3", + "w": 48, + "x": 0, + "y": 208 + }, + "panelIndex": "b88e5afc-74f6-45df-ac1a-19655138a7d3", + "title": "VPN Connections [Logs Corelight]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Corelight] Security Posture", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T09:23:37.426Z", + "id": 
"corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c:indexpattern-datasource-layer-df498787-6442-4e25-9f74-8c78625cfbbf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4565d681-c2bc-495f-b81e-8de0c50c53cf:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f11b1714-11be-470f-a254-16de8bc012f9:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "abf210b6-6468-4ddd-a1e9-1f9674fa485a:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" }, - "gridData": { - "h": 19, - "i": "b88e5afc-74f6-45df-ac1a-19655138a7d3", - "w": 48, - "x": 0, - "y": 208 + { + "id": "logs-*", + "name": "296e71e6-816e-4553-8b53-e277741cab08:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" }, - "panelIndex": "b88e5afc-74f6-45df-ac1a-19655138a7d3", - "title": "VPN Connections [Logs Corelight]", - "type": "lens" - } + { + "id": "logs-*", + "name": "db10f425-f12b-43a3-9db1-34fd1b93287a:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "22db030e-3be1-473c-a49b-2635390e9419:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "58e67657-fd2d-489b-9742-60dfe2979c0b:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"753224ec-ddb9-474b-bd82-682c1eb24fe1:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e4e146ee-682b-454a-9296-920357fb6e6f:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d0d242fc-1339-4905-951a-aa6414d138e5:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a60c7606-8988-4755-8b3e-17816a006021:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "423e7108-582c-4d2d-9353-fb4631a4d1a3:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:5918839a-d5a1-4a87-8971-05283f0052f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2eab540d-c7cd-4a10-b705-98cf81bff3f6:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", 
+ "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "96ea21c5-b69c-422b-a146-5e603cb86fc4:indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:3dfb3090-5395-444a-b3c5-5ff9f4829845", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1536e399-6fa5-4c67-8cf6-879887c82662:indexpattern-datasource-layer-85cde827-d782-4cc5-a2e9-06ec5c176314", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1536e399-6fa5-4c67-8cf6-879887c82662:9a0d8c7f-ac67-49e7-9542-3bd9863eed85", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1536e399-6fa5-4c67-8cf6-879887c82662:2ec1de96-42ef-4638-9c08-dc21120daa95", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1536e399-6fa5-4c67-8cf6-879887c82662:a634d260-6f56-4e35-82f6-37bb46227dfe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:0b079edd-048e-4c1b-9a02-e01af8675bb1", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee6608a6-a905-4e49-acd2-18a119dc633a:indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee6608a6-a905-4e49-acd2-18a119dc633a:3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:b8977309-8b15-43e2-a989-d584a507e76c", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "89bdbbdd-970b-48f0-b467-454690ac31ba:layer_1_join_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ab5369a-3203-444a-a6df-c6e53a2012d9:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c19bc596-61ef-4f39-b512-18356caee0dc:indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_42578746-ab6b-48bc-b4b7-4453f4bbf187:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } ], - "refreshInterval": { - "pause": true, - "value": 60000 - }, - "timeFrom": "now-24h/h", - "timeRestore": true, - "timeTo": "now", - "title": "[Logs Corelight] Security Posture", - "version": 2 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-02-06T07:20:19.340Z", - "id": "corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "7d878c2d-f1ab-41a7-bb32-bdeec1ffdc8c:indexpattern-datasource-layer-df498787-6442-4e25-9f74-8c78625cfbbf", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "4565d681-c2bc-495f-b81e-8de0c50c53cf:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "f11b1714-11be-470f-a254-16de8bc012f9:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "abf210b6-6468-4ddd-a1e9-1f9674fa485a:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "296e71e6-816e-4553-8b53-e277741cab08:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "db10f425-f12b-43a3-9db1-34fd1b93287a:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "22db030e-3be1-473c-a49b-2635390e9419:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "58e67657-fd2d-489b-9742-60dfe2979c0b:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "753224ec-ddb9-474b-bd82-682c1eb24fe1:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "e4e146ee-682b-454a-9296-920357fb6e6f:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d0d242fc-1339-4905-951a-aa6414d138e5:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "dfa2dfa9-0737-4a4d-9a3a-d83794735a57:indexpattern-datasource-layer-2f1a7688-ceef-4972-abf3-a0c1fade953e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "a60c7606-8988-4755-8b3e-17816a006021:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "d8f0712b-9a85-44d6-b8c2-c0e1791ce336:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "f2415ea7-fa2c-4643-b9fc-ee90446f42b5:indexpattern-datasource-layer-4bff1510-b6a4-4aeb-b8a4-84eeef3b113c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "423e7108-582c-4d2d-9353-fb4631a4d1a3:indexpattern-datasource-layer-eb25c949-e7e9-44f8-a8a6-4d0f3e2e915f", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:5918839a-d5a1-4a87-8971-05283f0052f3", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "2eab540d-c7cd-4a10-b705-98cf81bff3f6:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:209a539e-6ce4-41e8-a3b7-9b4bce41794e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "96ea21c5-b69c-422b-a146-5e603cb86fc4:indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:3dfb3090-5395-444a-b3c5-5ff9f4829845", - "type": "index-pattern" - }, - { - "id": "logs-*", - 
"name": "1536e399-6fa5-4c67-8cf6-879887c82662:indexpattern-datasource-layer-85cde827-d782-4cc5-a2e9-06ec5c176314", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1536e399-6fa5-4c67-8cf6-879887c82662:9a0d8c7f-ac67-49e7-9542-3bd9863eed85", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1536e399-6fa5-4c67-8cf6-879887c82662:2ec1de96-42ef-4638-9c08-dc21120daa95", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1536e399-6fa5-4c67-8cf6-879887c82662:a634d260-6f56-4e35-82f6-37bb46227dfe", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:0b079edd-048e-4c1b-9a02-e01af8675bb1", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ee6608a6-a905-4e49-acd2-18a119dc633a:indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ee6608a6-a905-4e49-acd2-18a119dc633a:3c3ae6fa-719c-4286-b6fd-0a9df3ac5115", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", - "type": 
"index-pattern" - }, - { - "id": "logs-*", - "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:b8977309-8b15-43e2-a989-d584a507e76c", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "5ab5369a-3203-444a-a6df-c6e53a2012d9:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "c19bc596-61ef-4f39-b512-18356caee0dc:indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "89bdbbdd-970b-48f0-b467-454690ac31ba:layer_1_join_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_42578746-ab6b-48bc-b4b7-4453f4bbf187:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "10.2.0" -} + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at 
end of file
diff --git a/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json b/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json
index f9d2659e9aa..11b7b1d6cf6 100644
--- a/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json
+++ b/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json
@@ -14,7 +14,6 @@
 "explicitInput": {
 "dataViewId": "logs-*",
 "fieldName": "observer.hostname",
- "id": "597c5dc5-3e91-4307-8a43-32592d3367d0",
 "searchTechnique": "prefix",
 "selectedOptions": [],
 "sort": {
@@ -72,7 +71,7 @@
 "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - **Name Resolution Insights**\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)",
+ "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - **Name Resolution Insights**\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)",
 "openLinksInNewTab": false
 },
 "title": "",
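Review bot: The new navigation entry targets `#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8`, but no saved object with that id appears anywhere in this diff, so the link only works if the AWS VPC Flow dashboard ships in the same package version under exactly that id. The changelog entry says the dashboard is added, so this is presumably just outside the excerpt, but a hard-coded cross-dashboard id fails silently inside Kibana when ids drift, so it is worth checking the id against the new dashboard file's `id` before merging. The other entries in the list are unchanged and the new one keeps the alphabetical order of the Data Explorer section.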
@@ -198,11 +197,19 @@
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
- "disabledActions": [
- "OPEN_FLYOUT_ADD_DRILLDOWN"
- ],
- "enhancements": {},
- "hidePanelTitles": true
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": true,
+ "query": {
+ "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as Destination, `count()` as `# of Queries`, `count_distinct(source.ip)` as `# of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `# of Queries` DESC, `# of Unique Clients` ASC\r\n| keep Destination, `# of Queries`,`# of Unique Clients`,`Country`, Internal\r\n| stats count()\r\n| rename `count()` as `Responding DNS Servers`"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
 },
 "gridData": {
 "h": 8,
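Review bot: In the added `esql` query, `| limit 10000` sits before the `where` and `stats` stages, so the "Responding DNS Servers" metric is computed from at most 10,000 rows of `logs-corelight.conn-*` taken from the time range in no particular order, not from the whole range; on a busy sensor this silently undercounts and the number can change between refreshes. ES|QL evaluates stages in pipeline order and does not hoist a `where` above an explicit `limit`, so the limit should be moved after the final `stats`/`rename` (or dropped here, since the query already collapses to a single row), e.g. `...| rename `count()` as `Responding DNS Servers`\r\n| limit 10000`. The same early `limit 10000` is in the ESQL of the hunks at `@@ -377,10 +384,18 @@`, `@@ -457,11 +472,19 @@` and `@@ -942,10 +1105,18 @@`, and in the VPN line chart added in the first file; for the datatable panels the limit must come after `sort` for the displayed top rows to be the real top rows.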
@@ -377,10 +384,18 @@
 "type": "lens",
 "visualizationType": "lnsDatatable"
 },
- "disabledActions": [
- "OPEN_FLYOUT_ADD_DRILLDOWN"
- ],
- "enhancements": {}
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as `Destination IP`, `count()` as `Number of Queries`, `count_distinct(source.ip)` as `Number of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `Number of Queries` DESC, `Number of Unique Clients` ASC\r\n| keep `Destination IP`, `Number of Queries`,`Number of Unique Clients`,`Country`, Internal"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
 },
 "gridData": {
 "h": 16,
@@ -457,11 +472,19 @@
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
- "disabledActions": [
- "OPEN_FLYOUT_ADD_DRILLDOWN"
- ],
- "enhancements": {},
- "hidePanelTitles": true
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "hidePanelTitles": true,
+ "query": {
+ "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as Source, destination.ip as Responder, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, \"Yes\", \"No\")\r\n| keep Source, Responder, Query, `Rejected?`, Count\r\n| stats sum(Count)\r\n| rename `sum(Count)` as `NXDOMAIN Responses`"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
 },
 "gridData": {
 "h": 8,
@@ -768,8 +791,148 @@
 "type": "lens",
 "visualizationType": "lnsMetric"
 },
- "enhancements": {},
- "hidePanelTitles": true
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "index": "d231056f-f69b-475d-8c67-3d4781691d7b",
+ "negate": false,
+ "params": [
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "observer.vendor",
+ "index": "logs-*",
+ "key": "observer.vendor",
+ "negate": false,
+ "params": {
+ "query": "Corelight"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "observer.vendor": "Corelight"
+ }
+ }
+ },
+ {
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "event.dataset",
+ "index": "logs-*",
+ "key": "event.dataset",
+ "negate": false,
+ "params": {
+ "query": "dns"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "event.dataset": "dns"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "observer.hostname",
+ "index": "logs-*",
+ "key": "observer.hostname",
+ "negate": false,
+ "type": "exists",
+ "value": "exists"
+ },
+ "query": {
+ "exists": {
+ "field": "observer.hostname"
+ }
+ }
+ },
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "dns.question.type",
+ "index": "logs-*",
+ "key": "dns.question.type",
+ "negate": false,
+ "params": [
+ "AXFR",
+ "IXFR",
+ "ANY",
+ "TXT"
+ ],
+ "type": "phrases",
+ "value": [
+ "AXFR",
+ "IXFR",
+ "ANY",
+ "TXT"
+ ]
+ },
+ "query": {
+ "bool": {
+ "minimum_should_match": 1,
+ "should": [
+ {
+ "match_phrase": {
+ "dns.question.type": "AXFR"
+ }
+ },
+ {
+ "match_phrase": {
+ "dns.question.type": "IXFR"
+ }
+ },
+ {
+ "match_phrase": {
+ "dns.question.type": "ANY"
+ }
+ },
+ {
+ "match_phrase": {
+ "dns.question.type": "TXT"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "relation": "AND",
+ "type": "combined"
+ },
+ "query": {}
+ }
+ ],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
 },
 "gridData": {
 "h": 8,
@@ -942,10 +1105,18 @@
 "type": "lens",
 "visualizationType": "lnsDatatable"
 },
- "disabledActions": [
- "OPEN_FLYOUT_ADD_DRILLDOWN"
- ],
- "enhancements": {}
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, \"Yes\", \"No\")\r\n| sort Count desc\r\n| keep `Source IP`, `Destination IP`, Query, `Rejected?`, Count"
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
 },
 "gridData": {
 "h": 16,
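Review bot: The outer combined filter carries `"index": "d231056f-f69b-475d-8c67-3d4781691d7b"` in its `meta`, which looks like a data-view id from the authoring Kibana instance, whereas every nested clause and the rest of the package refer to the data view as `"logs-*"`. If that id does not exist on the installing cluster the query clauses presumably still apply, but the filter pill cannot resolve its data view and field metadata in the UI, so either confirm the id is mapped through the saved object's `references` or change the line to `"index": "logs-*"` to match the nested filters. The hunk at `@@ -1293,7 +1464,147 @@` has the same pattern with `292f84a8-5325-419b-a0c5-16eb5bd6ff86`. Separately, the `dns.question.type` list (`AXFR`, `IXFR`, `ANY`, `TXT`) is repeated verbatim in both panels, so any future tuning of the watched record types has to be applied in both places.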
@@ -1293,7 +1464,147 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "292f84a8-5325-419b-a0c5-16eb5bd6ff86", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + 
"query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1510,8 +1821,155 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "baebe57a-478c-46bd-b9a0-47c98ac5ee8b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + 
"match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, @@ -1628,11 +2086,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as Responder, avg_rtt as `Avg. Response Time (ms)`\r\n| stats count(Query) \r\n| rename `count(Query)` as `Monitoring DNS Query Response Times \u003e 15ms`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, 
@@ -2008,8 +2474,155 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "568d23b1-2259-41d0-96cb-29eda7008a47", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { 
+ "match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -2118,11 +2731,19 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": false, + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as `Destination IP`, avg_rtt as `Avg. Response Time (ms)`\r\n| keep Query, `Destination IP`,`Avg. Response Time (ms)`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -2303,8 +2924,117 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "93a71a88-d4bf-463f-87ef-b291ff153658", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "dns" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 8, 
@@ -2554,8 +3284,95 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -2577,12 +3394,11 @@ "timeRestore": true, "timeTo": "now", "title": "[Logs Corelight] Name Resolution Insights", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-02-06T07:20:16.569Z", + "created_at": "2026-01-06T09:23:35.396Z", "id": "corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e", - "managed": false, "references": [ { "id": "logs-*", 
diff --git a/packages/corelight/kibana/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa.json b/packages/corelight/kibana/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa.json index 501fc9a82a8..11e0b66cccd 100644 --- a/packages/corelight/kibana/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa.json +++ b/packages/corelight/kibana/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "http.response.status_code", - "id": "35a99a9f-d770-4824-b6fa-b15185d700df", "searchTechnique": "exact", "selectedOptions": [], "sort": { @@ -32,7 +31,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "user_agent.original", - "id": "524af843-c613-493b-a129-aa52c6c05d43", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -50,7 +48,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "http.request.method", - "id": "7fb8732f-b009-425b-8552-7c0008ec41d1", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -68,7 +65,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "afc48b88-9962-439c-9835-de744be7ade5", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -149,7 +145,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - **HTTP**\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - **HTTP**\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -289,8 +285,63 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "user_agent.original", + "index": "logs-*", + "key": "user_agent.original", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "user_agent.original" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "http" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
@@ -418,8 +469,62 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "user_agent.original", + "index": "1bf002e2-a9b9-4f59-8929-90ece408cffa", + "key": "user_agent.original", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "user_agent.original" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, @@ -496,11 +601,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND user_agent.original is not null\r\n| LIMIT 10000\r\n| STATS COUNT_DISTINCT(event.id)\r\n| RENAME `COUNT_DISTINCT(event.id)` AS `Distinct Connections`\r\n| KEEP `Distinct Connections`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
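Review bot: The `Distinct Connections` metric in the second hunk (@@ -496) runs `| LIMIT 10000` before `| STATS COUNT_DISTINCT(event.id)`, so the aggregation input is capped at 10,000 rows and the metric can never report more than that regardless of how much HTTP traffic the time range holds. The same LIMIT-before-STATS shape is used in @@ -577, @@ -658, @@ -906, @@ -1001, @@ -1282, @@ -1377, @@ -1519 and @@ -1641. If the limit exists to protect the browser, move it after the aggregation (`… | STATS COUNT_DISTINCT(event.id) | LIMIT 10000 | RENAME …`); if it is meant as a sample, the panel title should say so. Separately, the source pattern `logs-corelight.http*` has no trailing `-`, unlike `logs-corelight.dns-*` in the DNS dashboard, so it would also match any other data stream whose name begins with `http`; `FROM logs-corelight.http-*` is the consistent form.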
@@ -577,11 +690,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND user_agent.original is not null\r\n| LIMIT 10000\r\n| STATS VALUES(http.response.body.bytes) by source.ip, destination.ip, event.id\r\n| STATS AVG(`VALUES(http.response.body.bytes)`)\r\n| EVAL `Average Body Length` = ROUND(`AVG(``VALUES(http.response.body.bytes)``)`)\r\n| KEEP `Average Body Length`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, @@ -658,11 +779,19 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND user_agent.original is not null\r\n| LIMIT 10000\r\n| STATS VALUES(user_agent.original_length) by source.ip, destination.ip, event.id\r\n| STATS AVG(`VALUES(user_agent.original_length)`)\r\n| EVAL `Average User Agent Length` = ROUND(`AVG(``VALUES(user_agent.original_length)``)`) \r\n| KEEP `Average User Agent Length`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 9, 
@@ -787,8 +916,62 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "2e4dc4e5-8216-456a-be40-e61353ffa6ae", + "key": "event.dataset", + "negate": false, + "params": { + "query": "http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "user_agent.original", + "index": "1bf002e2-a9b9-4f59-8929-90ece408cffa", + "key": "user_agent.original", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "user_agent.original" + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, @@ -906,10 +1089,18 @@ "type": "lens", "visualizationType": "lnsPie" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND user_agent.original is not null AND http.response.status_name IS NOT NULL\r\n| LIMIT 10000\r\n| STATS VALUES(http.response.status_name) by source.ip, destination.ip, event.id \r\n| STATS COUNT() by `VALUES(http.response.status_name)` \r\n| RENAME `VALUES(http.response.status_name)` as `Status Message`, `COUNT()` as Count\r\n| SORT Count DESC\r\n| LIMIT 10 \r\n| KEEP `Status Message`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1001,10 +1192,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND dest_host is not null\r\n| LIMIT 10000\r\n| STATS VALUES(dest_host) by source.ip, destination.ip, event.id \r\n| STATS COUNT() by `VALUES(dest_host)` \r\n| RENAME `VALUES(dest_host)` as `Host Header`, `COUNT()` as Count\r\n| SORT Count desc\r\n| LIMIT 10\r\n| KEEP `Host Header`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1190,7 +1389,84 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "37eb0903-905a-4719-bf92-4492fd7e7004", + "key": "event.dataset", + "negate": false, + "params": { + "query": "conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "bec317a1-7ba3-4793-966a-c0fe68cde81a", + "key": "network.protocol", + "negate": false, + "params": { + "query": "http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "73926b28-ff01-45b5-9e43-9aaee729ff38", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1282,10 +1558,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND dest_host is not null\r\n| LIMIT 10000\r\n| STATS VALUES(dest_host) by source.ip, destination.ip, event.id \r\n| STATS COUNT() by `VALUES(dest_host)` \r\n| RENAME `VALUES(dest_host)` as `Host Header`, `COUNT()` as Count\r\n| SORT Count ASC\r\n| LIMIT 10\r\n| KEEP `Host Header`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -1377,10 +1661,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND dest_host is not null\r\n| LIMIT 10000\r\n| STATS VALUES(user_agent.original) by source.ip, destination.ip, event.id\r\n| STATS COUNT() by `VALUES(user_agent.original)`\r\n| RENAME `VALUES(user_agent.original)` as `Http User Agent`, `COUNT()` as Count\r\n| SORT Count ASC\r\n| LIMIT 10\r\n| KEEP `Http User Agent`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
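Review bot: The user-agent table in the second hunk (@@ -1377) filters on `dest_host is not null` but groups on `VALUES(user_agent.original)`, so rows with a host header and no user agent land in a null `Http User Agent` bucket while rows with a user agent and no host header are dropped; the WHERE appears to have been copied from the host-header query in the hunk above it. Change it to `| WHERE event.dataset == \"http\" AND user_agent.original is not null`. The enclosing panel object starts before the hunk.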
@@ -1519,10 +1811,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND dest_host is not null\r\n| LIMIT 10000\r\n| STATS VALUES(dest_host) by source.ip, destination.ip, event.id \r\n| STATS COUNT() by `VALUES(dest_host)` \r\n| RENAME `VALUES(dest_host)` as `Host Header`, `COUNT()` as Count\r\n| SORT Count desc\r\n| KEEP `Host Header`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -1641,10 +1941,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.http*\r\n| WHERE event.dataset == \"http\" AND dest_host is not null AND http.response.status_code IS NOT NULL\r\n| LIMIT 10000\r\n| STATS VALUES(dest_host), VALUES(http.response.status_code), VALUES(http.response.status_name) by source.ip, destination.ip, event.id \r\n| STATS COUNT() by `VALUES(dest_host)`, `VALUES(http.response.status_code)` , `VALUES(http.response.status_name)` \r\n| RENAME `VALUES(dest_host)` as `Host Header`, `VALUES(http.response.status_code)` as `Status Code`, `VALUES(http.response.status_name)` as `Status Message`, `COUNT()` as Count\r\n| SORT Count desc\r\n| KEEP `Host Header`, `Status Code`, `Status Message`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1660,12 +1968,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] HTTP", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T10:19:48.801Z", + "created_at": "2026-01-06T09:23:38.433Z", "id": "corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa", - "managed": false, "references": [ { "id": "logs-*", @@ -1726,6 +2033,11 @@ "id": "logs-*", "name": "controlGroup_35a99a9f-d770-4824-b6fa-b15185d700df:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8.json b/packages/corelight/kibana/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8.json new file mode 100644 index 00000000000..ea0397b9deb --- /dev/null +++ b/packages/corelight/kibana/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8.json 
@@ -0,0 +1,16263 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "063e2fd9-659e-4362-95f8-7057d21e631d": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "network.direction", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Direction" + }, + "grow": true, + "order": 4, + "type": "optionsListControl", + "width": "medium" + }, + "0a0b3611-3250-476d-b19c-953963299235": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "resp_inst.org_id", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Destination AWS Organization ID" + }, + "grow": true, + "order": 6, + "type": "optionsListControl", + "width": "medium" + }, + "146e6c58-7fe4-484c-a64c-359ec9a24ecc": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "source.ip", + "runPastTimeout": false, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Source IP" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "388044d3-36a5-45c8-a5bf-0d7fe1f20464": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "capture_metadata.vpc.vpc_id", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": false, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "VPC ID" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "8e126021-859a-41c0-b84a-9a44551c1c05": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "orig_inst.org_id", + 
"searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": true, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Source AWS Organization ID" + }, + "grow": true, + "order": 5, + "type": "optionsListControl", + "width": "medium" + }, + "c6d88a1f-5878-4db7-b89c-33ecb859e140": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "observer.hostname", + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": true, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Corelight Sensor" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "fa4eaca2-46e1-45d4-a4a0-4ca99e7c21eb": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "destination.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Destination IP" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d0f1264a-3a68-434d-8e77-02466186f0e3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": 
{}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d0f1264a-3a68-434d-8e77-02466186f0e3": { + "columnOrder": [ + "626ce7b1-3ef7-4964-8f53-1f6b429d47f3", + "84ed0b33-79d9-4868-8a4b-925d1d8ea229" + ], + "columns": { + "626ce7b1-3ef7-4964-8f53-1f6b429d47f3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "84ed0b33-79d9-4868-8a4b-925d1d8ea229", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + }, + "84ed0b33-79d9-4868-8a4b-925d1d8ea229": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Session ID", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d0f1264a-3a68-434d-8e77-02466186f0e3", + "layerType": "data", + "regionAccessor": "626ce7b1-3ef7-4964-8f53-1f6b429d47f3", + "valueAccessor": "84ed0b33-79d9-4868-8a4b-925d1d8ea229" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsChoropleth" + }, + "description": "Identifying 
inbound connections to your organization's AWS VPC", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": 
"observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "79b479b3-ab96-4b3e-84b1-998dc63b634b", + "w": 29, + "x": 0, + "y": 75 + }, + "panelIndex": "79b479b3-ab96-4b3e-84b1-998dc63b634b", + "title": "Inbound Connections by Source Country", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d0f1264a-3a68-434d-8e77-02466186f0e3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d0f1264a-3a68-434d-8e77-02466186f0e3": { + "columnOrder": [ + "626ce7b1-3ef7-4964-8f53-1f6b429d47f3", + "84ed0b33-79d9-4868-8a4b-925d1d8ea229" + ], + "columns": { + "626ce7b1-3ef7-4964-8f53-1f6b429d47f3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Destination Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "84ed0b33-79d9-4868-8a4b-925d1d8ea229", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_iso_code" + }, + "84ed0b33-79d9-4868-8a4b-925d1d8ea229": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Session ID", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + 
"ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + 
"key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "d0f1264a-3a68-434d-8e77-02466186f0e3", + "layerType": "data", + "regionAccessor": "626ce7b1-3ef7-4964-8f53-1f6b429d47f3", + "valueAccessor": "84ed0b33-79d9-4868-8a4b-925d1d8ea229" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsChoropleth" + }, + "description": "Identifying outbound connections from your organization's AWS VPC", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" 
+ }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "df56cedd-65fe-4fd6-95df-457dbe1f74d7", + "w": 29, + "x": 0, + "y": 89 + }, + "panelIndex": "df56cedd-65fe-4fd6-95df-457dbe1f74d7", + "title": "Outbound Connections by Destination Country", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7abc0ea4-73fb-4e9a-95db-e9e85873f982", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75750924-a6c8-4d14-982e-078b2d29755e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a432253f-07b7-4990-aa94-9993fcc76176", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02a52305-2b97-4f2c-8c23-42e44bb158fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d33b2a4f-e773-4ce4-80c4-49a505ef7bb8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "91d1ca62-5bff-4e08-9239-89748529edf6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"50c044bc-ae03-479b-bf7c-10ee6f6b62df", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Volume", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "sum(source.bytes) + sum(destination.bytes)", + "isFormulaBroken": false + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "scale": "ratio" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Volume", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "source.bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Volume", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "destination.bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Volume", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "location": { + "max": 42, + "min": 0 + }, + "name": "add", + "text": "sum(source.bytes) + sum(destination.bytes)", + "type": "function" + } + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + 
"997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "scale": "ratio" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "7abc0ea4-73fb-4e9a-95db-e9e85873f982", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "75750924-a6c8-4d14-982e-078b2d29755e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "a432253f-07b7-4990-aa94-9993fcc76176", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "02a52305-2b97-4f2c-8c23-42e44bb158fc", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "field": "network.direction", + "index": "d33b2a4f-e773-4ce4-80c4-49a505ef7bb8", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "91d1ca62-5bff-4e08-9239-89748529edf6", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "50c044bc-ae03-479b-bf7c-10ee6f6b62df", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": 
"lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + 
"value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6", + "w": 9, + "x": 12, + "y": 0 + }, + "panelIndex": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87c04943-fd51-4aee-96ca-bd6750742106", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b5050370-9360-42d6-9a1c-1cfc659ce894", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "afdd6c0e-49e4-452a-addb-56c8c7b321fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "9c314438-6b71-47a5-9580-3a7ee9d802b5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0830b582-0ee7-4245-909a-78af8be04f2c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d03f8f9a-91c7-4fd8-9bb0-509f99b73ed2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "50d72482-aba3-41a2-bfbe-a09b888fd44f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "87c04943-fd51-4aee-96ca-bd6750742106", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "b5050370-9360-42d6-9a1c-1cfc659ce894", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "afdd6c0e-49e4-452a-addb-56c8c7b321fc", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "9c314438-6b71-47a5-9580-3a7ee9d802b5", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "0830b582-0ee7-4245-909a-78af8be04f2c", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "d03f8f9a-91c7-4fd8-9bb0-509f99b73ed2", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "50d72482-aba3-41a2-bfbe-a09b888fd44f", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": 
{ + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + 
"minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "1a29cb63-2562-4091-a650-544075715729", + "w": 9, + "x": 21, + "y": 0 + }, + "panelIndex": "1a29cb63-2562-4091-a650-544075715729", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "27d23ca9-3464-4832-8cfe-728a6a25a6fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8363c330-2e95-4b70-9303-88b54ca36f17", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a1d023e3-f3da-4b8c-94aa-76e6347d916e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3510f2bb-17f6-4ad2-9179-c29acddfe03b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2f4e225e-244d-444c-bc09-be4303c98417", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "342c7c8d-4280-474d-abeb-401b037b0ddf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "feeebf53-d61e-4362-b82a-6450d8312ebf", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Source IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "27d23ca9-3464-4832-8cfe-728a6a25a6fb", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8363c330-2e95-4b70-9303-88b54ca36f17", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "a1d023e3-f3da-4b8c-94aa-76e6347d916e", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "3510f2bb-17f6-4ad2-9179-c29acddfe03b", + "key": 
"capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "2f4e225e-244d-444c-bc09-be4303c98417", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "342c7c8d-4280-474d-abeb-401b037b0ddf", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "feeebf53-d61e-4362-b82a-6450d8312ebf", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "efea7128-c873-409b-aebe-a301fe01d895", + "w": 9, + "x": 30, + "y": 0 + }, + "panelIndex": "efea7128-c873-409b-aebe-a301fe01d895", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "043828ff-1a11-4991-af7b-558b04c750d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac10368d-9930-4a89-ba90-5070529f990d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dcaa8554-ff5e-43d6-b648-96184d40749b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "61c093c5-bb4c-4f1f-867e-3dbbdd6aaff4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab565996-6195-4090-bad8-5da60194d85f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "feeeddbd-53d8-46ce-9ffb-c70086a1a5a4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ff869537-1e64-41f0-a6f5-a21cd9dee237", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "filter": null, + "isBucketed": false, + "label": "Unique Destination IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 0 + } + } + }, + "reducedTimeRange": null, + "scale": "ratio", + "sourceField": "destination.ip", + "timeShift": null + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "_index", + "index": "043828ff-1a11-4991-af7b-558b04c750d5", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ac10368d-9930-4a89-ba90-5070529f990d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "dcaa8554-ff5e-43d6-b648-96184d40749b", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "61c093c5-bb4c-4f1f-867e-3dbbdd6aaff4", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "ab565996-6195-4090-bad8-5da60194d85f", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "feeeddbd-53d8-46ce-9ffb-c70086a1a5a4", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" 
+ }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "ff869537-1e64-41f0-a6f5-a21cd9dee237", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 7, + "i": "a45cba37-e588-4e13-a501-7a890827d4a2", + "w": 9, + "x": 39, + "y": 0 + }, + "panelIndex": "a45cba37-e588-4e13-a501-7a890827d4a2", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "0cc9f377-1ec1-4ba4-9caf-0e1de2fd35d4", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "0cc9f377-1ec1-4ba4-9caf-0e1de2fd35d4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + 
"dataType": "number", + "filter": null, + "isBucketed": false, + "label": "unique destinations", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "reducedTimeRange": null, + "scale": "ratio", + "sourceField": "destination.ip", + "timeShift": null + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": 
"logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "colorMapping": 
{ + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "seriesType": "line", + "xAccessor": "0cc9f377-1ec1-4ba4-9caf-0e1de2fd35d4" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + 
"negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 8, + "i": 
"8b17e388-b864-434f-9292-d42753c329c7", + "w": 9, + "x": 39, + "y": 7 + }, + "panelIndex": "8b17e388-b864-434f-9292-d42753c329c7", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "a43c89ea-e1c3-4983-a096-fa60852bd5f7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "unique sources", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip" + }, + "a43c89ea-e1c3-4983-a096-fa60852bd5f7": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + 
"negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 
doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "seriesType": "line", + "xAccessor": "a43c89ea-e1c3-4983-a096-fa60852bd5f7" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": 
"logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": 
"query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 8, + "i": "baa08342-f7a7-4ead-bafe-57bf35e90837", + "w": 9, + "x": 30, + "y": 7 + }, + "panelIndex": "baa08342-f7a7-4ead-bafe-57bf35e90837", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42708bb5-f083-4a1b-b2de-2e6cb6878ce7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12490d5c-6f51-4a1e-91c4-a914eb7b497e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3006dcd-c8b9-48a4-a5cd-dde9e87c26eb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "98d59e33-dc48-4559-b867-ca6830d47cc5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b58e858f-f4a3-496a-8d1a-5f635db5da99", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "701f265b-5d26-4ffd-a4c7-434b298a476b", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "f7333720-18de-470d-b3a2-60a009dd16c7", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "5fc0075b-101f-43c6-8de1-9fc81936e793", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "5fc0075b-101f-43c6-8de1-9fc81936e793": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": false, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "42708bb5-f083-4a1b-b2de-2e6cb6878ce7", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "12490d5c-6f51-4a1e-91c4-a914eb7b497e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"capture_source", + "index": "a3006dcd-c8b9-48a4-a5cd-dde9e87c26eb", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "98d59e33-dc48-4559-b867-ca6830d47cc5", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "b58e858f-f4a3-496a-8d1a-5f635db5da99", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "701f265b-5d26-4ffd-a4c7-434b298a476b", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "f7333720-18de-470d-b3a2-60a009dd16c7", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + 
"should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "seriesType": "line", + "xAccessor": "5fc0075b-101f-43c6-8de1-9fc81936e793" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 8, + "i": "14ce901c-bd47-4c98-abb9-90c54727985e", + "w": 9, + "x": 21, + "y": 7 + }, + "panelIndex": "14ce901c-bd47-4c98-abb9-90c54727985e", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "868264ad-1815-4c35-a4e2-b1cbdad0d327", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0de0d2df-a20d-4d1b-b3c6-e651d40757f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5b4dca52-96a0-4513-97a2-a176d8cef1e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2518fdab-da72-4f8e-bcb2-80fc3e5f74a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31473c95-9765-4b59-a017-2a5c3cc08905", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eb1000ac-f1ab-4f7b-ac8c-96d6b08d710e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"8c61b00a-d3d8-4baa-88e2-016614d2da62", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3b97646d-b562-43e7-8e91-2daac479a1cc": { + "columnOrder": [ + "ea2c579a-2390-43e2-afeb-30a0918612a5", + "2a3d9924-faf5-463d-aa14-fa7ae1ab8a71", + "68da99e1-d3da-4289-af3d-df03ddb1622d", + "70fe1b8c-7044-4cfc-9eb8-d20ac7cf8060", + "f401e2c1-9227-4c88-af3f-5421129e79ba" + ], + "columns": { + "2a3d9924-faf5-463d-aa14-fa7ae1ab8a71": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Transport", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": null, + "orderBy": { + "columnId": "f401e2c1-9227-4c88-af3f-5421129e79ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": null, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "network.transport" + }, + "68da99e1-d3da-4289-af3d-df03ddb1622d": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f401e2c1-9227-4c88-af3f-5421129e79ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "destination.port" + }, + "70fe1b8c-7044-4cfc-9eb8-d20ac7cf8060": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": null, + 
"orderBy": { + "columnId": "f401e2c1-9227-4c88-af3f-5421129e79ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": null, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "ea2c579a-2390-43e2-afeb-30a0918612a5": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f401e2c1-9227-4c88-af3f-5421129e79ba", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "f401e2c1-9227-4c88-af3f-5421129e79ba": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Session ID", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "log.id.uid" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "868264ad-1815-4c35-a4e2-b1cbdad0d327", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0de0d2df-a20d-4d1b-b3c6-e651d40757f8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "5b4dca52-96a0-4513-97a2-a176d8cef1e7", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "2518fdab-da72-4f8e-bcb2-80fc3e5f74a8", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "31473c95-9765-4b59-a017-2a5c3cc08905", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "eb1000ac-f1ab-4f7b-ac8c-96d6b08d710e", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "8c61b00a-d3d8-4baa-88e2-016614d2da62", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "f401e2c1-9227-4c88-af3f-5421129e79ba", + "hidden": true, + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "collapseFn": "", + "colorMode": "none", + "columnId": "ea2c579a-2390-43e2-afeb-30a0918612a5", + "hidden": false, + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + }, + { + "alignment": "center", + "columnId": "2a3d9924-faf5-463d-aa14-fa7ae1ab8a71", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + }, + { + "alignment": "center", + "columnId": "68da99e1-d3da-4289-af3d-df03ddb1622d", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + }, + { + "alignment": "center", + "colorMapping": null, + "colorMode": "none", + "columnId": "70fe1b8c-7044-4cfc-9eb8-d20ac7cf8060", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true, + "palette": null + } + ], + "layerId": "3b97646d-b562-43e7-8e91-2daac479a1cc", + "layerType": "data", + "sorting": { + "columnId": "68da99e1-d3da-4289-af3d-df03ddb1622d", + "direction": "asc" + } + } + }, + "title": "", + "type": "lens", 
+ "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": 
false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85", + "w": 24, + "x": 0, + "y": 47 + }, + "panelIndex": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85", + "title": "Connections between Source IPs and Destination IPs", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3b97646d-b562-43e7-8e91-2daac479a1cc": { + "columnOrder": [ + "0a382df2-e479-41ed-afca-aed1b0a13533", + 
"ce62cd98-81c5-4823-b86d-35a33275f301", + "3a8ea73b-c145-4003-8516-a5dbb11421d5" + ], + "columns": { + "0a382df2-e479-41ed-afca-aed1b0a13533": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IPs", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3a8ea73b-c145-4003-8516-a5dbb11421d5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "3a8ea73b-c145-4003-8516-a5dbb11421d5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Volume", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "network.ip_bytes" + }, + "ce62cd98-81c5-4823-b86d-35a33275f301": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Destination Port", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3a8ea73b-c145-4003-8516-a5dbb11421d5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "destination.port" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + 
"query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "3a8ea73b-c145-4003-8516-a5dbb11421d5", + "hidden": false, + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "collapseFn": "", + "columnId": "0a382df2-e479-41ed-afca-aed1b0a13533", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + }, + { + "alignment": "center", + "columnId": "ce62cd98-81c5-4823-b86d-35a33275f301", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + } + ], + "layerId": "3b97646d-b562-43e7-8e91-2daac479a1cc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": 
"appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "4ce9d8b9-a017-4958-85a9-3a4548b4e886", + "w": 24, + "x": 24, + "y": 47 + }, + "panelIndex": "4ce9d8b9-a017-4958-85a9-3a4548b4e886", + "title": "Top 20 Largest Byte Transfers", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3b97646d-b562-43e7-8e91-2daac479a1cc": { + "columnOrder": [ + "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7", + "df8168db-beb1-4892-a623-fdb996933992" + ], + "columns": { + "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"df8168db-beb1-4892-a623-fdb996933992", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + }, + "df8168db-beb1-4892-a623-fdb996933992": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": 
"exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "df8168db-beb1-4892-a623-fdb996933992", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "3b97646d-b562-43e7-8e91-2daac479a1cc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "f718c0a3-f5a5-479c-b545-7e911ab53f6c", + "w": 19, + "x": 29, + "y": 75 + }, + "panelIndex": "f718c0a3-f5a5-479c-b545-7e911ab53f6c", + "title": "Inbound Connections by Source Country", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + 
"description": "", + "params": { + "fontSize": 15, + "markdown": "**VPC Insights derived from Cloud Enrichment Connection Logs**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 2, + "i": "38700819-5361-4073-a100-a2839867356d", + "w": 48, + "x": 0, + "y": 103 + }, + "panelIndex": "38700819-5361-4073-a100-a2839867356d", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-88dc0543-fc61-42fb-8834-ee7a7ee1f0bc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "88dc0543-fc61-42fb-8834-ee7a7ee1f0bc": { + "columnOrder": [ + "938a66a7-cc4d-454d-a72e-9cd27b7b9e83", + "96dda1b6-cfee-409d-a360-374f98f1954f" + ], + "columns": { + "938a66a7-cc4d-454d-a72e-9cd27b7b9e83": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of orig_inst.org_id", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "96dda1b6-cfee-409d-a360-374f98f1954f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "orig_inst.org_id" + }, + "96dda1b6-cfee-409d-a360-374f98f1954f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "event.id", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": 
"logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "orig_inst.* exists OR resp_inst.* exists", + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "orig_inst.az", + "index": "logs-*", + "key": "orig_inst.az", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.az" + } + } + }, + { + "meta": { + "disabled": false, + "field": "orig_inst.id", + "index": "logs-*", + "key": "orig_inst.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.name", + "index": "logs-*", + "key": "orig_inst.name", + "negate": false, + "type": 
"exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.org_id", + "index": "logs-*", + "key": "orig_inst.org_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.org_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.sg_ids", + "index": "logs-*", + "key": "orig_inst.sg_ids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.sg_ids" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.vpc_id", + "index": "logs-*", + "key": "orig_inst.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.az", + "index": "logs-*", + "key": "resp_inst.az", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.az" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.id", + "index": "logs-*", + "key": "resp_inst.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.name", + "index": "logs-*", + "key": "resp_inst.name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "resp_inst.org_id", + "index": "logs-*", + "key": "resp_inst.org_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.org_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.sg_ids", + "index": "logs-*", + "key": "resp_inst.sg_ids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.sg_ids" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.vpc_id", + "index": "logs-*", + "key": "resp_inst.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.vpc_id" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "88dc0543-fc61-42fb-8834-ee7a7ee1f0bc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "96dda1b6-cfee-409d-a360-374f98f1954f" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "938a66a7-cc4d-454d-a72e-9cd27b7b9e83" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "Top 10 Total Connections", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": 
{ + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "orig_inst.* exists OR resp_inst.* exists", + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "orig_inst.az", + "index": "logs-*", + "key": "orig_inst.az", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.az" + } + } + }, + { + "meta": { + "disabled": false, + "field": "orig_inst.id", + "index": "logs-*", + "key": "orig_inst.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.name", + "index": "logs-*", + "key": "orig_inst.name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.org_id", + "index": "logs-*", + "key": "orig_inst.org_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { 
+ "field": "orig_inst.org_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.sg_ids", + "index": "logs-*", + "key": "orig_inst.sg_ids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.sg_ids" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "orig_inst.vpc_id", + "index": "logs-*", + "key": "orig_inst.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "orig_inst.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.az", + "index": "logs-*", + "key": "resp_inst.az", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.az" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.id", + "index": "logs-*", + "key": "resp_inst.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.name", + "index": "logs-*", + "key": "resp_inst.name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.name" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.org_id", + "index": "logs-*", + "key": "resp_inst.org_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.org_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.sg_ids", 
+ "index": "logs-*", + "key": "resp_inst.sg_ids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.sg_ids" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "resp_inst.vpc_id", + "index": "logs-*", + "key": "resp_inst.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "resp_inst.vpc_id" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { 
+ "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "80916d77-d693-4588-b6cd-d967b0e4716d", + "w": 12, + "x": 23, + "y": 105 + }, + "panelIndex": "80916d77-d693-4588-b6cd-d967b0e4716d", + "title": "Traffic By AWS Account", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "a153ad5c-2356-43ea-a375-6a24cc624bc1": { + "columns": [ + { + "columnId": "status_text", + "customLabel": true, + "fieldName": "status_text", + "label": "Cloud Enrichment", + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR 
orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS count = COUNT(*)\r\n| EVAL status_text = CASE(count \u003e 0, \"Enriched Conn Logs are Present\", \"Enriched Conn Logs are not Present\")\r\n| EVAL status_code = CASE(count \u003e 0, 1, 0)\r\n| KEEP status_text, status_code\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS count = COUNT(*)\r\n| EVAL status_text = CASE(count \u003e 0, \"Enriched Conn Logs are Present\", \"Enriched Conn Logs are not Present\")\r\n| EVAL status_code = CASE(count \u003e 0, 1, 0)\r\n| KEEP status_text, status_code\r\n" + }, + "visualization": { + "columns": [ + { + "columnId": "status_text" + } + ], + "layerId": "a153ad5c-2356-43ea-a375-6a24cc624bc1", + "layerType": "data" + } + }, + "title": "Bar vertical stacked", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND 
capture_source == \"vpcflow\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS count = COUNT(*)\r\n| EVAL status_text = CASE(count \u003e 0, \"Enriched Conn Logs are Present\", \"Enriched Conn Logs are not Present\")\r\n| EVAL status_code = CASE(count \u003e 0, 1, 0)\r\n| KEEP status_text, status_code\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 8, + "i": "41d4aea2-803c-43ed-89ff-84f0c80a3a15", + "w": 9, + "x": 12, + "y": 7 + }, + "panelIndex": "41d4aea2-803c-43ed-89ff-84f0c80a3a15", + "title": "Table status_text (copy)", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 16, + "markdown": "**IP Interrogation**\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 2, + "i": "718eb7ad-f5fb-487e-94e9-44254498102d", + "w": 48, + "x": 0, + "y": 117 + }, + "panelIndex": "718eb7ad-f5fb-487e-94e9-44254498102d", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + 
"formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3b97646d-b562-43e7-8e91-2daac479a1cc": { + "columnOrder": [ + "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7", + "df8168db-beb1-4892-a623-fdb996933992" + ], + "columns": { + "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Country", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "df8168db-beb1-4892-a623-fdb996933992", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_iso_code" + }, + "df8168db-beb1-4892-a623-fdb996933992": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + 
}, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "df8168db-beb1-4892-a623-fdb996933992", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "51c78c74-4700-4d63-9ab4-b91fa0ef6ab7", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "3b97646d-b562-43e7-8e91-2daac479a1cc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": 
"kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "72beffe3-47db-4fe7-8fcd-9a8fdda46372", + "w": 19, + "x": 29, + "y": 89 + }, + "panelIndex": "72beffe3-47db-4fe7-8fcd-9a8fdda46372", + "title": "Outbound Connections by Destination Country", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1ebeef92-3327-45ac-b95c-b41ce1fa37c0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "1ebeef92-3327-45ac-b95c-b41ce1fa37c0": { + "columnOrder": [ + "c83072a4-a10a-4b58-8136-4301d8457c45", + "65f70ce6-5678-4a12-8039-146336b501c3", + "c1632b0c-cd0e-4574-8c27-4358e64510c5", + "c1632b0c-cd0e-4574-8c27-4358e64510c5X1", + "c1632b0c-cd0e-4574-8c27-4358e64510c5X0" + ], + "columns": { + "65f70ce6-5678-4a12-8039-146336b501c3": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Bytes", + "operationType": "range", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "includeEmptyRows": false, + "maxBars": "auto", + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + "sourceField": "source.ip_bytes" + }, + "c1632b0c-cd0e-4574-8c27-4358e64510c5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Duration (ms)", + "operationType": "formula", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0, + "suffix": "ms" + } + }, + "formula": "last_value((event.duration))/1000000000", + "isFormulaBroken": false + }, + "references": [ + "c1632b0c-cd0e-4574-8c27-4358e64510c5X1" + ], + "scale": "ratio" + }, + "c1632b0c-cd0e-4574-8c27-4358e64510c5X0": { + "customLabel": true, + "dataType": "number", + 
"filter": { + "language": "kuery", + "query": "\"event.duration\": *" + }, + "isBucketed": false, + "label": "Part of Duration (ms)", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "event.duration" + }, + "c1632b0c-cd0e-4574-8c27-4358e64510c5X1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Duration (ms)", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "c1632b0c-cd0e-4574-8c27-4358e64510c5X0", + 1000000000 + ], + "location": { + "max": 39, + "min": 0 + }, + "name": "divide", + "text": "last_value((event.duration))/1000000000", + "type": "function" + } + }, + "references": [ + "c1632b0c-cd0e-4574-8c27-4358e64510c5X0" + ], + "scale": "ratio" + }, + "c83072a4-a10a-4b58-8136-4301d8457c45": { + "customLabel": false, + "dataType": "ip", + "isBucketed": true, + "label": "Top 10 values of source.ip", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + 
"negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c1632b0c-cd0e-4574-8c27-4358e64510c5" + ], + "colorMapping": { + 
"assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "1ebeef92-3327-45ac-b95c-b41ce1fa37c0", + "layerType": "data", + "seriesType": "bar_stacked", + "splitAccessor": "c83072a4-a10a-4b58-8136-4301d8457c45", + "xAccessor": "65f70ce6-5678-4a12-8039-146336b501c3" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "036c817f-fe91-4e8e-80b1-82ebc5aaec33", + "w": 48, + "x": 0, + "y": 63 + }, + "panelIndex": "036c817f-fe91-4e8e-80b1-82ebc5aaec33", + "title": "Outbound Connection Outliers", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "345787b9-3b6f-41cd-a4ea-57f727c62393", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cb420d7a-3fe9-469f-98f1-8dc76177f7e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5d9949f0-3bcd-4722-bada-5a84d95715e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2d65697-fd28-45e6-9030-a47d571fccf8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ceda1951-cfe8-4346-a742-6be453dc6241", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "095c6744-8120-44d6-9f13-4bd5e22a4a1e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f48a94d8-9f7a-4680-8153-c6abbd888bb5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "462edab1-05e1-423c-a03e-7dc4e9cebc87", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "filter": null, + "isBucketed": false, + "label": "Unique Destination IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "compact": false, + "decimals": 0 + } + } + }, + "reducedTimeRange": null, + "scale": "ratio", + "sourceField": "destination.ip", + "timeShift": null + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "345787b9-3b6f-41cd-a4ea-57f727c62393", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cb420d7a-3fe9-469f-98f1-8dc76177f7e7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "5d9949f0-3bcd-4722-bada-5a84d95715e8", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "b2d65697-fd28-45e6-9030-a47d571fccf8", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "ceda1951-cfe8-4346-a742-6be453dc6241", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "095c6744-8120-44d6-9f13-4bd5e22a4a1e", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "f48a94d8-9f7a-4680-8153-c6abbd888bb5", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": 
false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "462edab1-05e1-423c-a03e-7dc4e9cebc87", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + 
"alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "36ca0cd6-e98a-4045-987b-7a00bbc61b43", + "w": 9, + "x": 39, + "y": 119 + }, + "panelIndex": "36ca0cd6-e98a-4045-987b-7a00bbc61b43", + "title": "", + "type": "lens" + 
}, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8e74e095-5ced-44b6-902b-44240715d2bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd6136f6-3230-4199-8b3a-db9559a76aea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e475d1bd-b75c-4c37-9e1a-972896226e01", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b6a75d11-45bd-48c5-9d4b-2f55eca81905", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d5f62c5d-d44c-450f-9bdb-45693f2ba8e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d156a569-89cc-47d1-a84a-751a41baf8da", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "22fe7cc5-9b0e-4638-8e5f-4f032684d39a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0966a287-e4e1-4173-aea9-50b56cfa42e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique Source IPs", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } 
+ } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "8e74e095-5ced-44b6-902b-44240715d2bd", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dd6136f6-3230-4199-8b3a-db9559a76aea", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "e475d1bd-b75c-4c37-9e1a-972896226e01", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "b6a75d11-45bd-48c5-9d4b-2f55eca81905", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "d5f62c5d-d44c-450f-9bdb-45693f2ba8e9", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": 
"d156a569-89cc-47d1-a84a-751a41baf8da", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "22fe7cc5-9b0e-4638-8e5f-4f032684d39a", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "0966a287-e4e1-4173-aea9-50b56cfa42e5", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + 
"meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + 
"network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "c5294d5e-0599-4559-b36c-dd0640353f8e", + "w": 9, + "x": 30, + "y": 119 + }, + "panelIndex": "c5294d5e-0599-4559-b36c-dd0640353f8e", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "13cd083d-d650-4bfb-8d39-b1241a0d7ef0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1e4c9862-3936-4a19-81cb-be74d1eb8913", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "45f3185a-4414-4107-9878-9de7d78ff89b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2ce5c3a2-33d2-4cca-a301-c1721ea46c8d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bf988300-4133-43c7-8bb5-9b5af2e65a2e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e487dc98-1b45-450b-96ae-1a328c1636a7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4fff2a29-0b13-48a6-9487-4d6585d090d4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "390c942a-04e4-4b9d-95b8-70dbc10b1efb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": 
{ + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Connections", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "13cd083d-d650-4bfb-8d39-b1241a0d7ef0", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1e4c9862-3936-4a19-81cb-be74d1eb8913", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "45f3185a-4414-4107-9878-9de7d78ff89b", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "2ce5c3a2-33d2-4cca-a301-c1721ea46c8d", + "key": 
"capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "bf988300-4133-43c7-8bb5-9b5af2e65a2e", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "e487dc98-1b45-450b-96ae-1a328c1636a7", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4fff2a29-0b13-48a6-9487-4d6585d090d4", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "390c942a-04e4-4b9d-95b8-70dbc10b1efb", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false, + "trendlineBreakdownByAccessor": null, + "trendlineLayerId": null, + "trendlineLayerType": null, + "trendlineMetricAccessor": null, + "trendlineTimeAccessor": null + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": 
{ + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + 
"relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "a5facc8b-3da7-4a63-91d4-b320ba68f988", + "w": 10, + "x": 20, + "y": 119 + }, + "panelIndex": "a5facc8b-3da7-4a63-91d4-b320ba68f988", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c47c49b9-4c99-4daa-8ec8-3719163ace63", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "847bfde0-ad15-457f-b399-f76712fe7c5e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0dd94fa1-6c95-4a58-bd83-ecd1a89d1d31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"e4e93b86-5ae3-446e-b1c1-3db207535477", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fb2c1ac7-7857-449e-be4e-0fb6b5a4f6a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3be6dadf-8a66-4b81-af7f-b73b5e4cb8b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5d379087-e4e1-43fb-b1a7-bd94cdf6d253", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6ee29176-f888-4111-97da-69792f0b0687", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Data Outbound", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "sum(source.ip_bytes) + sum(destination.ip_bytes)", + "isFormulaBroken": false + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "scale": "ratio" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Data Outbound", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "source.ip_bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Data Outbound", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "destination.ip_bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2": { + "customLabel": true, + "dataType": "number", + 
"isBucketed": false, + "label": "Part of Total Data Outbound", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "location": { + "max": 48, + "min": 0 + }, + "name": "add", + "text": "sum(source.ip_bytes) + sum(destination.ip_bytes)", + "type": "function" + } + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "scale": "ratio" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "c47c49b9-4c99-4daa-8ec8-3719163ace63", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "847bfde0-ad15-457f-b399-f76712fe7c5e", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "0dd94fa1-6c95-4a58-bd83-ecd1a89d1d31", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { 
+ "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "e4e93b86-5ae3-446e-b1c1-3db207535477", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "fb2c1ac7-7857-449e-be4e-0fb6b5a4f6a2", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "3be6dadf-8a66-4b81-af7f-b73b5e4cb8b0", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5d379087-e4e1-43fb-b1a7-bd94cdf6d253", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": 
"6ee29176-f888-4111-97da-69792f0b0687", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, 
+ { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "outbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "outbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" 
+ }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "69d1a02d-bedf-446e-b939-2720a6d25df7", + "w": 10, + "x": 10, + "y": 119 + }, + "panelIndex": "69d1a02d-bedf-446e-b939-2720a6d25df7", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "81836f32-d6bb-4e2d-9ac0-9dea7fa2be23", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a0f96a7c-e6e2-4105-902e-bce7bce04522", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dfc1e2d1-a7d9-4c6a-b29a-e2ebc6ed1688", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"900cd464-a005-44ae-9981-965c2a057f94", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcb6bafa-8891-41ad-9876-a414c520482d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6007471b-9f19-4e48-b673-fe3c9f034ba2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae4dca25-d609-4a87-9c76-79322f1d03a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5d951a27-4e43-4df8-b5b1-129e4b3e0185", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "columns": { + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Data Inbound", + "operationType": "formula", + "params": { + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + }, + "formula": "sum(source.ip_bytes) + sum(destination.ip_bytes)", + "isFormulaBroken": false + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2" + ], + "scale": "ratio" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Data Inbound", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "source.ip_bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Total Data Inbound", + "operationType": "sum", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "destination.ip_bytes" + }, + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX2": { + "customLabel": true, + "dataType": "number", + 
"isBucketed": false, + "label": "Part of Total Data Inbound", + "operationType": "math", + "params": { + "tinymathAst": { + "args": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "location": { + "max": 48, + "min": 0 + }, + "name": "add", + "text": "sum(source.ip_bytes) + sum(destination.ip_bytes)", + "type": "function" + } + }, + "references": [ + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX0", + "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2bX1" + ], + "scale": "ratio" + }, + "b8fd7325-9871-4ac5-973b-5fef01d0c5b7": { + "dataType": "number", + "isBucketed": false, + "label": "Median of source.bytes", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "81836f32-d6bb-4e2d-9ac0-9dea7fa2be23", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a0f96a7c-e6e2-4105-902e-bce7bce04522", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "dfc1e2d1-a7d9-4c6a-b29a-e2ebc6ed1688", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + 
"$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "900cd464-a005-44ae-9981-965c2a057f94", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "bcb6bafa-8891-41ad-9876-a414c520482d", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "6007471b-9f19-4e48-b673-fe3c9f034ba2", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ae4dca25-d609-4a87-9c76-79322f1d03a6", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": 
"5d951a27-4e43-4df8-b5b1-129e4b3e0185", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data", + "metricAccessor": "997fe5e3-4ebb-4e9c-8dbb-559fb6773c2b", + "showBar": false + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, 
+ { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "params": { + "query": "inbound" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.direction": "inbound" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + 
}, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 4, + "i": "8cbe01ee-9c43-4697-a1d9-72824a514695", + "w": 10, + "x": 0, + "y": 119 + }, + "panelIndex": "8cbe01ee-9c43-4697-a1d9-72824a514695", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3824d4a3-66bc-4771-8711-e4635817be2d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3824d4a3-66bc-4771-8711-e4635817be2d": { + "columnOrder": [ + "70d06330-a6ec-4498-9d02-e66bd8360ded", + "4a1b3add-df64-4fc8-a54f-661ed870831c" + ], + "columns": { + "4a1b3add-df64-4fc8-a54f-661ed870831c": { + "customLabel": 
true, + "dataType": "number", + "isBucketed": false, + "label": "Event ID", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "70d06330-a6ec-4498-9d02-e66bd8360ded": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of capture_metadata.vpc.vpc_id", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4a1b3add-df64-4fc8-a54f-661ed870831c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "capture_metadata.vpc.vpc_id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { 
+ "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 
doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3824d4a3-66bc-4771-8711-e4635817be2d", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "4a1b3add-df64-4fc8-a54f-661ed870831c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "70d06330-a6ec-4498-9d02-e66bd8360ded" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" 
+ } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "134685aa-6965-4cf1-93df-d20f198bf90e", + "w": 16, + "x": 0, + "y": 123 + }, + "panelIndex": "134685aa-6965-4cf1-93df-d20f198bf90e", + "title": "VPC IDs by Connection Count", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3824d4a3-66bc-4771-8711-e4635817be2d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e684b4a3-7bd1-4315-82b6-41c3680a3dd8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6c8bf5c6-ed7b-488b-bdd5-2f0086649501", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ca729847-b693-44a9-b80a-556ce72db5b8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "641561f0-68b9-4867-8b08-568f4c01c694", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f06df791-03e6-4c83-ac75-8048164b3ec3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f2a83b5a-d2d7-493f-8096-17d9225def88", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bff0e575-58a9-4fd5-88ba-df68b412f6ee", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3824d4a3-66bc-4771-8711-e4635817be2d": { + "columnOrder": [ + "8c243ca4-7b37-4595-943d-2deff1fa490a", + "4a1b3add-df64-4fc8-a54f-661ed870831c" + ], + "columns": { + "4a1b3add-df64-4fc8-a54f-661ed870831c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Event ID", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "8c243ca4-7b37-4595-943d-2deff1fa490a": { + "dataType": 
"string", + "isBucketed": true, + "label": "Top 10 values of network.direction", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4a1b3add-df64-4fc8-a54f-661ed870831c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.direction" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "e684b4a3-7bd1-4315-82b6-41c3680a3dd8", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "6c8bf5c6-ed7b-488b-bdd5-2f0086649501", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "ca729847-b693-44a9-b80a-556ce72db5b8", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "641561f0-68b9-4867-8b08-568f4c01c694", + "key": "capture_metadata.vpc.vpc_id", + "negate": 
false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "f06df791-03e6-4c83-ac75-8048164b3ec3", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "f2a83b5a-d2d7-493f-8096-17d9225def88", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "bff0e575-58a9-4fd5-88ba-df68b412f6ee", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": 
[ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3824d4a3-66bc-4771-8711-e4635817be2d", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "4a1b3add-df64-4fc8-a54f-661ed870831c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "8c243ca4-7b37-4595-943d-2deff1fa490a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": 
"capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": 
"77031a9b-20b4-431e-abcf-308794da31b9", + "w": 16, + "x": 16, + "y": 123 + }, + "panelIndex": "77031a9b-20b4-431e-abcf-308794da31b9", + "title": "Connections by Direction", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "a11821ce-bdf6-4d34-9789-8ebd41cd6c92": { + "columns": [ + { + "columnId": "transport", + "customLabel": true, + "fieldName": "transport", + "label": "transport", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "count", + "customLabel": false, + "fieldName": "count", + "inMetricDimension": true, + "label": "count", + "meta": { + "esType": "long", + "type": "number" + }, + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == 
\"inbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"inbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "a11821ce-bdf6-4d34-9789-8ebd41cd6c92", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "count" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "transport" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Bar vertical stacked", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND 
capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"inbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "ddb15826-0173-4e6d-a5f0-d1964a3cbbe3", + "w": 24, + "x": 0, + "y": 137 + }, + "panelIndex": "ddb15826-0173-4e6d-a5f0-d1964a3cbbe3", + "title": "Top Inbound Ports \u0026 Protocols", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-12fe920b-d233-480a-955b-7da85fa82e1a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "826478ef-90b0-45dd-84bf-629eab7e9fc2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e2e9798c-1cdc-45e9-adf3-efa29b1d28ab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab79b5a0-5ae0-4581-bd25-337b5c43efeb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "12fe920b-d233-480a-955b-7da85fa82e1a": { + "columnOrder": [ + "b8314169-e325-408c-86bf-83088ca843a6", + "5a74f052-52e2-4f10-9e7f-c4def98f0e4b" + ], + "columns": { + "5a74f052-52e2-4f10-9e7f-c4def98f0e4b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b8314169-e325-408c-86bf-83088ca843a6": { + "dataType": "string", + 
"isBucketed": true, + "label": "Top 10 values of event.dataset", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5a74f052-52e2-4f10-9e7f-c4def98f0e4b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.dataset" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "826478ef-90b0-45dd-84bf-629eab7e9fc2", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e2e9798c-1cdc-45e9-adf3-efa29b1d28ab", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ab79b5a0-5ae0-4581-bd25-337b5c43efeb", + "key": "query", + "negate": true, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"wildcard\":{\"event.dataset\":\"ssl*\"}},{\"wildcard\":{\"event.dataset\":\"smtp*\"}},{\"wildcard\":{\"event.dataset\":\"http*\"}},{\"wildcard\":{\"event.dataset\":\"files*\"}},{\"wildcard\":{\"event.dataset\":\"dns*\"}},{\"wildcard\":{\"event.dataset\":\"conn*\"}},{\"wildcard\":{\"event.dataset\":\"tls*\"}}]}}" + }, + "query": { + "bool": { + "should": [ + { + "wildcard": { + "event.dataset": "ssl*" + } + }, + { + "wildcard": { + "event.dataset": "smtp*" + } + }, + { + "wildcard": { + "event.dataset": "http*" + } + }, + { + "wildcard": { + "event.dataset": "files*" + } + }, + { + "wildcard": { + "event.dataset": "dns*" + } + }, + { + "wildcard": { + "event.dataset": "conn*" + } + }, + { + "wildcard": { + "event.dataset": "tls*" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "12fe920b-d233-480a-955b-7da85fa82e1a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "5a74f052-52e2-4f10-9e7f-c4def98f0e4b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "b8314169-e325-408c-86bf-83088ca843a6" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "description": "Corelight supporting data sources for source\n\n\n\n\n\n\n", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": 
"exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": true, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"wildcard\":{\"event.dataset\":\"ssl*\"}},{\"wildcard\":{\"event.dataset\":\"smtp*\"}},{\"wildcard\":{\"event.dataset\":\"http*\"}},{\"wildcard\":{\"event.dataset\":\"files*\"}},{\"wildcard\":{\"event.dataset\":\"dns*\"}},{\"wildcard\":{\"event.dataset\":\"conn*\"}},{\"wildcard\":{\"event.dataset\":\"tls*\"}}]}}" + }, + "query": { + "bool": { + "should": [ + { + "wildcard": { + "event.dataset": "ssl*" + } + }, + { + "wildcard": { + "event.dataset": "smtp*" + } + }, + { + "wildcard": { + "event.dataset": "http*" + } + }, + { + "wildcard": { + "event.dataset": "files*" + } + }, + { + "wildcard": { + "event.dataset": "dns*" + } + }, + { + "wildcard": { + "event.dataset": "conn*" + } + }, + { + "wildcard": { + "event.dataset": "tls*" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "b9c412cc-32e0-41af-ac43-ef053fdfac90", + "w": 16, + "x": 
32, + "y": 123 + }, + "panelIndex": "b9c412cc-32e0-41af-ac43-ef053fdfac90", + "title": "Corelight Data Sets", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "7372f89e-1793-4cb4-9a2a-82d402b6be2e", + "95140924-afab-4a89-aebb-278790114f95" + ], + "columns": { + "7372f89e-1793-4cb4-9a2a-82d402b6be2e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination IP", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "95140924-afab-4a89-aebb-278790114f95", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "95140924-afab-4a89-aebb-278790114f95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Bytes Received", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "destination.ip_bytes" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": 
"{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "95140924-afab-4a89-aebb-278790114f95", + "isTransposed": false + }, + { + "columnId": "7372f89e-1793-4cb4-9a2a-82d402b6be2e", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + } + ], + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { 
+ "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + 
"minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "4a87f0f8-8da9-4a20-a906-2622e0612bc9", + "w": 16, + "x": 16, + "y": 29 + }, + "panelIndex": "4a87f0f8-8da9-4a20-a906-2622e0612bc9", + "title": "Top 10 Destination IPs with Most Received Data", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47db230e-6727-4fee-af47-57c2c82042e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c4141336-b711-404e-8cc7-a2bcdaaf97f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5fa75508-d792-4c8b-b6a2-c95db499e799", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92ff096d-3f16-4e6d-98d4-73e4326738a4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3ab7d8-6ee9-4b7e-b55b-90bb3629b67e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "157510b8-44b0-4d4c-8fe2-70e84084a9fd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6533243-1174-49c2-a5e4-feed441d99ee", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "966bd70c-5e36-4868-a1de-a89f13e92014": { + "columnOrder": [ + "7372f89e-1793-4cb4-9a2a-82d402b6be2e", + "95140924-afab-4a89-aebb-278790114f95" + ], + "columns": { + 
"7372f89e-1793-4cb4-9a2a-82d402b6be2e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "95140924-afab-4a89-aebb-278790114f95", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "95140924-afab-4a89-aebb-278790114f95": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Bytes Sent", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip_bytes" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "47db230e-6727-4fee-af47-57c2c82042e7", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "c4141336-b711-404e-8cc7-a2bcdaaf97f9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "5fa75508-d792-4c8b-b6a2-c95db499e799", + "key": "capture_source", + "negate": false, + "params": { + "query": 
"vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "92ff096d-3f16-4e6d-98d4-73e4326738a4", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "4d3ab7d8-6ee9-4b7e-b55b-90bb3629b67e", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "157510b8-44b0-4d4c-8fe2-70e84084a9fd", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "d6533243-1174-49c2-a5e4-feed441d99ee", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ 
+ { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "95140924-afab-4a89-aebb-278790114f95", + "isTransposed": false + }, + { + "columnId": "7372f89e-1793-4cb4-9a2a-82d402b6be2e", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true + } + ], + "layerId": "966bd70c-5e36-4868-a1de-a89f13e92014", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "logs-*", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": 
"logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}],\"minimum_should_match\":1}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": 
{ + "h": 18, + "i": "47dab784-a590-43b3-90bf-dd2005b61eb5", + "w": 16, + "x": 0, + "y": 29 + }, + "panelIndex": "47dab784-a590-43b3-90bf-dd2005b61eb5", + "title": "Top 10 Source IPs with Most Sent Data", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "976a33f6-5255-4013-b849-d870481c2666": { + "columns": [ + { + "columnId": "transport", + "customLabel": false, + "fieldName": "transport", + "label": "transport", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "event_count", + "customLabel": false, + "fieldName": "event_count", + "inMetricDimension": true, + "label": "event_count", + "meta": { + "esType": "long", + "type": "number" + }, + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = 
concat(network.transport, \"/\", to_string(destination.port))\r\n\r\n| STATS event_count = count(*) BY transport\r\n\r\n| SORT event_count DESC\r\n| LIMIT 20\r\n\r\n| KEEP transport, event_count\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n\r\n| STATS event_count = count(*) BY transport\r\n\r\n| SORT event_count DESC\r\n| LIMIT 20\r\n\r\n| KEEP transport, event_count\r\n" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "976a33f6-5255-4013-b849-d870481c2666", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "event_count" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "transport" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Bar vertical stacked", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n 
\".*:.*\")\r\n ))\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n\r\n| STATS event_count = count(*) BY transport\r\n\r\n| SORT event_count DESC\r\n| LIMIT 20\r\n\r\n| KEEP transport, event_count\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "10d22653-999e-4960-8c42-8271598816d1", + "w": 16, + "x": 32, + "y": 29 + }, + "panelIndex": "10d22653-999e-4960-8c42-8271598816d1", + "title": "Top 20 Protocol and Port Distribution", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "c1f0461a-4114-409b-a305-3551e0650284": { + "columns": [ + { + "columnId": "resp_inst.sg_ids", + "customLabel": true, + "fieldName": "resp_inst.sg_ids", + "label": "AWS Security Group", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "destination.port", + "customLabel": true, + "fieldName": "destination.port", + "inMetricDimension": true, + "label": "Destination Port", + "meta": { + "esType": "long", + "type": "number" + }, + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + } + }, + { + "columnId": "Connections", + "customLabel": false, + 
"fieldName": "Connections", + "inMetricDimension": true, + "label": "Connections", + "meta": { + "esType": "long", + "type": "number" + }, + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"inbound\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS Connections = COUNT(*) BY resp_inst.sg_ids, destination.port\r\n| SORT Connections DESC\r\n| KEEP resp_inst.sg_ids , destination.port, Connections" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"inbound\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR 
orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS Connections = COUNT(*) BY resp_inst.sg_ids, destination.port\r\n| SORT Connections DESC\r\n| KEEP resp_inst.sg_ids , destination.port, Connections" + }, + "visualization": { + "columns": [ + { + "columnId": "resp_inst.sg_ids" + }, + { + "columnId": "destination.port" + }, + { + "columnId": "Connections" + } + ], + "layerId": "c1f0461a-4114-409b-a305-3551e0650284", + "layerType": "data" + } + }, + "title": "destination.port \u0026 Connections of resp_inst.sg_ids", + "visualizationType": "lnsDatatable" + }, + "description": "External Source Inbound to Internal Responding Security Group", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"inbound\"\r\n AND (\r\n orig_inst.az IS NOT NULL\r\n OR orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.az IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS Connections = COUNT(*) BY resp_inst.sg_ids, destination.port\r\n| SORT Connections DESC\r\n| KEEP resp_inst.sg_ids , destination.port, Connections" + }, + "syncColors": 
false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "cf9bcb34-6bed-4141-9029-bfcbccac99d5", + "w": 11, + "x": 0, + "y": 105 + }, + "panelIndex": "cf9bcb34-6bed-4141-9029-bfcbccac99d5", + "title": "Inbound Traffic by Security Group", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "d3b4eb96-faae-4dc8-b52a-6dc6fb454dee": { + "allColumns": [ + { + "columnId": "Connections", + "customLabel": false, + "fieldName": "Connections", + "inMetricDimension": true, + "label": "Connections", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Total_Bytes_Sent", + "customLabel": false, + "fieldName": "Total_Bytes_Sent", + "inMetricDimension": true, + "label": "Total_Bytes_Sent", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "f495fe7e-17a5-45ce-927c-a612a6cdc24c", + "fieldName": "resp_inst.az", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "8d82d30f-139c-4593-87db-6243853537f0", + "customLabel": true, + "fieldName": "orig_inst.az", + "label": "Originating Availability Zone", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + } + }, + { + "columnId": "orig_inst.az", + "fieldName": "orig_inst.az", + "label": "orig_inst.az", + 
"meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "resp_inst.az", + "fieldName": "resp_inst.az", + "label": "resp_inst.az", + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "columns": [ + { + "columnId": "8d82d30f-139c-4593-87db-6243853537f0", + "customLabel": true, + "fieldName": "orig_inst.az", + "label": "Originating Availability Zone", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + } + }, + { + "columnId": "Connections", + "customLabel": false, + "fieldName": "Connections", + "inMetricDimension": true, + "label": "Connections", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Total_Bytes_Sent", + "customLabel": true, + "fieldName": "Total_Bytes_Sent", + "inMetricDimension": true, + "label": "Total Bytes Sent", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "f495fe7e-17a5-45ce-927c-a612a6cdc24c", + "customLabel": true, + "fieldName": "resp_inst.az", + "label": "Responding Availability Zone", + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND orig_inst.az IS NOT NULL\r\n AND resp_inst.az IS NOT NULL\r\n AND (\r\n orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS 
NOT NULL\r\n )\r\n| STATS\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n conn_count = COUNT(event.id)\r\n BY orig_inst.az, resp_inst.az\r\n| SORT total_bytes_sent DESC\r\n| LIMIT 20\r\n| EVAL Total_Bytes_Sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.00, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.00, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.00, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.00, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n| EVAL Connections =\r\n CASE(\r\n conn_count \u003e= 1000000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000000, 2)), \"M\"),\r\n conn_count \u003e= 1000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000, 1)), \"K\"),\r\n TRUE,\r\n TO_STRING(conn_count)\r\n )\r\n| KEEP\r\n orig_inst.az,\r\n resp_inst.az,\r\n Connections,\r\n Total_Bytes_Sent\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND orig_inst.az IS NOT NULL\r\n AND resp_inst.az IS NOT NULL\r\n AND (\r\n orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| 
STATS\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n conn_count = COUNT(event.id)\r\n BY orig_inst.az, resp_inst.az\r\n| SORT total_bytes_sent DESC\r\n| LIMIT 20\r\n| EVAL Total_Bytes_Sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.00, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.00, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.00, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.00, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n| EVAL Connections =\r\n CASE(\r\n conn_count \u003e= 1000000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000000, 2)), \"M\"),\r\n conn_count \u003e= 1000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000, 1)), \"K\"),\r\n TRUE,\r\n TO_STRING(conn_count)\r\n )\r\n| KEEP\r\n orig_inst.az,\r\n resp_inst.az,\r\n Connections,\r\n Total_Bytes_Sent\r\n" + }, + "visualization": { + "columns": [ + { + "columnId": "Connections", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "Total_Bytes_Sent" + }, + { + "columnId": "f495fe7e-17a5-45ce-927c-a612a6cdc24c", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "8d82d30f-139c-4593-87db-6243853537f0", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "d3b4eb96-faae-4dc8-b52a-6dc6fb454dee", + "layerType": "data" + } + }, + "title": "Table orig_inst.az \u0026 resp_inst.az \u0026 Connections \u0026 Total_Bytes_Sent", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS 
NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND orig_inst.az IS NOT NULL\r\n AND resp_inst.az IS NOT NULL\r\n AND (\r\n orig_inst.id IS NOT NULL\r\n OR orig_inst.name IS NOT NULL\r\n OR orig_inst.org_id IS NOT NULL\r\n OR orig_inst.sg_ids IS NOT NULL\r\n OR orig_inst.subnet_id IS NOT NULL\r\n OR orig_inst.vpc_id IS NOT NULL\r\n OR resp_inst.id IS NOT NULL\r\n OR resp_inst.name IS NOT NULL\r\n OR resp_inst.org_id IS NOT NULL\r\n OR resp_inst.sg_ids IS NOT NULL\r\n OR resp_inst.subnet_id IS NOT NULL\r\n OR resp_inst.vpc_id IS NOT NULL\r\n )\r\n| STATS\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n conn_count = COUNT(event.id)\r\n BY orig_inst.az, resp_inst.az\r\n| SORT total_bytes_sent DESC\r\n| LIMIT 20\r\n| EVAL Total_Bytes_Sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.00, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.00, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.00, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.00, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n| EVAL Connections =\r\n CASE(\r\n conn_count \u003e= 1000000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000000, 2)), \"M\"),\r\n conn_count \u003e= 1000,\r\n CONCAT(TO_STRING(ROUND(conn_count / 1000, 1)), \"K\"),\r\n TRUE,\r\n TO_STRING(conn_count)\r\n )\r\n| KEEP\r\n orig_inst.az,\r\n resp_inst.az,\r\n Connections,\r\n Total_Bytes_Sent\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "d1392801-7d4c-488c-a52b-5410b0a30fdc", + "w": 12, + "x": 11, + "y": 105 + }, + "panelIndex": "d1392801-7d4c-488c-a52b-5410b0a30fdc", + "title": "Lateral Traffic between Availability Zones", + "type": "lens" + }, + { + "embeddableConfig": 
{ + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "a4adf498-c57f-49e7-afc1-8d7c4e9a94e8": { + "columns": [ + { + "columnId": "orig_inst.name", + "customLabel": true, + "fieldName": "orig_inst.name", + "inMetricDimension": true, + "label": "EC2 Instance Name", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "source.ip", + "customLabel": true, + "fieldName": "source.ip", + "inMetricDimension": true, + "label": "Source IP", + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "destination.ip", + "customLabel": true, + "fieldName": "destination.ip", + "inMetricDimension": true, + "label": "Destination IP", + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Total_Data_Outbound", + "customLabel": true, + "fieldName": "Total_Data_Outbound", + "inMetricDimension": true, + "label": "Total Data Outbound", + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND 
network.direction == \"outbound\"\r\n AND (orig_inst.org_id IS NOT NULL OR resp_inst.org_id IS NOT NULL)\r\n AND (orig_inst.name IS NOT NULL OR resp_inst.name IS NOT NULL)\r\n| STATS total_bytes = SUM(source.ip_bytes)\r\n BY orig_inst.name, source.ip, destination.ip\r\n| SORT total_bytes DESC\r\n| EVAL Total_Data_Outbound =\r\n CASE(\r\n total_bytes \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1073741824.0, 2)), \" GB\"),\r\n total_bytes \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1048576.0, 2)), \" MB\"),\r\n total_bytes \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes), \" B\")\r\n )\r\n| KEEP\r\n orig_inst.name,\r\n source.ip,\r\n destination.ip,\r\n Total_Data_Outbound" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"outbound\"\r\n AND (orig_inst.org_id IS NOT NULL OR resp_inst.org_id IS NOT NULL)\r\n AND (orig_inst.name IS NOT NULL OR resp_inst.name IS NOT NULL)\r\n| STATS total_bytes = SUM(source.ip_bytes)\r\n BY orig_inst.name, source.ip, destination.ip\r\n| SORT total_bytes DESC\r\n| EVAL Total_Data_Outbound =\r\n CASE(\r\n total_bytes \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1073741824.0, 2)), \" GB\"),\r\n total_bytes \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1048576.0, 2)), \" MB\"),\r\n total_bytes \u003e= 1024,\r\n 
CONCAT(TO_STRING(ROUND(total_bytes / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes), \" B\")\r\n )\r\n| KEEP\r\n orig_inst.name,\r\n source.ip,\r\n destination.ip,\r\n Total_Data_Outbound" + }, + "visualization": { + "columns": [ + { + "columnId": "orig_inst.name" + }, + { + "columnId": "source.ip", + "width": 115 + }, + { + "columnId": "destination.ip", + "width": 122 + }, + { + "columnId": "Total_Data_Outbound" + } + ], + "layerId": "a4adf498-c57f-49e7-afc1-8d7c4e9a94e8", + "layerType": "data", + "sorting": { + "columnId": "Total_Data_Outbound", + "direction": "asc" + } + } + }, + "title": "Table orig_inst.name \u0026 source.ip \u0026 destination.ip \u0026 Total_Data_Outbound", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"outbound\"\r\n AND (orig_inst.org_id IS NOT NULL OR resp_inst.org_id IS NOT NULL)\r\n AND (orig_inst.name IS NOT NULL OR resp_inst.name IS NOT NULL)\r\n| STATS total_bytes = SUM(source.ip_bytes)\r\n BY orig_inst.name, source.ip, destination.ip\r\n| SORT total_bytes DESC\r\n| EVAL Total_Data_Outbound =\r\n CASE(\r\n total_bytes \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1073741824.0, 2)), \" GB\"),\r\n total_bytes \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1048576.0, 2)), \" MB\"),\r\n total_bytes \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes), \" B\")\r\n )\r\n| KEEP\r\n orig_inst.name,\r\n 
source.ip,\r\n destination.ip,\r\n Total_Data_Outbound" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "d0bbbe9f-90ef-4875-9fd2-96b167eb84e2", + "w": 13, + "x": 35, + "y": 105 + }, + "panelIndex": "d0bbbe9f-90ef-4875-9fd2-96b167eb84e2", + "title": "Outbound Traffic by EC2 Instance Names", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "3e08a7c3-5af0-465b-bc3d-4076b482d3a0": { + "columns": [ + { + "columnId": "transport", + "customLabel": false, + "fieldName": "transport", + "label": "transport", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "count", + "customLabel": false, + "fieldName": "count", + "inMetricDimension": true, + "label": "count", + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT 
NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"outbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "needsRefresh": false, + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"outbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3e08a7c3-5af0-465b-bc3d-4076b482d3a0", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "count" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "transport" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Bar vertical stacked", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE data_stream.dataset == \"corelight.conn\"\r\n 
AND capture_source == \"vpcflow\"\r\n AND observer.hostname IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND (source.ip IS NOT NULL OR destination.ip IS NOT NULL)\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND network.direction == \"outbound\"\r\n| EVAL transport = concat(network.transport, \"/\", to_string(destination.port))\r\n| STATS count = count(*) BY transport\r\n| SORT count DESC, transport ASC\r\n| LIMIT 10\r\n| KEEP transport, count\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 16, + "i": "46a2e2a8-e48d-42e0-b948-bb262e552a46", + "w": 24, + "x": 24, + "y": 137 + }, + "panelIndex": "46a2e2a8-e48d-42e0-b948-bb262e552a46", + "title": "Top Outbound Ports \u0026 Protocols", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": null, + "references": [], + "savedObjectId": null, + "state": { + "adHocDataViews": { + "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333": { + "allowHidden": false, + "allowNoIndex": false, + "fieldAttrs": null, + "fieldFormats": {}, + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "logs-corelight.conn*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "timeField": "@timestamp", + "title": "logs-corelight.conn*" + } + ], + "layers": { + "6e79cd9d-40c8-401e-be7d-6affca9c71fb": { + "allColumns": [ + { + "columnId": "first_alert_time", + "customLabel": true, + "fieldName": "first_alert_time", + "inMetricDimension": true, + "label": "First Seen", + "meta": { + "esType": "date", + "type": "date" + }, + "variable": null 
+ }, + { + "columnId": "last_alert_time", + "customLabel": true, + "fieldName": "last_alert_time", + "inMetricDimension": true, + "label": "Last Seen", + "meta": { + "esType": "date", + "type": "date" + }, + "variable": null + }, + { + "columnId": "vpc_id", + "customLabel": true, + "fieldName": "vpc_id", + "inMetricDimension": true, + "label": "AWS VPC ID", + "meta": { + "esType": "keyword", + "type": "string" + }, + "variable": null + }, + { + "columnId": "source.ip", + "customLabel": true, + "fieldName": "source.ip", + "inMetricDimension": true, + "label": "Source IP", + "meta": { + "esType": "ip", + "type": "ip" + }, + "variable": null + }, + { + "columnId": "src_country", + "customLabel": false, + "fieldName": "src_country", + "inMetricDimension": true, + "label": "src_country", + "meta": { + "esType": "keyword", + "type": "string" + }, + "variable": null + } + ], + "columns": [ + { + "columnId": "first_alert_time", + "customLabel": true, + "fieldName": "first_alert_time", + "inMetricDimension": true, + "label": "First Seen", + "meta": { + "esType": "date", + "type": "date" + }, + "variable": null + }, + { + "columnId": "last_alert_time", + "customLabel": true, + "fieldName": "last_alert_time", + "inMetricDimension": true, + "label": "Last Seen", + "meta": { + "esType": "date", + "type": "date" + }, + "variable": null + }, + { + "columnId": "vpc_id", + "customLabel": true, + "fieldName": "vpc_id", + "inMetricDimension": true, + "label": "AWS VPC ID", + "meta": { + "esType": "keyword", + "type": "string" + }, + "variable": null + }, + { + "columnId": "source.ip", + "customLabel": true, + "fieldName": "source.ip", + "inMetricDimension": true, + "label": "Source IP", + "meta": { + "esType": "ip", + "type": "ip" + }, + "variable": null + }, + { + "columnId": "cd08afd5-d34a-4a19-bc4b-96fddc8e6ec6", + "customLabel": true, + "fieldName": "formatted_total_bytes_sent", + "label": "Bytes Sent", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + 
}, + "variable": null + }, + { + "columnId": "3440ed70-10d0-49ae-8e32-d06ed381862b", + "customLabel": true, + "fieldName": "direction", + "label": "Direction", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + }, + "variable": null + }, + { + "columnId": "d9b09e3f-b863-4f4d-80bd-a7f1fd89a9a8", + "customLabel": true, + "fieldName": "destination.ip", + "label": "Destination IP", + "meta": { + "esType": "ip", + "sourceParams": {}, + "type": "ip" + }, + "variable": null + }, + { + "columnId": "2bd55e92-18e9-4355-ad3e-7f8288af3c9a", + "customLabel": true, + "fieldName": "transport", + "label": "Destination Port", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + }, + "variable": null + }, + { + "columnId": "86ad9694-4b94-466d-ac22-b789540f7933", + "customLabel": true, + "fieldName": "formatted_total_bytes_recv", + "label": "Bytes Received", + "meta": { + "esType": "keyword", + "sourceParams": {}, + "type": "string" + } + }, + { + "columnId": "72e4619c-aa12-45d0-bb61-958ded5356f6", + "customLabel": true, + "fieldName": "total_duration", + "label": "Total Duration", + "meta": { + "esType": "long", + "sourceParams": {}, + "type": "number" + }, + "params": { + "format": { + "id": "duration", + "params": { + "decimals": 2, + "fromUnit": "nanoseconds", + "toUnit": "asSeconds" + } + } + } + }, + { + "columnId": "f91b507d-812f-4108-b5ad-37ffb820bdc2", + "customLabel": true, + "fieldName": "total_connections", + "label": "Total Connections", + "meta": { + "esType": "long", + "sourceParams": {}, + "type": "number" + }, + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + } + } + ], + "index": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE\r\n data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND 
source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND source.ip IS NOT NULL\r\n AND destination.ip IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = CONCAT(network.transport, \"/\", TO_STRING(destination.port))\r\n\r\n| STATS\r\n epoch_first_alert_time = MIN(@timestamp),\r\n epoch_last_alert_time = MAX(@timestamp),\r\n total_duration = SUM(event.duration),\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n total_bytes_recv = SUM(destination.ip_bytes),\r\n total_connections = COUNT(event.id),\r\n src_country = VALUES(source.geo.country_iso_code),\r\n dest_country = VALUES(destination.geo.country_iso_code),\r\n direction = VALUES(network.direction),\r\n vpc_id = VALUES(capture_metadata.vpc.vpc_id)\r\n BY source.ip, destination.ip, transport\r\n\r\n| EVAL total_duration = total_duration / 1000\r\n\r\n| SORT total_connections DESC\r\n\r\n| EVAL formatted_total_bytes_sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.0, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n\r\n| EVAL formatted_total_bytes_recv =\r\n CASE(\r\n total_bytes_recv \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_recv \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_recv \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1048576.0, 2)), \" MB\"),\r\n total_bytes_recv \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 
1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_recv), \" B\")\r\n )\r\n\r\n| EVAL\r\n first_alert_time = TO_DATETIME(epoch_first_alert_time)\r\n\r\n| EVAL last_alert_time = TO_DATETIME(epoch_last_alert_time)\r\n\r\n| KEEP\r\n first_alert_time,\r\n last_alert_time,\r\n vpc_id,\r\n source.ip, \r\n src_country,\r\n formatted_total_bytes_sent,\r\n direction,\r\n destination.ip,\r\n dest_country,\r\n transport,\r\n formatted_total_bytes_recv,\r\n total_duration,\r\n total_connections" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "internalReferences": [ + { + "id": "9ac500899338b2fcf45fd20d129c34e52b042f3ade63945dd675f42672450333", + "name": "textBasedLanguages-datasource-layer-6e79cd9d-40c8-401e-be7d-6affca9c71fb", + "type": "index-pattern" + } + ], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE\r\n data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND source.ip IS NOT NULL\r\n AND destination.ip IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = CONCAT(network.transport, \"/\", TO_STRING(destination.port))\r\n\r\n| STATS\r\n epoch_first_alert_time = MIN(@timestamp),\r\n epoch_last_alert_time = MAX(@timestamp),\r\n total_duration = SUM(event.duration),\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n total_bytes_recv = SUM(destination.ip_bytes),\r\n total_connections = COUNT(event.id),\r\n src_country = VALUES(source.geo.country_iso_code),\r\n dest_country = VALUES(destination.geo.country_iso_code),\r\n direction = VALUES(network.direction),\r\n vpc_id = VALUES(capture_metadata.vpc.vpc_id)\r\n BY source.ip, destination.ip, transport\r\n\r\n| EVAL total_duration = total_duration / 1000\r\n\r\n| SORT total_connections DESC\r\n\r\n| EVAL 
formatted_total_bytes_sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.0, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n\r\n| EVAL formatted_total_bytes_recv =\r\n CASE(\r\n total_bytes_recv \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_recv \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_recv \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1048576.0, 2)), \" MB\"),\r\n total_bytes_recv \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_recv), \" B\")\r\n )\r\n\r\n| EVAL\r\n first_alert_time = TO_DATETIME(epoch_first_alert_time)\r\n\r\n| EVAL last_alert_time = TO_DATETIME(epoch_last_alert_time)\r\n\r\n| KEEP\r\n first_alert_time,\r\n last_alert_time,\r\n vpc_id,\r\n source.ip, \r\n src_country,\r\n formatted_total_bytes_sent,\r\n direction,\r\n destination.ip,\r\n dest_country,\r\n transport,\r\n formatted_total_bytes_recv,\r\n total_duration,\r\n total_connections" + }, + "visualization": { + "columns": [ + { + "columnId": "first_alert_time", + "isTransposed": null, + "width": 213.39231601731595 + }, + { + "columnId": "last_alert_time", + "isTransposed": null, + "width": 241.0589826839827 + }, + { + "columnId": "vpc_id", + "isTransposed": null, + "width": 199.89231601731603 + }, + { + "columnId": "source.ip", + "isTransposed": null, + "width": 155.5589826839827 + }, + { + "columnId": 
"cd08afd5-d34a-4a19-bc4b-96fddc8e6ec6", + "isMetric": true, + "isTransposed": false, + "width": 135.95898268398267 + }, + { + "columnId": "3440ed70-10d0-49ae-8e32-d06ed381862b", + "isMetric": true, + "isTransposed": false, + "width": 105.62564935064935 + }, + { + "columnId": "d9b09e3f-b863-4f4d-80bd-a7f1fd89a9a8", + "isMetric": true, + "isTransposed": false, + "width": 127.91136363636363 + }, + { + "columnId": "2bd55e92-18e9-4355-ad3e-7f8288af3c9a", + "isMetric": true, + "isTransposed": false, + "width": 134.53636363636366 + }, + { + "columnId": "86ad9694-4b94-466d-ac22-b789540f7933", + "isMetric": true, + "isTransposed": false, + "width": 106.63636363636363 + }, + { + "columnId": "72e4619c-aa12-45d0-bb61-958ded5356f6", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "f91b507d-812f-4108-b5ad-37ffb820bdc2", + "isMetric": true, + "isTransposed": false, + "width": 108.53636363636363 + } + ], + "layerId": "6e79cd9d-40c8-401e-be7d-6affca9c71fb", + "layerType": "data", + "sorting": null + } + }, + "title": "Table first_alert_time \u0026 last_alert_time \u0026 vpc_id \u0026 source.ip \u0026 src_country", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Top Connections/Services by Bytes Transferred", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.conn*\r\n| WHERE\r\n data_stream.dataset == \"corelight.conn\"\r\n AND capture_source == \"vpcflow\"\r\n AND (network.transport != \"icmp\" OR (\r\n network.transport == \"icmp\"\r\n AND source.ip IS NOT NULL\r\n AND (TO_STRING(source.ip) RLIKE \r\n \".*:.*\")\r\n ))\r\n AND source.ip IS NOT NULL\r\n AND destination.ip IS NOT NULL\r\n AND capture_metadata.vpc.vpc_id IS NOT NULL\r\n AND network.direction IS NOT NULL\r\n\r\n| EVAL transport = CONCAT(network.transport, \"/\", TO_STRING(destination.port))\r\n\r\n| STATS\r\n epoch_first_alert_time = MIN(@timestamp),\r\n epoch_last_alert_time = 
MAX(@timestamp),\r\n total_duration = SUM(event.duration),\r\n total_bytes_sent = SUM(source.ip_bytes),\r\n total_bytes_recv = SUM(destination.ip_bytes),\r\n total_connections = COUNT(event.id),\r\n src_country = VALUES(source.geo.country_iso_code),\r\n dest_country = VALUES(destination.geo.country_iso_code),\r\n direction = VALUES(network.direction),\r\n vpc_id = VALUES(capture_metadata.vpc.vpc_id)\r\n BY source.ip, destination.ip, transport\r\n\r\n| EVAL total_duration = total_duration / 1000\r\n\r\n| SORT total_connections DESC\r\n\r\n| EVAL formatted_total_bytes_sent =\r\n CASE(\r\n total_bytes_sent \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_sent \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_sent \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1048576.0, 2)), \" MB\"),\r\n total_bytes_sent \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_sent / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_sent), \" B\")\r\n )\r\n\r\n| EVAL formatted_total_bytes_recv =\r\n CASE(\r\n total_bytes_recv \u003e= 1099511627776,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1099511627776.0, 2)), \" TB\"),\r\n total_bytes_recv \u003e= 1073741824,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1073741824.0, 2)), \" GB\"),\r\n total_bytes_recv \u003e= 1048576,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1048576.0, 2)), \" MB\"),\r\n total_bytes_recv \u003e= 1024,\r\n CONCAT(TO_STRING(ROUND(total_bytes_recv / 1024.0, 2)), \" KB\"),\r\n TRUE,\r\n CONCAT(TO_STRING(total_bytes_recv), \" B\")\r\n )\r\n\r\n| EVAL\r\n first_alert_time = TO_DATETIME(epoch_first_alert_time)\r\n\r\n| EVAL last_alert_time = TO_DATETIME(epoch_last_alert_time)\r\n\r\n| KEEP\r\n first_alert_time,\r\n last_alert_time,\r\n vpc_id,\r\n source.ip, \r\n src_country,\r\n formatted_total_bytes_sent,\r\n direction,\r\n destination.ip,\r\n 
dest_country,\r\n transport,\r\n formatted_total_bytes_recv,\r\n total_duration,\r\n total_connections" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "94f5ebec-4159-43d4-83a0-112f408ea053", + "w": 48, + "x": 0, + "y": 153 + }, + "panelIndex": "94f5ebec-4159-43d4-83a0-112f408ea053", + "title": "Connections", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - **AWS VPC Flow**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - 
[Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 29, + "i": "c0807db3-a439-4387-8d72-a16ce0a3e51f", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "c0807db3-a439-4387-8d72-a16ce0a3e51f", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-060774b8-2302-4c63-8ffc-ec1a25a6d935", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c97c757c-8003-4419-9b60-41ee8f562ac5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6fc488ec-adaf-4e86-9e6c-4db1682cc97f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0972b470-093b-4e64-853b-ef1c577f1cf4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65474ab0-0cd1-4b2b-a954-8581793600d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aa99acf7-0e1b-44cb-97a0-ff50d9666172", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "060774b8-2302-4c63-8ffc-ec1a25a6d935": { + "columnOrder": [ + "1fb2dcff-32a8-4a5c-89ca-9889a2a4414b", + "ec1534e3-bcb9-4409-98a0-a94cf498275b", + "baa0328c-ba95-47b7-b91e-19637eb03797", + "28a1517a-e06d-46dd-8b62-95296c83902e" + ], + "columns": { + "1fb2dcff-32a8-4a5c-89ca-9889a2a4414b": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of network.direction", + "operationType": "terms", + "params": { + "accuracyMode": true, + "exclude": [], + "excludeIsRegex": false, + 
"include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "28a1517a-e06d-46dd-8b62-95296c83902e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.direction" + }, + "28a1517a-e06d-46dd-8b62-95296c83902e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "bytes in", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "destination.ip_bytes" + }, + "baa0328c-ba95-47b7-b91e-19637eb03797": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " bytes out", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "source.ip_bytes" + }, + "ec1534e3-bcb9-4409-98a0-a94cf498275b": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "c97c757c-8003-4419-9b60-41ee8f562ac5", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "6fc488ec-adaf-4e86-9e6c-4db1682cc97f", + "key": 
"query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}]}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "0972b470-093b-4e64-853b-ef1c577f1cf4", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "65474ab0-0cd1-4b2b-a954-8581793600d5", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.direction", + "index": "aa99acf7-0e1b-44cb-97a0-ff50d9666172", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": 
false, + "field": "_index", + "index": "d6d8afe5-5dea-42fb-a0cf-c2ef3e9e242f", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e342d725-fb8a-4366-820d-9187e1625274", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "curveType": "CURVE_MONOTONE_X", + "fittingFunction": "Linear", + "layers": [ + { + "accessors": [ + "baa0328c-ba95-47b7-b91e-19637eb03797", + "28a1517a-e06d-46dd-8b62-95296c83902e" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "060774b8-2302-4c63-8ffc-ec1a25a6d935", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "1fb2dcff-32a8-4a5c-89ca-9889a2a4414b", + "xAccessor": "ec1534e3-bcb9-4409-98a0-a94cf498275b" + } + ], + "legend": { + "isInside": false, + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT network.transport: icmp OR (network.transport: icmp AND source.ip: .*:.*)", + "disabled": false, + "index": "logs-*", + "key": "query", + "negate": false, + "type": "custom", + "value": "{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"bool\":{\"must_not\":[{\"term\":{\"network.transport\":\"icmp\"}}]}},{\"bool\":{\"filter\":[{\"term\":{\"network.transport\":\"icmp\"}},{\"script\":{\"script\":{\"source\":\"doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')\"}}}]}}]}}" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "bool": { + "must_not": [ + { + "term": { + "network.transport": "icmp" + } + } + ] + } + }, + { + "bool": { + "filter": [ + { + "term": { + "network.transport": "icmp" + } + }, + { + "script": { + "script": { + "source": "doc['source.ip'].size() \u003e 0 \u0026\u0026 doc['source.ip'].value.toString().contains(':')" + } + } + } + ] + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_metadata.vpc.vpc_id", + "index": "logs-*", + "key": "capture_metadata.vpc.vpc_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "capture_metadata.vpc.vpc_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "capture_source", + "index": "logs-*", + "key": "capture_source", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "capture_source": "vpcflow" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "field": "network.direction", + "index": "logs-*", + "key": "network.direction", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.direction" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "_index", + "index": "d6d8afe5-5dea-42fb-a0cf-c2ef3e9e242f", + "key": "_index", + "negate": false, + "params": { + "query": "logs-corelight.conn*" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "_index": "logs-corelight.conn*" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e342d725-fb8a-4366-820d-9187e1625274", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "corelight.conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "corelight.conn" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "43c8751d-827f-4513-8d96-7aad933137ac", + "w": 36, + "x": 12, + "y": 15 + }, + "panelIndex": "43c8751d-827f-4513-8d96-7aad933137ac", + "title": "Traffic by Direction and Bytes Transferred over Time", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Corelight] AWS VPC Flow ", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-08T05:44:26.218Z", + "id": "corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "79b479b3-ab96-4b3e-84b1-998dc63b634b:indexpattern-datasource-layer-d0f1264a-3a68-434d-8e77-02466186f0e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"df56cedd-65fe-4fd6-95df-457dbe1f74d7:indexpattern-datasource-layer-d0f1264a-3a68-434d-8e77-02466186f0e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:7abc0ea4-73fb-4e9a-95db-e9e85873f982", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:75750924-a6c8-4d14-982e-078b2d29755e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:a432253f-07b7-4990-aa94-9993fcc76176", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:02a52305-2b97-4f2c-8c23-42e44bb158fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:d33b2a4f-e773-4ce4-80c4-49a505ef7bb8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:91d1ca62-5bff-4e08-9239-89748529edf6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5209ae73-e40d-42dc-a1a5-58d39c4eafe6:50c044bc-ae03-479b-bf7c-10ee6f6b62df", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:87c04943-fd51-4aee-96ca-bd6750742106", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:b5050370-9360-42d6-9a1c-1cfc659ce894", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:afdd6c0e-49e4-452a-addb-56c8c7b321fc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:9c314438-6b71-47a5-9580-3a7ee9d802b5", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:0830b582-0ee7-4245-909a-78af8be04f2c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:d03f8f9a-91c7-4fd8-9bb0-509f99b73ed2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a29cb63-2562-4091-a650-544075715729:50d72482-aba3-41a2-bfbe-a09b888fd44f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:27d23ca9-3464-4832-8cfe-728a6a25a6fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:8363c330-2e95-4b70-9303-88b54ca36f17", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:a1d023e3-f3da-4b8c-94aa-76e6347d916e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:3510f2bb-17f6-4ad2-9179-c29acddfe03b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:2f4e225e-244d-444c-bc09-be4303c98417", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:342c7c8d-4280-474d-abeb-401b037b0ddf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efea7128-c873-409b-aebe-a301fe01d895:feeebf53-d61e-4362-b82a-6450d8312ebf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:043828ff-1a11-4991-af7b-558b04c750d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a45cba37-e588-4e13-a501-7a890827d4a2:ac10368d-9930-4a89-ba90-5070529f990d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:dcaa8554-ff5e-43d6-b648-96184d40749b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:61c093c5-bb4c-4f1f-867e-3dbbdd6aaff4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:ab565996-6195-4090-bad8-5da60194d85f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:feeeddbd-53d8-46ce-9ffb-c70086a1a5a4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a45cba37-e588-4e13-a501-7a890827d4a2:ff869537-1e64-41f0-a6f5-a21cd9dee237", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8b17e388-b864-434f-9292-d42753c329c7:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "baa08342-f7a7-4ead-bafe-57bf35e90837:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:42708bb5-f083-4a1b-b2de-2e6cb6878ce7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:12490d5c-6f51-4a1e-91c4-a914eb7b497e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:a3006dcd-c8b9-48a4-a5cd-dde9e87c26eb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:98d59e33-dc48-4559-b867-ca6830d47cc5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:b58e858f-f4a3-496a-8d1a-5f635db5da99", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:701f265b-5d26-4ffd-a4c7-434b298a476b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14ce901c-bd47-4c98-abb9-90c54727985e:f7333720-18de-470d-b3a2-60a009dd16c7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:868264ad-1815-4c35-a4e2-b1cbdad0d327", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:0de0d2df-a20d-4d1b-b3c6-e651d40757f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:5b4dca52-96a0-4513-97a2-a176d8cef1e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:2518fdab-da72-4f8e-bcb2-80fc3e5f74a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:31473c95-9765-4b59-a017-2a5c3cc08905", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:eb1000ac-f1ab-4f7b-ac8c-96d6b08d710e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7ed0b783-ab6e-4cd1-baf5-38a722cb4c85:8c61b00a-d3d8-4baa-88e2-016614d2da62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ce9d8b9-a017-4958-85a9-3a4548b4e886:indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f718c0a3-f5a5-479c-b545-7e911ab53f6c:indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80916d77-d693-4588-b6cd-d967b0e4716d:indexpattern-datasource-layer-88dc0543-fc61-42fb-8834-ee7a7ee1f0bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"72beffe3-47db-4fe7-8fcd-9a8fdda46372:indexpattern-datasource-layer-3b97646d-b562-43e7-8e91-2daac479a1cc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "036c817f-fe91-4e8e-80b1-82ebc5aaec33:indexpattern-datasource-layer-1ebeef92-3327-45ac-b95c-b41ce1fa37c0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:345787b9-3b6f-41cd-a4ea-57f727c62393", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:cb420d7a-3fe9-469f-98f1-8dc76177f7e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:5d9949f0-3bcd-4722-bada-5a84d95715e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:b2d65697-fd28-45e6-9030-a47d571fccf8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:ceda1951-cfe8-4346-a742-6be453dc6241", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:095c6744-8120-44d6-9f13-4bd5e22a4a1e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:f48a94d8-9f7a-4680-8153-c6abbd888bb5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "36ca0cd6-e98a-4045-987b-7a00bbc61b43:462edab1-05e1-423c-a03e-7dc4e9cebc87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:8e74e095-5ced-44b6-902b-44240715d2bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"c5294d5e-0599-4559-b36c-dd0640353f8e:dd6136f6-3230-4199-8b3a-db9559a76aea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:e475d1bd-b75c-4c37-9e1a-972896226e01", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:b6a75d11-45bd-48c5-9d4b-2f55eca81905", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:d5f62c5d-d44c-450f-9bdb-45693f2ba8e9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:d156a569-89cc-47d1-a84a-751a41baf8da", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:22fe7cc5-9b0e-4638-8e5f-4f032684d39a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c5294d5e-0599-4559-b36c-dd0640353f8e:0966a287-e4e1-4173-aea9-50b56cfa42e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:13cd083d-d650-4bfb-8d39-b1241a0d7ef0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:1e4c9862-3936-4a19-81cb-be74d1eb8913", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:45f3185a-4414-4107-9878-9de7d78ff89b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:2ce5c3a2-33d2-4cca-a301-c1721ea46c8d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:bf988300-4133-43c7-8bb5-9b5af2e65a2e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:e487dc98-1b45-450b-96ae-1a328c1636a7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a5facc8b-3da7-4a63-91d4-b320ba68f988:4fff2a29-0b13-48a6-9487-4d6585d090d4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5facc8b-3da7-4a63-91d4-b320ba68f988:390c942a-04e4-4b9d-95b8-70dbc10b1efb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:c47c49b9-4c99-4daa-8ec8-3719163ace63", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:847bfde0-ad15-457f-b399-f76712fe7c5e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:0dd94fa1-6c95-4a58-bd83-ecd1a89d1d31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:e4e93b86-5ae3-446e-b1c1-3db207535477", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:fb2c1ac7-7857-449e-be4e-0fb6b5a4f6a2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:3be6dadf-8a66-4b81-af7f-b73b5e4cb8b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:5d379087-e4e1-43fb-b1a7-bd94cdf6d253", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69d1a02d-bedf-446e-b939-2720a6d25df7:6ee29176-f888-4111-97da-69792f0b0687", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:81836f32-d6bb-4e2d-9ac0-9dea7fa2be23", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:a0f96a7c-e6e2-4105-902e-bce7bce04522", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:dfc1e2d1-a7d9-4c6a-b29a-e2ebc6ed1688", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:900cd464-a005-44ae-9981-965c2a057f94", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:bcb6bafa-8891-41ad-9876-a414c520482d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:6007471b-9f19-4e48-b673-fe3c9f034ba2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:ae4dca25-d609-4a87-9c76-79322f1d03a6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8cbe01ee-9c43-4697-a1d9-72824a514695:5d951a27-4e43-4df8-b5b1-129e4b3e0185", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "134685aa-6965-4cf1-93df-d20f198bf90e:indexpattern-datasource-layer-3824d4a3-66bc-4771-8711-e4635817be2d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:indexpattern-datasource-layer-3824d4a3-66bc-4771-8711-e4635817be2d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:e684b4a3-7bd1-4315-82b6-41c3680a3dd8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:6c8bf5c6-ed7b-488b-bdd5-2f0086649501", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:ca729847-b693-44a9-b80a-556ce72db5b8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:641561f0-68b9-4867-8b08-568f4c01c694", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:f06df791-03e6-4c83-ac75-8048164b3ec3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:f2a83b5a-d2d7-493f-8096-17d9225def88", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "77031a9b-20b4-431e-abcf-308794da31b9:bff0e575-58a9-4fd5-88ba-df68b412f6ee", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b9c412cc-32e0-41af-ac43-ef053fdfac90:indexpattern-datasource-layer-12fe920b-d233-480a-955b-7da85fa82e1a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b9c412cc-32e0-41af-ac43-ef053fdfac90:826478ef-90b0-45dd-84bf-629eab7e9fc2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b9c412cc-32e0-41af-ac43-ef053fdfac90:e2e9798c-1cdc-45e9-adf3-efa29b1d28ab", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b9c412cc-32e0-41af-ac43-ef053fdfac90:ab79b5a0-5ae0-4581-bd25-337b5c43efeb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a87f0f8-8da9-4a20-a906-2622e0612bc9:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:indexpattern-datasource-layer-966bd70c-5e36-4868-a1de-a89f13e92014", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:47db230e-6727-4fee-af47-57c2c82042e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:c4141336-b711-404e-8cc7-a2bcdaaf97f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:5fa75508-d792-4c8b-b6a2-c95db499e799", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:92ff096d-3f16-4e6d-98d4-73e4326738a4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:4d3ab7d8-6ee9-4b7e-b55b-90bb3629b67e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "47dab784-a590-43b3-90bf-dd2005b61eb5:157510b8-44b0-4d4c-8fe2-70e84084a9fd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"47dab784-a590-43b3-90bf-dd2005b61eb5:d6533243-1174-49c2-a5e4-feed441d99ee", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:indexpattern-datasource-layer-060774b8-2302-4c63-8ffc-ec1a25a6d935", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:c97c757c-8003-4419-9b60-41ee8f562ac5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:6fc488ec-adaf-4e86-9e6c-4db1682cc97f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:0972b470-093b-4e64-853b-ef1c577f1cf4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:65474ab0-0cd1-4b2b-a954-8581793600d5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "43c8751d-827f-4513-8d96-7aad933137ac:aa99acf7-0e1b-44cb-97a0-ff50d9666172", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_c6d88a1f-5878-4db7-b89c-33ecb859e140:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_388044d3-36a5-45c8-a5bf-0d7fe1f20464:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_146e6c58-7fe4-484c-a64c-359ec9a24ecc:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_fa4eaca2-46e1-45d4-a4a0-4ca99e7c21eb:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_063e2fd9-659e-4362-95f8-7057d21e631d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_8e126021-859a-41c0-b84a-9a44551c1c05:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0a0b3611-3250-476d-b19c-953963299235:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
diff --git a/packages/corelight/kibana/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203.json b/packages/corelight/kibana/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203.json
index 6df6d06bbe5..9e6d45fa209 100644
--- a/packages/corelight/kibana/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203.json
+++ b/packages/corelight/kibana/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203.json
@@ -14,7 +14,6 @@
 "explicitInput": {
 "dataViewId": "logs-*",
 "fieldName": "observer.hostname",
- "id": "25c95ad2-d9ce-4855-9bbe-4e949dcd4656",
 "searchTechnique": "prefix",
 "selectedOptions": [],
 "sort": {
@@ -95,7 +94,7 @@
 "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - **SSL and x509**\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)",
+ "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - **SSL and x509**\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)",
 "openLinksInNewTab": false
 },
 "title": "",
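Review bot: The updated navigation still links `[VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)` next to the new `[AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)` entry, yet the dashboard section that precedes this file on the page ends, on its new side, with `"id": "corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8"` and `"title": "[Logs Corelight] AWS VPC Flow "`. If that section is the `corelight-023162b6-…` saved-object file, the package would ship the AWS VPC Flow object in place of the VPN Insights one and the VPN Insights link here would resolve to a dashboard the package no longer contains; please confirm the new dashboard was exported to its own `corelight-caf92ff9-…json` file and that the 023162b6 file still holds the VPN Insights content. The AWS VPC Flow title also carries a trailing space, which Kibana renders verbatim, so `"title": "[Logs Corelight] AWS VPC Flow"` is presumably what was intended. The markdown panel this string belongs to continues outside the hunk.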
@@ -377,7 +376,133 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.domain", + "index": "6f6516d8-4601-4b34-bac1-24f9a787d17c", + "key": "destination.domain", + "negate": true, + "params": { + "query": "" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "destination.domain": "" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "554b25a1-9950-4801-820e-0088724f3ca3", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.domain", + "index": "logs-*", + "key": "destination.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.domain" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "tls.server.subject", + "index": "logs-*", + "key": "tls.server.subject", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "tls.server.subject" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "233db244-dacc-4687-a304-18d0dac87659", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "08304475-a100-4296-985d-740ca532fbeb", + "key": "observer.hostname", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + 
} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -583,7 +708,82 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "564afe32-0721-4c57-8b43-b94c74fa2c21", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "477d7f4d-43f5-442f-b7ce-6fc12a7e6af7", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "tls.cipher", + "index": "5edd4f63-31ae-4fd3-9ce1-1cb972d3deee", + "key": "tls.cipher", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "tls.cipher" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
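Review bot: The panel-level filters added in this hunk set `meta.index` to a different UUID per filter (`6f6516d8-…`, `554b25a1-…`, `233db244-…`, `08304475-…`) while the nested `params` entries of the combined filter use `"index": "logs-*"`; the UUIDs look like data view ids from the authoring Kibana instance and will not exist where the package is installed. Kibana is expected to still send the `query` part of each filter, but the pill may render as pointing at an unknown data view and the export is not portable, so `"index": "logs-*"` is the safer value for every filter, as in the references this same commit adds. The same pattern recurs in the @@ -583, @@ -811 and @@ -996 hunks of this file, in the @@ -1292 and @@ -1701 hunks of the Connections dashboard, and in the @@ -691 hunk of the Suricata dashboard. As a minor consistency point, the fourth filter (`observer.hostname` exists) omits the `"value": "exists"` key that the other exists filters carry.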
@@ -811,7 +1011,82 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "6fb9f18b-2091-498b-b6e3-8580b674b44e", + "key": "event.dataset", + "negate": false, + "params": { + "query": "x509" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "x509" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "abf12c96-6668-46a4-a639-adfe96bbc996", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.x509.subject.distinguished_name", + "index": "85ac0951-223d-413f-87de-ff2d3640aa85", + "key": "file.x509.subject.distinguished_name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "file.x509.subject.distinguished_name" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -996,7 +1271,82 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "6fb9f18b-2091-498b-b6e3-8580b674b44e", + "key": "event.dataset", + "negate": false, + "params": { + "query": "x509" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "x509" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "abf12c96-6668-46a4-a639-adfe96bbc996", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.x509.subject.distinguished_name", + "index": "85ac0951-223d-413f-87de-ff2d3640aa85", + "key": "file.x509.subject.distinguished_name", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "file.x509.subject.distinguished_name" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -1012,12 +1362,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] SSL and x509", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T09:38:44.329Z", + "created_at": "2026-01-06T09:23:32.354Z", "id": "corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203", - "managed": false, "references": [ { "id": "logs-*", 
@@ -1048,6 +1397,11 @@ "id": "logs-*", "name": "controlGroup_25c95ad2-d9ce-4855-9bbe-4e949dcd4656:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb.json b/packages/corelight/kibana/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb.json index 2c72c651af3..8081cdaabdf 100644 --- a/packages/corelight/kibana/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb.json +++ b/packages/corelight/kibana/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "network.protocol", - "id": "012bb6c6-f9ee-4c39-8e75-7c4dee5a5026", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -32,7 +31,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "0168efe7-05c1-4272-a872-b1c823371951", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -50,7 +48,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "source.ip", - "id": "1d3b9da1-34a5-4de7-9da7-0c21106b5dc8", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -68,7 +65,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "source.port", - "id": "2c37ab99-5bda-4366-8bb3-235facbbff93", "searchTechnique": "exact", "selectedOptions": [], "sort": { @@ -86,7 +82,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "destination.ip", - "id": "8b2ad078-061b-4a83-ba8d-55aa43f40bdf", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -104,7 +99,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "destination.port", - "id": "fab65a21-501b-40ed-b010-2856d20d5c6c", "searchTechnique": "exact", "selectedOptions": [], "sort": { 
@@ -425,7 +419,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - **Connections**\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- **Data Explorer**\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - **Connections**\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", @@ -575,7 +569,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -724,7 +730,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, @@ -868,7 +886,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -1012,7 +1042,19 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -1292,7 +1334,74 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "86b01239-d28a-407e-915f-49e8099cb0ca", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "conn.local_orig", + "index": "logs-*", + "key": "conn.local_orig", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "conn.local_orig": true + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "conn.local_resp", + "index": "logs-*", + "key": "conn.local_resp", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "conn.local_resp": false + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, 
@@ -1418,10 +1527,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs*\r\n| where event.dataset == \"conn\" and (source.ip is not null or destination.ip is not null) and source.ip not in (\"0.0.0.0\", \"255.255.255.255\") and destination.ip not in (\"0.0.0.0\", \"255.255.255.255\") and observer.hostname is not null and network.protocol is not null and source.port is not null and destination.port is not null and event.duration is not null\r\n| limit 10000\r\n| stats values(event.id), avg(event.duration), values(source.ip), values(destination.ip), values(network.transport) by event.id\r\n| eval Duration = `avg(event.duration)`/1000000000\r\n| rename `values(event.id)` as UID, `values(source.ip)` as `Source IP`, `values(destination.ip)` as `Destination IP`, `values(network.transport)` as Proto \r\n| sort Duration desc\r\n| limit 10\r\n| keep UID, Duration, `Source IP`, `Destination IP`, Proto" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
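Review bot: The ES|QL query added for this datatable applies `| limit 10000` before `stats`, so the average duration and the top-10 sort that follows are computed over whichever 10 000 conn rows the query reads first rather than over the whole selected time range; unless that sampling is deliberate, drop the pre-aggregation limit and keep only the final `| limit 10` (the result-size cap applies to the final output, not to the rows `stats` consumes). `from logs*` also scans every logs index instead of the Corelight data streams (the Suricata panels in this commit use `FROM logs-corelight.suricata*`), so a narrower source such as `from <corelight-conn-data-stream-pattern>` would be cheaper and would avoid unrelated documents that happen to have `event.dataset == "conn"`. `source.ip not in (...)` should evaluate to null when `source.ip` is null and the row is then dropped, so the `(source.ip is not null or destination.ip is not null)` clause behaves as an AND already and could be simplified. The two ES|QL panels of the Suricata dashboard (@@ -925 and @@ -1136) carry the same pre-aggregation `LIMIT 10000`.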
@@ -1701,7 +1818,74 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "06c8fb30-b5e1-42d7-ad6f-e4e9c008a38f", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "conn.local_orig", + "index": "logs-*", + "key": "conn.local_orig", + "negate": false, + "params": { + "query": false + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "conn.local_orig": false + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "conn.local_resp", + "index": "logs-*", + "key": "conn.local_resp", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "conn.local_resp": true + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, @@ -1717,12 +1901,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] Connections", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T10:43:21.751Z", + "created_at": "2026-01-06T09:23:24.594Z", "id": "corelight-eff0434c-1e27-4c02-959e-9f5d95488efb", - "managed": false, "references": [ { "id": "logs-*", 
@@ -1803,6 +1986,26 @@ "id": "logs-*", "name": "controlGroup_012bb6c6-f9ee-4c39-8e75-7c4dee5a5026:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb.json b/packages/corelight/kibana/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb.json index 53df9eee61b..dee17a5f480 100644 --- a/packages/corelight/kibana/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb.json +++ b/packages/corelight/kibana/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb.json @@ -20,7 +20,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "53fb0468-7828-495e-9acf-0dcde0d4ee11", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", @@ -47,7 +46,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "9f440d0a-0642-494a-b8dd-003dc9f07ccd", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", @@ -74,7 +72,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "a7496e44-f00e-4f13-873b-8ba4fd31772f", "placeholder": null, "runPastTimeout": null, "searchTechnique": "exact", @@ -101,7 +98,6 @@ "hideExclude": null, "hideExists": null, "hideSort": null, - "id": "c535a1bc-d749-482a-8169-f700f5430ad4", "placeholder": null, "runPastTimeout": null, "searchTechnique": "prefix", 
@@ -264,7 +260,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - **Corelight Suricata IDS Alert Overview**\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - **Corelight Suricata IDS Alert Overview**\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", @@ -405,7 +401,19 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 19, 
@@ -488,8 +496,20 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, @@ -572,8 +592,20 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, @@ -691,8 +723,57 @@ "type": "lens", "visualizationType": "lnsMetric" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "rule.name : *cve* OR suricata.alert.metadata_original : *cve*", + "disabled": false, + "index": "7f7e40b2-410a-4e70-bac0-48804120031c", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "wildcard": { + "rule.name": { + "case_insensitive": true, + "value": "*cve*" + } + } + }, + { + "wildcard": { + "suricata.alert.metadata_original": { + "case_insensitive": true, + "value": "*cve*" + } + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
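Review bot: The custom filter added in the @@ -691 hunk uses leading-wildcard `*cve*` clauses with `case_insensitive: true` on `rule.name` and `suricata.alert.metadata_original`; a leading wildcard on a keyword field can require enumerating every term of that field, which is fine on a small alert set but grows with index size and is likely the most expensive predicate on this dashboard. The alias `rule.name : *cve* OR suricata.alert.metadata_original : *cve*` is helpful, but it does not mention the case-insensitive match, so the pill slightly under-describes what runs; consider stating it there. The `meta.index` value `7f7e40b2-…` is another environment-specific data view id rather than `logs-*`, as in the other panel filters of this commit.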
@@ -817,7 +898,19 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, @@ -925,10 +1018,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.suricata*\r\n| WHERE event.dataset == \"suricata_corelight\"\r\n| LIMIT 10000\r\n| STATS COUNT(), COUNT_DISTINCT(rule.signature_id) by source.ip\r\n| RENAME `COUNT_DISTINCT(rule.signature_id)` as `Number of Rules`, `COUNT()` as `Number of Hits`, source.ip as `Source IP`\r\n| SORT `Number of Rules` DESC, `Number of Hits` ASC\r\n| KEEP `Source IP`, `Number of Rules`,`Number of Hits`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, @@ -1136,10 +1237,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "FROM logs-corelight.suricata*\r\n| WHERE event.dataset == \"suricata_corelight\"\r\n| LIMIT 10000\r\n| STATS COUNT(), COUNT_DISTINCT(source.ip) by event.severity, rule.signature_id, rule.name\r\n| RENAME event.severity as Severity, rule.name as Signature, rule.signature_id as SID, `COUNT_DISTINCT(source.ip)` as `Number of Sources`, `COUNT()` as Count\r\n| SORT `Number of Sources` DESC, Count DESC\r\n| KEEP Severity, Signature, SID, `Number of Sources`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, 
@@ -1155,7 +1264,11 @@ { "embeddableConfig": { "description": "", - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "rowsPerPage": 10 }, "gridData": { @@ -1173,12 +1286,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] Corelight Suricata IDS Alert Overview", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T07:34:26.789Z", + "created_at": "2026-01-06T09:23:25.290Z", "id": "corelight-f1208ffe-d168-46d1-9531-24de523d1bfb", - "managed": false, "references": [ { "id": "logs-*", @@ -1205,6 +1317,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern" }, + { + "id": "corelight-25c4969f-1368-433e-905d-fda0ae7e4923", + "name": "d6b0d9e6-0afa-481d-a617-1618154d0f0b:panel_d6b0d9e6-0afa-481d-a617-1618154d0f0b", + "type": "search" + }, { "id": "logs-*", "name": "15375c4f-775f-447b-a75d-4fdc6377b076:indexpattern-datasource-layer-70d67ee8-99ab-4577-bf0c-06f15b38818f", @@ -1230,11 +1347,6 @@ "name": "1d400e9f-5ccd-4afc-b22e-330166d5a8dd:indexpattern-datasource-layer-a9912cf0-82d6-4ee2-afba-dc23035bfa5d", "type": "index-pattern" }, - { - "id": "corelight-25c4969f-1368-433e-905d-fda0ae7e4923", - "name": "d6b0d9e6-0afa-481d-a617-1618154d0f0b:panel_d6b0d9e6-0afa-481d-a617-1618154d0f0b", - "type": "search" - }, { "id": "logs-*", "name": "controlGroup_53fb0468-7828-495e-9acf-0dcde0d4ee11:optionsListDataView", 
@@ -1254,6 +1366,31 @@ "id": "logs-*", "name": "controlGroup_c535a1bc-d749-482a-8169-f700f5430ad4:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json b/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json index cd8632a525b..c997f7543ce 100644 --- a/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json +++ b/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json @@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "observer.hostname", - "id": "31c87e45-d99f-4836-b47c-d7bf6892d9f6", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
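Review bot: This hunk appends `kibanaSavedObjectMeta.searchSourceJSON.filter[0]` through `filter[4]` `.meta.index` references to the Suricata dashboard, but the context of the preceding @@ -1205 hunk already shows a `filter[4].meta.index` entry in the same `references` array, so the saved object ends up with duplicate reference names (and presumably duplicates for `filter[0]`–`filter[3]` too, if they sit just above that line). Kibana looks references up by name, so the duplicates are probably harmless, but the array should be deduplicated so the export stays clean and diffable. The corresponding reference hunks for the Connections (@@ -1803) and SSL and x509 (@@ -1048) dashboards should be checked for the same overlap, since their existing entries are outside this view.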
@@ -71,7 +70,7 @@ "description": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - **Remote Activity Insights**\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- **Data Insights**\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - 
**Remote Activity Insights**\n- Security Workflows\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", 
@@ -346,8 +345,163 @@ "visualizationType": "lnsMetric" }, "description": "Total count of RDP success and failed actions within the specified time.", - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "646f43db-a468-43ae-8853-1972c048abc4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ], + "type": "phrases", + "value": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "rdp.result": "Success" + } + }, + { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + ] + } + } 
+ }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "event.outcome" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
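Review bot: The outer combined filter's `meta.index` is set to `"646f43db-a468-43ae-8853-1972c048abc4"`, which looks like a data view id from the authoring Kibana instance rather than the `logs-*` data view that the nested filters and this dashboard's `references` use; on a fresh import that id is unlikely to resolve, so the filter pill may not be editable even though the inline `query` still applies. The equivalent hunk at -964 uses `"index": "logs-*"` in the same position, so this line should be aligned to `"index": "logs-*",`. The same opaque ids appear in the hunks at -598 (`83380797-…`), -1345 (`35400392-…`), -1612 (`964c174e-…`), -2140 (`34be19f7-…`) and, in the Notices dashboard, at -620 (`7a9293b3-…`, `adbc8cd3-…`, `d3be8701-…`). The enclosing panel object starts and ends outside the hunk.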
@@ -598,8 +752,148 @@ "visualizationType": "lnsMetric" }, "description": "Total count of users with login failures within the specified time.", - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "83380797-fbed-492f-a0be-648f9c64bcc5", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": { + "query": "SSL_NOT_ALLOWED_BY_SERVER" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + 
"type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
@@ -964,7 +1258,162 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ], + "type": "phrases", + "value": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "rdp.result": "Success" + } + }, + { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", 
+ "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "event.outcome" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1345,8 +1794,148 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "35400392-619e-40cf-aae1-7cc1635b3a11", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": { + "query": "SSL_NOT_ALLOWED_BY_SERVER" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"event.outcome": "failure" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 16, 
@@ -1612,8 +2201,161 @@ "visualizationType": "lnsMetric" }, "description": "Total count of VPN connections that have the following inferences NSP - Non-Standard Port RW - Road warrior configuration detected (i.e. Cisco Anyconnect) COM - Commercial VPN service occurring at the same time which is deemed suspicious.", - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "964c174e-b61d-4dd0-ab95-34c18ad549ee", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "COM" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "COM" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": 
"vpn.inferences", + "negate": false, + "params": { + "query": "RW" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "RW" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "NSP" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "NSP" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
@@ -1731,11 +2473,19 @@ "visualizationType": "lnsMetric" }, "description": "Total count of VPN connections using potentially unusual connection configurations such as static TLS key auth", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as Source, destination.ip as Responder, `values(destination.geo.country_iso_code)` as `Responder Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as count\r\n| keep Source, Responder,Inferences,`Responder Country`, `VPN Type`, count\r\n| stats count()\r\n| rename `count()` as `Suspected Data Exfiltration`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
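Review bot: In the new `esql` query `| limit 10000` comes before `| where`, so the vendor/dataset/inference filter is applied to an arbitrary 10000-row slice of `logs-corelight.various-*` instead of to all matching rows, and the `Suspected Data Exfiltration` metric can silently undercount once the data stream grows past that size. The Notices dashboard queries in this same commit put `where` first; the pipeline should read `from logs-corelight.various-*\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| limit 10000\r\n| stats …`, and the remaining cap is worth stating in the panel description since it still bounds the count. The same ordering appears in the hunks at -2292, -2374 and -2582. Separately, the trailing `stats count()` counts the distinct `source.ip`/`destination.ip` pairs produced by the preceding `stats … by`, while the description says "Total count of VPN connections"; one of the two should be adjusted if connections rather than pairs is intended.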
@@ -2140,8 +2890,161 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "34be19f7-42d1-4889-8d3f-928ef606c522", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "COM" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "COM" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "RW" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "RW" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "NSP" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "NSP" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -2292,11 +3195,19 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as `Source IP`, destination.ip as `Destination IP`, `values(destination.geo.country_iso_code)` as `Destination Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as Count\r\n| keep `Source IP`, `Destination IP`,Inferences,`Destination Country`, `VPN Type`, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -2374,11 +3285,19 @@ "visualizationType": "lnsMetric" }, "description": "Total count of VPN connections that are using the RW- Road warrior configuration detected (i.e. Cisco Anyconnect) and FW - Firewall subversion inferences", - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in ( \"RW\", \"FW\" )\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as Source, `values(destination.ip)` as Destination, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as dest_port,`values(source.bytes)` as Bytes, `count()` as count\r\n| keep Source, Destination,Proto,Inferences,dest_port,Bytes,count\r\n| stats count()\r\n| rename `count()` as `Possible Unauthorized Remote Access Attempts`" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 10, 
@@ -2582,11 +3501,19 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {}, - "hidePanelTitles": true + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"RW\", \"FW\")\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as `Source IP`, `values(destination.ip)` as `Destination IP`, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as `Destination Port`,`values(source.bytes)` as Bytes, `count()` as Count\r\n| keep `Source IP`, `Destination IP`,Proto,Inferences,`Destination Port`,Bytes, Count" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -2608,12 +3535,11 @@ "timeRestore": true, "timeTo": "now", "title": "[Logs Corelight] Remote Activity Insights", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-02-06T07:20:17.301Z", + "created_at": "2026-01-06T09:23:39.450Z", "id": "corelight-f4864774-ed73-4b78-b861-5b8235ec12cf", - "managed": false, "references": [ { "id": "logs-*", diff --git a/packages/corelight/kibana/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618.json b/packages/corelight/kibana/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618.json index c9ab14b89a6..db9aeb013fa 100644 --- a/packages/corelight/kibana/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618.json +++ b/packages/corelight/kibana/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618.json 
@@ -14,7 +14,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "severity.name", - "id": "224819c3-9d2a-4c3a-bb89-9817b0833a8f", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -32,7 +31,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "notice.message", - "id": "7c5460fc-7b12-474c-9293-a9953c6e2743", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -50,7 +48,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "network.transport", - "id": "9063f853-fa9a-48c7-9af7-43a722080b85", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -68,7 +65,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "destination.port", - "id": "9414aa6d-01b3-4a10-bb5d-7809afca36c5", "searchTechnique": "exact", "selectedOptions": [], "sort": { @@ -86,7 +82,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "source.ip", - "id": "ececffb2-34d8-4be8-8708-2eea73ee3223", "searchTechnique": "prefix", "selectedOptions": [], "sort": { @@ -104,7 +99,6 @@ "explicitInput": { "dataViewId": "logs-*", "fieldName": "notice.note", - "id": "f828f95e-cae2-44d0-8a3c-8bbac711aa63", "searchTechnique": "prefix", "selectedOptions": [], "sort": { 
@@ -207,7 +201,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - **Notices**\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote 
Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - [Log Hunting](#/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3)\n - **Notices**\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", "openLinksInNewTab": false }, "title": "", @@ -346,7 +340,19 @@ "type": "lens", "visualizationType": "lnsXY" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 17, 
@@ -620,7 +626,150 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "7a9293b3-ed59-48b3-8ba3-d34c544ea108", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "notice.note", + "index": "logs-*", + "key": "notice.note", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "notice.note" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.transport", + "index": "logs-*", + "key": "network.transport", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.transport" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.p", + "index": "logs-*", + "key": "notice.p", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "notice.p" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "notice.message", + "index": "adbc8cd3-3b7a-442d-afa9-99cd8044506d", + "key": "notice.message", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "notice.message" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "severity.level", + 
"index": "d3be8701-26db-42f7-87d2-c9c65110d865", + "key": "severity.level", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "severity.level" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, @@ -738,10 +887,18 @@ "type": "lens", "visualizationType": "lnsPie" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various*\r\n| where event.dataset == \"notice\" and (notice.note is not null or source.ip is not null or destination.ip is not null or network.transport is not null or notice.p is not null)and notice.message is not null and severity.level is not null\r\n| limit 10000\r\n| stats values(severity.name),values(severity.level), count() by severity.name \r\n| eval severity_display = concat(`values(severity.name)`,\" (\",to_string(`values(severity.level)`),\")\")\r\n| rename severity_display as Severity, `count()` as Total\r\n| keep Severity, Total" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 15, 
@@ -850,10 +1007,18 @@ "type": "lens", "visualizationType": "lnsDatatable" }, - "disabledActions": [ - "OPEN_FLYOUT_ADD_DRILLDOWN" - ], - "enhancements": {} + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| where event.dataset == \"notice\" and (notice.note is not null or source.ip is not null or destination.ip is not null or network.transport is not null or notice.p is not null)and notice.message is not null and severity.level is not null\r\n| limit 10000\r\n| stats values(notice.note), values(network.transport), values(destination.port), values(severity.name),values(severity.level) by notice.note, severity.name, severity.level, destination.port\r\n| eval severity_display = concat(`values(severity.name)`,\" (\",to_string(`values(severity.level)`),\")\"), pp = concat(`values(network.transport)`,\"/\",to_string(`values(destination.port)`))\r\n| stats values(pp), values(severity_display) by `values(notice.note)`, `values(severity.name)`\r\n| rename `values(notice.note)` as Notes, `values(severity_display)` as Severity, `values(pp)` as Protocol\r\n| keep Notes, Severity, Protocol\r\n" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, "gridData": { "h": 18, @@ -869,7 +1034,11 @@ { "embeddableConfig": { "description": "", - "enhancements": {}, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, "rowsPerPage": 10 }, "gridData": { @@ -887,12 +1056,11 @@ ], "timeRestore": false, "title": "[Logs Corelight] Notices", - "version": 2 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T09:51:22.712Z", + "created_at": "2026-01-06T09:23:36.403Z", "id": "corelight-f7da14f0-85db-48e8-a591-1f650af0f618", - "managed": false, "references": [ { "id": "logs-*", 
@@ -904,6 +1072,11 @@ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern" }, + { + "id": "corelight-e0f9718e-23ec-4c36-8040-d687fc177db4", + "name": "3f4fb014-0abd-4274-9650-989177839367:panel_3f4fb014-0abd-4274-9650-989177839367", + "type": "search" + }, { "id": "logs-*", "name": "86499a6b-7a82-4079-bf25-32deec75f97a:indexpattern-datasource-layer-d9e882dd-717b-4717-87a1-c2e08632b490", @@ -914,11 +1087,6 @@ "name": "37bcafa0-0746-4f5f-9a2f-2e78b0bdec80:indexpattern-datasource-layer-cf0ee37a-ae63-4731-8995-9b2313ce3e22", "type": "index-pattern" }, - { - "id": "corelight-e0f9718e-23ec-4c36-8040-d687fc177db4", - "name": "3f4fb014-0abd-4274-9650-989177839367:panel_3f4fb014-0abd-4274-9650-989177839367", - "type": "search" - }, { "id": "logs-*", "name": "controlGroup_ececffb2-34d8-4be8-8708-2eea73ee3223:optionsListDataView", @@ -948,6 +1116,16 @@ "id": "logs-*", "name": "controlGroup_7c5460fc-7b12-474c-9293-a9953c6e2743:optionsListDataView", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" } ], "type": "dashboard", diff --git a/packages/corelight/kibana/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3.json b/packages/corelight/kibana/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3.json index 44cd22ca95a..bca40627e89 100644 --- a/packages/corelight/kibana/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3.json +++ b/packages/corelight/kibana/dashboard/corelight-ff07e65c-2703-4cbe-a45f-3881025352a3.json 
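Review bot: The hunk at -948 appends two references named `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` and `kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index`, while the context of the hunk at -904 in this same file already shows a reference with the `filter[1].meta.index` name (and presumably a `filter[0]` sibling just above it), so after the change the `references` array appears to carry duplicate names both pointing at `logs-*`. Duplicates are harmless at injection time while the ids agree, but they suggest the export appended rather than replaced the entries and they will drift if one is later repointed; either the added block or the earlier pair should be dropped so each reference name appears once. The `references` array starts outside the hunk, so this should be confirmed against the full file.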
@@ -1,729 +1,766 @@ { - "attributes": { - "controlGroupInput": { - "chainingSystem": "HIERARCHICAL", - "controlStyle": "oneLine", - "ignoreParentSettingsJSON": { - "ignoreFilters": false, - "ignoreQuery": false, - "ignoreTimerange": false, - "ignoreValidations": false - }, - "panelsJSON": { - "1a827133-990a-4211-beb7-24bf597620d5": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "source.ip", - "id": "1a827133-990a-4211-beb7-24bf597620d5", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false }, - "title": "Source IP" - }, - "grow": true, - "order": 1, - "type": "optionsListControl", - "width": "medium" - }, - "322b1482-8b1c-4ef0-ab99-07fc602522a0": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "network.community_id", - "id": "322b1482-8b1c-4ef0-ab99-07fc602522a0", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "community_id" - }, - "grow": true, - "order": 5, - "type": "optionsListControl", - "width": "medium" - }, - "4afae7f6-00f9-45f1-89b0-1e2bdaf0dab2": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "log.id.fuid", - "id": "4afae7f6-00f9-45f1-89b0-1e2bdaf0dab2", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "fuid" - }, - "grow": true, - "order": 4, - "type": "optionsListControl", - "width": "medium" - }, - "88a5a7d1-e872-4f20-906c-dd565b44fbde": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "event.dataset", - "id": "88a5a7d1-e872-4f20-906c-dd565b44fbde", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - 
"direction": "desc" - }, - "title": "Sourcetype" - }, - "grow": true, - "order": 0, - "type": "optionsListControl", - "width": "medium" - }, - "b688861e-b689-4ed9-88ee-228b6fd40895": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "destination.ip", - "id": "b688861e-b689-4ed9-88ee-228b6fd40895", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "Destination IP" - }, - "grow": true, - "order": 2, - "type": "optionsListControl", - "width": "medium" - }, - "f3ad773e-b9af-40a2-b5f9-1f0bae0f66c7": { - "explicitInput": { - "dataViewId": "logs-*", - "fieldName": "event.id", - "id": "f3ad773e-b9af-40a2-b5f9-1f0bae0f66c7", - "searchTechnique": "prefix", - "selectedOptions": [], - "sort": { - "by": "_count", - "direction": "desc" - }, - "title": "uid" - }, - "grow": true, - "order": 3, - "type": "optionsListControl", - "width": "medium" - } - }, - "showApplySelections": false - }, - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "source.ip", - "index": "logs-*", - "key": "source.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "source.ip" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "destination.ip", - "index": "logs-*", - "key": "destination.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "destination.ip" - } - } + "panelsJSON": { + "1a827133-990a-4211-beb7-24bf597620d5": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "source.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", 
+ "direction": "desc" + }, + "title": "Source IP" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "event.id", - "index": "logs-*", - "key": "event.id", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "event.id" - } - } + "322b1482-8b1c-4ef0-ab99-07fc602522a0": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "network.community_id", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "community_id" + }, + "grow": true, + "order": 5, + "type": "optionsListControl", + "width": "medium" }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "log.id.fuid", - "index": "logs-*", - "key": "log.id.fuid", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "log.id.fuid" - } - } + "4afae7f6-00f9-45f1-89b0-1e2bdaf0dab2": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "log.id.fuid", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "fuid" + }, + "grow": true, + "order": 4, + "type": "optionsListControl", + "width": "medium" }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "log.id.resp_fuids", - "index": "logs-*", - "key": "log.id.resp_fuids", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "log.id.resp_fuids" - } - } + "88a5a7d1-e872-4f20-906c-dd565b44fbde": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.dataset", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Sourcetype" + }, + "grow": 
true, + "order": 0, + "type": "optionsListControl", + "width": "medium" }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "network.community_id", - "index": "logs-*", - "key": "network.community_id", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "network.community_id" - } - } + "b688861e-b689-4ed9-88ee-228b6fd40895": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "destination.ip", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Destination IP" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "log.id.uids", - "index": "logs-*", - "key": "log.id.uids", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "log.id.uids" - } - } + "f3ad773e-b9af-40a2-b5f9-1f0bae0f66c7": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.id", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "uid" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" } - ], - "relation": "OR", - "type": "combined" - }, - "query": {} - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": "NOT event.dataset: corelight_*", - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "query", - "negate": false, - "type": "custom" }, - "query": { - "bool": { - "must_not": [ - { - "wildcard": { - "event.dataset": "corelight_*" + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, 
+ "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "index": "logs-*", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "index": "logs-*", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "event.id", + "index": "logs-*", + "key": "event.id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "event.id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "log.id.fuid", + "index": "logs-*", + "key": "log.id.fuid", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "log.id.fuid" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "log.id.resp_fuids", + "index": "logs-*", + "key": "log.id.resp_fuids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "log.id.resp_fuids" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.community_id", + "index": "logs-*", + "key": "network.community_id", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.community_id" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "log.id.uids", + "index": 
"logs-*", + "key": "log.id.uids", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "log.id.uids" + } + } + } + ], + "relation": "OR", + "type": "combined" + }, + "query": {} + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": "NOT event.dataset: corelight_*", + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "query", + "negate": false, + "type": "custom" + }, + "query": { + "bool": { + "must_not": [ + { + "wildcard": { + "event.dataset": "corelight_*" + } + } + ] + } + } } - } - ] - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": false, - "syncCursor": true, - "syncTooltips": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "description": "", - "enhancements": { - "dynamicActions": { - "events": [] - } - }, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], + ], "query": { - "language": "kuery", - "query": "" + "language": "kuery", + "query": "" } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - **Log Hunting**\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - 
[SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)\n", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } + } }, - "gridData": { - "h": 32, - "i": "4fdcfd48-8aaa-424d-b097-d7249313e64c", - "w": 12, - "x": 0, - "y": 0 + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true }, - "panelIndex": "4fdcfd48-8aaa-424d-b097-d7249313e64c", - "title": "Table of Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-926c4539-754a-4608-84f1-327fd0fefd96", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "926c4539-754a-4608-84f1-327fd0fefd96": { - "columnOrder": [ - "4bafff9f-bb33-4882-b2b7-0623859a7da2", - "f3b60463-7320-426c-9d68-42e6a9749c5f" - ], - "columns": { - "4bafff9f-bb33-4882-b2b7-0623859a7da2": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Source Type", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - 
"include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "f3b60463-7320-426c-9d68-42e6a9749c5f", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "event.dataset" - }, - "f3b60463-7320-426c-9d68-42e6a9749c5f": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Total", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "___records___" + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- Data Insights\n - [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n - [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n - [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n- **Security Workflows**\n - [Intel](#/dashboard/corelight-323b0f27-993e-4fee-ae6e-b5977d7cab11)\n - [IP Interrogation](#/dashboard/corelight-3a4a279f-f238-47de-90ba-f643c5647fde)\n - **Log Hunting**\n - [Notices](#/dashboard/corelight-f7da14f0-85db-48e8-a591-1f650af0f618)\n - [RDP Inferences Overview](#/dashboard/corelight-2d4dc345-cbbe-4d7a-9203-5ab11c8cb5ba)\n - [SSH Inferences Overview](#/dashboard/corelight-65a5fa91-06e4-459b-b4bb-998c85a6cf08)\n - [Corelight Suricata IDS 
Alert Overview](#/dashboard/corelight-f1208ffe-d168-46d1-9531-24de523d1bfb)\n - [VPN Insights](#/dashboard/corelight-023162b6-94da-4d8d-b1f6-de6192356cce)\n- Data Explorer\n - [AWS VPC Flow](#/dashboard/corelight-caf92ff9-71b9-402c-813a-75ba5a3cb3b8)\n - [Connections](#/dashboard/corelight-eff0434c-1e27-4c02-959e-9f5d95488efb)\n - [DNS](#/dashboard/corelight-58885f47-95e1-4242-a1ee-783de69ace17)\n - [Files](#/dashboard/corelight-0cfc8a95-4979-4265-b9ad-91edf63f01a9)\n - [HTTP](#/dashboard/corelight-8c5f15f7-7063-4228-be54-fb8c20b29caa)\n - [Software](#/dashboard/corelight-40bbc19b-dd9c-4b43-a88a-e29fc8701902)\n - [SSL and x509](#/dashboard/corelight-e4a93cfe-4b1f-44df-ab99-50c74f6f2203)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} } - } }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 32, + "i": "4fdcfd48-8aaa-424d-b097-d7249313e64c", + "w": 12, + "x": 0, + "y": 0 }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "4fdcfd48-8aaa-424d-b097-d7249313e64c", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-926c4539-754a-4608-84f1-327fd0fefd96", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "926c4539-754a-4608-84f1-327fd0fefd96": { + "columnOrder": [ + 
"4bafff9f-bb33-4882-b2b7-0623859a7da2", + "f3b60463-7320-426c-9d68-42e6a9749c5f" + ], + "columns": { + "4bafff9f-bb33-4882-b2b7-0623859a7da2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "f3b60463-7320-426c-9d68-42e6a9749c5f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.dataset" + }, + "f3b60463-7320-426c-9d68-42e6a9749c5f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "926c4539-754a-4608-84f1-327fd0fefd96", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "f3b60463-7320-426c-9d68-42e6a9749c5f" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "4bafff9f-bb33-4882-b2b7-0623859a7da2" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + 
"type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "926c4539-754a-4608-84f1-327fd0fefd96", - "layerType": "data", - "legendDisplay": "show", - "metrics": ["f3b60463-7320-426c-9d68-42e6a9749c5f"], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": ["4bafff9f-bb33-4882-b2b7-0623859a7da2"], - "truncateLegend": false - } - ], - "shape": "pie" - } + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "47ad5a2f-fb57-4348-9666-4061ea2ef49b", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "47ad5a2f-fb57-4348-9666-4061ea2ef49b", + "title": "Filtered Corelight data for this unique entity [Logs Corelight]", + "type": "lens" }, - "title": "", - "type": "lens", - "visualizationType": "lnsPie" - }, - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "47ad5a2f-fb57-4348-9666-4061ea2ef49b", - "w": 36, - "x": 12, - "y": 0 - }, - "panelIndex": "47ad5a2f-fb57-4348-9666-4061ea2ef49b", - "title": "Filtered Corelight data for this unique entity [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-26a83693-9fca-4ff5-bf8c-44d42d1f13b9", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "26a83693-9fca-4ff5-bf8c-44d42d1f13b9": { - "columnOrder": [ - "a1a09e30-c313-4495-9d78-d25ebc8e57a8", - "ad9d2b7f-c79d-4e98-940a-072f8a48872a" - ], - "columns": { - "a1a09e30-c313-4495-9d78-d25ebc8e57a8": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Source Type", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - 
"missingBucket": false, - "orderBy": { - "columnId": "ad9d2b7f-c79d-4e98-940a-072f8a48872a", - "type": "column" + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26a83693-9fca-4ff5-bf8c-44d42d1f13b9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "26a83693-9fca-4ff5-bf8c-44d42d1f13b9": { + "columnOrder": [ + "a1a09e30-c313-4495-9d78-d25ebc8e57a8", + "ad9d2b7f-c79d-4e98-940a-072f8a48872a" + ], + "columns": { + "a1a09e30-c313-4495-9d78-d25ebc8e57a8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Source Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "ad9d2b7f-c79d-4e98-940a-072f8a48872a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.dataset" + }, + "ad9d2b7f-c79d-4e98-940a-072f8a48872a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "event.dataset" - }, - 
"ad9d2b7f-c79d-4e98-940a-072f8a48872a": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } + "visualization": { + "layers": [ + { + "accessors": [ + "ad9d2b7f-c79d-4e98-940a-072f8a48872a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "26a83693-9fca-4ff5-bf8c-44d42d1f13b9", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "a1a09e30-c313-4495-9d78-d25ebc8e57a8" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_horizontal", + "title": "Empty XY chart", + "valueLabels": "hide" } - }, - "scale": "ratio", - "sourceField": "___records___" + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] } - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false }, - "indexpattern": { - "layers": {} + "gridData": { + "h": 18, + "i": "ba9d680d-7753-42c8-8b16-c097ecff527c", + "w": 36, + "x": 12, + "y": 14 }, - "textBased": { - "layers": {} - } - }, - "filters": [], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": ["ad9d2b7f-c79d-4e98-940a-072f8a48872a"], - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - 
"paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false + "panelIndex": "ba9d680d-7753-42c8-8b16-c097ecff527c", + "title": "All Corelight data for this unique entity [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] } - ] }, - "layerId": "26a83693-9fca-4ff5-bf8c-44d42d1f13b9", - "layerType": "data", - "position": "top", - "seriesType": "bar_horizontal", - "showGridlines": false, - "xAccessor": "a1a09e30-c313-4495-9d78-d25ebc8e57a8" - } - ], - "legend": { - "isVisible": true, - "position": "right", - "shouldTruncate": false, - "showSingleSeries": true + "rowsPerPage": 50 }, - "preferredSeriesType": "bar_horizontal", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} + "gridData": { + "h": 21, + "i": "7e49020c-ad4b-4403-9e43-3da48bddfc73", + "w": 48, + "x": 0, + "y": 32 + }, + "panelIndex": "7e49020c-ad4b-4403-9e43-3da48bddfc73", + "panelRefName": "panel_7e49020c-ad4b-4403-9e43-3da48bddfc73", + "title": "Log Data [Logs Corelight]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Corelight] Log Hunting", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T09:23:29.316Z", + "id": "corelight-ff07e65c-2703-4cbe-a45f-3881025352a3", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "corelight-92c0bf7d-5abe-46a1-800d-281386e4b219", + "name": "7e49020c-ad4b-4403-9e43-3da48bddfc73:panel_7e49020c-ad4b-4403-9e43-3da48bddfc73", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"47ad5a2f-fb57-4348-9666-4061ea2ef49b:indexpattern-datasource-layer-926c4539-754a-4608-84f1-327fd0fefd96", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba9d680d-7753-42c8-8b16-c097ecff527c:indexpattern-datasource-layer-26a83693-9fca-4ff5-bf8c-44d42d1f13b9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_88a5a7d1-e872-4f20-906c-dd565b44fbde:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_1a827133-990a-4211-beb7-24bf597620d5:optionsListDataView", + "type": "index-pattern" }, - "gridData": { - "h": 18, - "i": "ba9d680d-7753-42c8-8b16-c097ecff527c", - "w": 36, - "x": 12, - "y": 14 + { + "id": "logs-*", + "name": "controlGroup_b688861e-b689-4ed9-88ee-228b6fd40895:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "ba9d680d-7753-42c8-8b16-c097ecff527c", - "title": "All Corelight data for this unique entity [Logs Corelight]", - "type": "lens" - }, - { - "embeddableConfig": { - "description": "", - "enhancements": {}, - "rowsPerPage": 50 + { + "id": "logs-*", + "name": "controlGroup_f3ad773e-b9af-40a2-b5f9-1f0bae0f66c7:optionsListDataView", + "type": "index-pattern" }, - "gridData": { - "h": 21, - "i": "7e49020c-ad4b-4403-9e43-3da48bddfc73", - "w": 48, - "x": 0, - "y": 32 + { + "id": "logs-*", + "name": "controlGroup_4afae7f6-00f9-45f1-89b0-1e2bdaf0dab2:optionsListDataView", + "type": "index-pattern" }, - "panelIndex": "7e49020c-ad4b-4403-9e43-3da48bddfc73", - "panelRefName": "panel_7e49020c-ad4b-4403-9e43-3da48bddfc73", - "title": "Log Data [Logs Corelight]", - "type": "search" - } + { + "id": "logs-*", + "name": "controlGroup_322b1482-8b1c-4ef0-ab99-07fc602522a0:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" 
+ } ], - "timeRestore": false, - "title": "[Logs Corelight] Log Hunting", - "version": 2 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T07:34:27.533Z", - "id": "corelight-ff07e65c-2703-4cbe-a45f-3881025352a3", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "47ad5a2f-fb57-4348-9666-4061ea2ef49b:indexpattern-datasource-layer-926c4539-754a-4608-84f1-327fd0fefd96", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "ba9d680d-7753-42c8-8b16-c097ecff527c:indexpattern-datasource-layer-26a83693-9fca-4ff5-bf8c-44d42d1f13b9", - "type": "index-pattern" - }, - { - "id": "corelight-92c0bf7d-5abe-46a1-800d-281386e4b219", - "name": "7e49020c-ad4b-4403-9e43-3da48bddfc73:panel_7e49020c-ad4b-4403-9e43-3da48bddfc73", - "type": "search" - }, - { - "id": "logs-*", - "name": "controlGroup_88a5a7d1-e872-4f20-906c-dd565b44fbde:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_1a827133-990a-4211-beb7-24bf597620d5:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_b688861e-b689-4ed9-88ee-228b6fd40895:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_f3ad773e-b9af-40a2-b5f9-1f0bae0f66c7:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_4afae7f6-00f9-45f1-89b0-1e2bdaf0dab2:optionsListDataView", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "controlGroup_322b1482-8b1c-4ef0-ab99-07fc602522a0:optionsListDataView", - "type": "index-pattern" - } - ], - "type": "dashboard", - "typeMigrationVersion": "10.2.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} + "type": 
"dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/search/corelight-039807c4-9ec2-4778-b548-0e08877fb8d2.json b/packages/corelight/kibana/search/corelight-039807c4-9ec2-4778-b548-0e08877fb8d2.json index b854597d4ba..c149842c946 100644 --- a/packages/corelight/kibana/search/corelight-039807c4-9ec2-4778-b548-0e08877fb8d2.json +++ b/packages/corelight/kibana/search/corelight-039807c4-9ec2-4778-b548-0e08877fb8d2.json @@ -25,9 +25,8 @@ "title": "RDP Connection Detail [Logs Corelight]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T09:50:50.469Z", + "created_at": "2026-01-06T06:29:57.059Z", "id": "corelight-039807c4-9ec2-4778-b548-0e08877fb8d2", - "managed": true, "references": [ { "id": "logs-*", diff --git a/packages/corelight/kibana/search/corelight-25c4969f-1368-433e-905d-fda0ae7e4923.json b/packages/corelight/kibana/search/corelight-25c4969f-1368-433e-905d-fda0ae7e4923.json index 8fc966c8fa8..7469bd1818b 100644 --- a/packages/corelight/kibana/search/corelight-25c4969f-1368-433e-905d-fda0ae7e4923.json +++ b/packages/corelight/kibana/search/corelight-25c4969f-1368-433e-905d-fda0ae7e4923.json @@ -26,10 +26,8 @@ "title": "Log Details [Logs Corelight]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T09:18:34.153Z", - "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "created_at": "2026-01-06T06:29:57.059Z", "id": "corelight-25c4969f-1368-433e-905d-fda0ae7e4923", - "managed": false, "references": [ { "id": "logs-*", @@ -38,6 +36,5 @@ } ], "type": "search", - "typeMigrationVersion": "10.5.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file 
diff --git a/packages/corelight/kibana/search/corelight-34498312-f418-4e47-9931-bc5fc46c0bff.json b/packages/corelight/kibana/search/corelight-34498312-f418-4e47-9931-bc5fc46c0bff.json index 055e713fca9..bc5e964f51f 100644 --- a/packages/corelight/kibana/search/corelight-34498312-f418-4e47-9931-bc5fc46c0bff.json +++ b/packages/corelight/kibana/search/corelight-34498312-f418-4e47-9931-bc5fc46c0bff.json @@ -25,10 +25,8 @@ "title": "Software Details [Logs Corelight]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-30T10:00:22.834Z", - "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "created_at": "2026-01-06T06:29:57.059Z", "id": "corelight-34498312-f418-4e47-9931-bc5fc46c0bff", - "managed": false, "references": [ { "id": "logs-*", @@ -37,6 +35,5 @@ } ], "type": "search", - "typeMigrationVersion": "10.5.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/corelight/kibana/search/corelight-845d2914-3a55-4057-9dca-a3fd4e226d54.json b/packages/corelight/kibana/search/corelight-845d2914-3a55-4057-9dca-a3fd4e226d54.json index b70b272e984..16b3ffb5e7a 100644 --- a/packages/corelight/kibana/search/corelight-845d2914-3a55-4057-9dca-a3fd4e226d54.json +++ b/packages/corelight/kibana/search/corelight-845d2914-3a55-4057-9dca-a3fd4e226d54.json 
@@ -1,163 +1,165 @@ { - "attributes": { - "columns": [], - "description": "intel", - "grid": {}, - "hideChart": false, - "isTextBasedQuery": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "source.ip", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "source.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "source.ip" - } + "attributes": { + "columns": [], + "description": "intel", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "source.ip", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "source.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "source.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.ip", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "destination.ip", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.ip" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "destination.port", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "destination.port" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator", + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "intel.seen.indicator", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "intel.seen.indicator_type", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "key": "intel.seen.indicator_type", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "intel.seen.indicator_type" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.ip", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "destination.ip", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "destination.ip" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "destination.port", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "destination.port", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "destination.port" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "intel.seen.indicator", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "key": "intel.seen.indicator", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "intel.seen.indicator" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": 
"intel.seen.indicator_type", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "key": "intel.seen.indicator_type", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "intel.seen.indicator_type" - } - } - } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "sort": [["@timestamp", "desc"]], - "timeRestore": false, - "title": "Log Data [Logs Corelight]" - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-28T07:09:37.866Z", - "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", - "id": "corelight-845d2914-3a55-4057-9dca-a3fd4e226d54", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" + "timeRestore": false, + "title": "Log Data [Logs Corelight]" }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "type": "index-pattern" - } - ], - "type": "search", - "typeMigrationVersion": "10.5.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} + "coreMigrationVersion": "8.8.0", + "created_at": "2026-01-06T06:29:57.059Z", + "id": "corelight-845d2914-3a55-4057-9dca-a3fd4e226d54", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/search/corelight-92c0bf7d-5abe-46a1-800d-281386e4b219.json b/packages/corelight/kibana/search/corelight-92c0bf7d-5abe-46a1-800d-281386e4b219.json index 1b5bbd43b1a..68c350777b2 100644 --- a/packages/corelight/kibana/search/corelight-92c0bf7d-5abe-46a1-800d-281386e4b219.json +++ b/packages/corelight/kibana/search/corelight-92c0bf7d-5abe-46a1-800d-281386e4b219.json @@ -25,10 +25,8 @@ "title": "Log Data [Logs Corelight]" }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-01-29T15:31:55.889Z", - "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "created_at": "2026-01-06T06:29:57.059Z", "id": "corelight-92c0bf7d-5abe-46a1-800d-281386e4b219", - "managed": false, "references": [ { "id": "logs-*", @@ -37,6 +35,5 @@ } ], "type": "search", - "typeMigrationVersion": "10.5.0", - "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/corelight/kibana/search/corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef.json b/packages/corelight/kibana/search/corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef.json index dfb9678ae5b..247ee7e3b57 100644 
--- a/packages/corelight/kibana/search/corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef.json
+++ b/packages/corelight/kibana/search/corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef.json
@@ -25,10 +25,8 @@
 "title": "VPN Inference Log Data [Logs Corelight]"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-01-24T12:07:43.896Z",
- "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "created_at": "2026-01-06T06:29:57.059Z",
 "id": "corelight-9eee7e02-dea8-4e4b-9dc1-9d1df9785aef",
- "managed": false,
 "references": [
 {
 "id": "logs-*",
@@ -37,6 +35,5 @@
 }
 ],
 "type": "search",
- "typeMigrationVersion": "10.5.0",
- "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+ "typeMigrationVersion": "10.5.0"
 }
\ No newline at end of file
diff --git a/packages/corelight/kibana/search/corelight-a44be701-0e99-4b53-9073-b7720df40481.json b/packages/corelight/kibana/search/corelight-a44be701-0e99-4b53-9073-b7720df40481.json
index b00593c9de3..c3133376a75 100644
--- a/packages/corelight/kibana/search/corelight-a44be701-0e99-4b53-9073-b7720df40481.json
+++ b/packages/corelight/kibana/search/corelight-a44be701-0e99-4b53-9073-b7720df40481.json
@@ -1,37 +1,39 @@
 {
- "attributes": {
- "columns": [],
- "description": "SSH Inference Log Data",
- "grid": {},
- "hideChart": false,
- "isTextBasedQuery": false,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
+ "attributes": {
+ "columns": [],
+ "description": "SSH Inference Log Data",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Log Data [Logs Corelight]"
 },
- "sort": [["@timestamp", "desc"]],
- "timeRestore": false,
- "title": "Log Data [Logs Corelight]"
- },
- "coreMigrationVersion": "8.8.0",
- "created_at": "2025-01-28T08:39:38.494Z",
- "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
- "id": "corelight-a44be701-0e99-4b53-9073-b7720df40481",
- "managed": false,
- "references": [
- {
- "id": "logs-*",
- "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
- "type": "index-pattern"
- }
- ],
- "type": "search",
- "typeMigrationVersion": "10.5.0",
- "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
-}
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2026-01-06T06:29:57.059Z",
+ "id": "corelight-a44be701-0e99-4b53-9073-b7720df40481",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0"
+}
\ No newline at end of file
diff --git a/packages/corelight/kibana/search/corelight-e0f9718e-23ec-4c36-8040-d687fc177db4.json b/packages/corelight/kibana/search/corelight-e0f9718e-23ec-4c36-8040-d687fc177db4.json
index 89d9df21a5a..d265ddf0ac3 100644
--- a/packages/corelight/kibana/search/corelight-e0f9718e-23ec-4c36-8040-d687fc177db4.json
+++ b/packages/corelight/kibana/search/corelight-e0f9718e-23ec-4c36-8040-d687fc177db4.json
@@ -25,10 +25,8 @@
 "title": "Log Data [Logs Corelight]"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-01-30T09:38:28.699Z",
- "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "created_at": "2026-01-06T06:29:57.059Z",
 "id": "corelight-e0f9718e-23ec-4c36-8040-d687fc177db4",
- "managed": false,
 "references": [
 {
 "id": "logs-*",
@@ -37,6 +35,5 @@
 }
 ],
 "type": "search",
- "typeMigrationVersion": "10.5.0",
- "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+ "typeMigrationVersion": "10.5.0"
 }
\ No newline at end of file
diff --git a/packages/corelight/manifest.yml b/packages/corelight/manifest.yml
index 5d33cd4a197..7dab5d0ea88 100644
--- a/packages/corelight/manifest.yml
+++ b/packages/corelight/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: corelight
 title: Corelight
-version: "1.0.0"
+version: "1.1.0"
 description: Collect logs from Corelight with Elastic Agent.
 type: integration
 categories:
@@ -64,6 +64,10 @@ screenshots:
 title: VPN Insights Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/aws-vpc-flow.png
+ title: AWS VPC Flow Dashboard Screenshot
+ size: 600x600
+ type: image/png
 - src: /img/connections.png
 title: Connections Dashboard Screenshot
 size: 600x600