diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 9ad7aa51598..a89a9706878 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -158,6 +158,7 @@
 /packages/cockroachdb @elastic/obs-infraobs-integrations
 /packages/containerd @elastic/obs-cloudnative-monitoring
 /packages/coredns @elastic/obs-infraobs-integrations
+/packages/corelight @elastic/security-service-integrations
 /packages/couchbase @elastic/obs-infraobs-integrations
 /packages/couchdb @elastic/obs-infraobs-integrations
 /packages/cribl @elastic/security-service-integrations
diff --git a/packages/corelight/changelog.yml b/packages/corelight/changelog.yml
new file mode 100644
index 00000000000..2cc30eaae01
--- /dev/null
+++ b/packages/corelight/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11288
diff --git a/packages/corelight/docs/README.md b/packages/corelight/docs/README.md
new file mode 100644
index 00000000000..9ec852a9199
--- /dev/null
+++ b/packages/corelight/docs/README.md
@@ -0,0 +1,36 @@
+# Corelight
+
+[Corelight](https://corelight.com/) provides network detection and response (NDR) solutions that enhance visibility, threat detection, and incident response by leveraging open-source technologies like Zeek. Its platform integrates with existing security tools to deliver high-fidelity network data, helping organizations detect and respond to threats more effectively across both on-premises and cloud environments​.
+
+This integration includes only the Corelight dashboards mentioned below:
+- Security Posture
+- Remote Activity Insights
+- Name Resolution Insights
+- Secure Channel Insights
+
+## Prerequisites:
+
+**Add ECS Mappings**: Start by adding the ECS (Elastic Common Schema) mappings from the [Corelight GitHub organization](https://github.com/corelight). You can find the required templates here: [Corelight ECS Templates](https://github.com/corelight/ecs-templates). The script within the repository installs the necessary components, including index settings, index templates, ILM policies, and ingest pipelines etc. These components will ensure that Corelight data is correctly formatted and aligned with Elastic's schema.
+
+**Send Data from Corelight to Elastic**: Once the ECS mappings are in place, configure Elasticsearch in the web interface under Sensor > Export > Export to Elastic. It will require below parameters:
+- **Server:** The HTTP or HTTPS URL (including the port).
+- **Prefix:** The Elasticsearch index, alias, and template prefix (e.g. logs-corelight-*).
+- **Username:** The Username to authenticate to Elasticsearch.
+- **Password:** The Password to authenticate to Elasticsearch.
+- **Zeek logs to exclude:** Logs that you don't want to export to Elasticsearch. If blank, sensor will export all log types.
+- **Elasticsearch log filter:** Logs to exclude using the Corelight Filtering Language.
+
+**Note**: Use the index prefix name (logs-*) instead of a custom index prefix.
+
+## Setup
+
+### Enabling the integration in Elastic:
+
+1. In Kibana navigate to Management > Integrations.
+2. In "Search for integrations" top bar, search `Corelight`.
+3. Select the "Corelight" integration from the search results.
+4. Navigate to Settings.
+5. Select the "Install Corelight assets".
+6. Navigate to Assets to get list of dashboards.
+
+> **Note:** This integration provides dashboards only. We recommend regularly checking and updating assets using the script from the Corelight repository. For any mapping or parsing issues, especially those not related to the dashboards, we recommend contacting Corelight, as they maintain those components.
diff --git a/packages/corelight/img/corelight-logo.svg b/packages/corelight/img/corelight-logo.svg
new file mode 100644
index 00000000000..a45d458b3b6
--- /dev/null
+++ b/packages/corelight/img/corelight-logo.svg
@@ -0,0 +1,15 @@
+ + + + + + + + + + + + + + +
diff --git a/packages/corelight/img/name-resolution-insights.png b/packages/corelight/img/name-resolution-insights.png
new file mode 100644
index 00000000000..ed2662db59b
Binary files /dev/null and b/packages/corelight/img/name-resolution-insights.png differ
diff --git a/packages/corelight/img/remote-activity-insights-screenshot.png b/packages/corelight/img/remote-activity-insights-screenshot.png
new file mode 100644
index 00000000000..7c761318334
Binary files /dev/null and b/packages/corelight/img/remote-activity-insights-screenshot.png differ
diff --git a/packages/corelight/img/secure-channel-insights.png b/packages/corelight/img/secure-channel-insights.png
new file mode 100644
index 00000000000..568e6aa871e
Binary files /dev/null and b/packages/corelight/img/secure-channel-insights.png differ
diff --git a/packages/corelight/img/security-posture.png b/packages/corelight/img/security-posture.png
new file mode 100644
index 00000000000..695953b8819
Binary files /dev/null and b/packages/corelight/img/security-posture.png differ
diff --git a/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json b/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json
new file mode 100644
index 00000000000..bc4696f1c3c
--- /dev/null
+++ b/packages/corelight/kibana/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963.json
@@ -0,0 +1,1897 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "b7b4bc2e-98d1-453a-a412-a37228a386b1": { + "explicitInput": { + "enhancements": {}, + "fieldName": "observer.hostname", + "grow": true, + "id": "b7b4bc2e-98d1-453a-a412-a37228a386b1", + "searchTechnique": "prefix", + "title": "Sensor", + "width": "medium" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## Encrypted Traffic Notables\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "be6ab3ce-1843-4a13-8caa-a2affb57113a", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "be6ab3ce-1843-4a13-8caa-a2affb57113a", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- 
[Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n- [**Secure Channel Insights (This Page)**](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n- [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 23, + "i": "d1c18930-83ea-43cd-a011-143ae3f1028e", + "w": 10, + "x": 0, + "y": 4 + }, + "panelIndex": "d1c18930-83ea-43cd-a011-143ae3f1028e", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.ssl-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "d0fa3d75-c6e6-41ec-bd1d-eb6239626707": { + "columns": [ + { + "columnId": "Self Signed Certs", + "fieldName": "Self Signed Certs", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status 
== \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as Destination, `values(ssl.validation_status)` as Status\r\n| keep Subject, Destination, Status\r\n| stats count()\r\n| rename `count()` as `Self Signed Certs`\r\n| keep `Self Signed Certs`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status == \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as Destination, `values(ssl.validation_status)` as Status\r\n| keep Subject, Destination, Status\r\n| stats count()\r\n| rename `count()` as `Self Signed Certs`\r\n| keep `Self Signed Certs`" + }, + "visualization": { + "layerId": "d0fa3d75-c6e6-41ec-bd1d-eb6239626707", + "layerType": "data", + "metricAccessor": "Self Signed Certs" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "8757d800-b114-456b-8d1c-2737cae7c348", + "w": 8, + "x": 10, + "y": 4 + }, + "panelIndex": "8757d800-b114-456b-8d1c-2737cae7c348", + "title": "Self Signed Certs [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": 
"This dashboard panel identifies self-signed certificates in use within internal networks, highlighting a key security concern due to their lack of third-party validation. Addressing this issue by transitioning to certificates from trusted authorities enhances network security and trustworthiness.\n\n\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "a707d9d1-d18f-4ec0-bc87-16463858a8a0", + "w": 11, + "x": 18, + "y": 4 + }, + "panelIndex": "a707d9d1-d18f-4ec0-bc87-16463858a8a0", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.ssl-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "3c6d5d2f-97d6-4797-8044-bddf4b247069": { + "columns": [ + { + "columnId": "Less Secure Ciphers", + "fieldName": "Less Secure Ciphers", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or 
tls.cipher like \"*EXPORT*\")\r\n| stats count_distinct(tls.cipher)\r\n| rename `count_distinct(tls.cipher)` as `Less Secure Ciphers`\r\n| keep `Less Secure Ciphers`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or tls.cipher like \"*EXPORT*\")\r\n| stats count_distinct(tls.cipher)\r\n| rename `count_distinct(tls.cipher)` as `Less Secure Ciphers`\r\n| keep `Less Secure Ciphers`" + }, + "visualization": { + "layerId": "3c6d5d2f-97d6-4797-8044-bddf4b247069", + "layerType": "data", + "metricAccessor": "Less Secure Ciphers" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "65cb107f-949a-4968-bf9f-fa438dca10ca", + "w": 8, + "x": 29, + "y": 4 + }, + "panelIndex": "65cb107f-949a-4968-bf9f-fa438dca10ca", + "title": "Less Secure Ciphers [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "SSL/TLS sessions utilizing weak cipher suites (eg. RC4) are easily decrypted. This traffic may indicate the presence of old and/or unpatched resources on the network. 
It could also be the result of a successful downgrade attack.\n\n\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "440164d1-a9af-4da9-a128-dda24540db06", + "w": 11, + "x": 37, + "y": 4 + }, + "panelIndex": "440164d1-a9af-4da9-a128-dda24540db06", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.ssl-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "d99d143b-808b-4f68-a2f8-7337d8bd51b6": { + "columns": [ + { + "columnId": "Subject", + "fieldName": "Subject", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Destination", + "fieldName": "Destination", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Status", + "fieldName": "Status", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status == \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), 
values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as Destination, `values(ssl.validation_status)` as Status\r\n| keep Subject, Destination, Status" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and ssl.\r\nvalidation_status == \"self signed certificate\"\r\n| stats values(destination.domain), values(ssl.validation_status), values(destination.ip) by destination.ip, destination.domain\r\n| rename `values(destination.domain)` as Subject, `values(destination.ip)` as Destination, `values(ssl.validation_status)` as Status\r\n| keep Subject, Destination, Status" + }, + "visualization": { + "columns": [ + { + "columnId": "Subject" + }, + { + "columnId": "Destination" + }, + { + "columnId": "Status" + } + ], + "layerId": "d99d143b-808b-4f68-a2f8-7337d8bd51b6", + "layerType": "data" + } + }, + "title": "Table Subject \u0026 Destination \u0026 Status", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f8937613-607b-40c2-9155-2afd6f5426a0", + "w": 19, + "x": 10, + "y": 12 + }, + "panelIndex": "f8937613-607b-40c2-9155-2afd6f5426a0", + "title": "Network Evidence for Self Signed Internal Certificates [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + 
"title": "logs-corelight.ssl-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "2ab5c5ab-83af-436d-9031-40dd1d38020f": { + "columns": [ + { + "columnId": "Cipher", + "fieldName": "Cipher", + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Unique_Conns", + "fieldName": "Unique_Conns", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or tls.cipher like \"*EXPORT*\")\r\n| stats values(destination.ip), count_distinct(event.id), count() by tls.cipher\r\n| eval mv_last(`values(destination.ip)`)\r\n| rename `mv_last(``values(destination.ip)``)` as dest_ip, `count_distinct(event.id)` as Unique_Conns , `count()` as Count, tls.cipher as Cipher\r\n| keep Cipher,dest_ip,Unique_Conns,Count\r\n| sort Unique_Conns desc, Count desc" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"tls\" and observer.hostname is not null and tls.cipher is not null and (tls.cipher like \"*RC4*\" or 
tls.cipher like \"*DES*\" or tls.cipher like \"*3DES*\" or tls.cipher like \"*MD5*\" or tls.cipher like \"*NULL*\" or tls.cipher like \"*EXPORT*\")\r\n| stats values(destination.ip), count_distinct(event.id), count() by tls.cipher\r\n| eval mv_last(`values(destination.ip)`)\r\n| rename `mv_last(``values(destination.ip)``)` as dest_ip, `count_distinct(event.id)` as Unique_Conns , `count()` as Count, tls.cipher as Cipher\r\n| keep Cipher,dest_ip,Unique_Conns,Count\r\n| sort Unique_Conns desc, Count desc" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "Unique_Conns", + "Count" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2ab5c5ab-83af-436d-9031-40dd1d38020f", + "layerType": "data", + "seriesType": "bar_stacked", + "splitAccessor": "dest_ip", + "xAccessor": "Cipher" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Unique_Conns \u0026 Count of Cipher", + "type": "lens", + "visualizationType": "lnsXY" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "99c231d5-2d4b-43a7-964c-bc9b276f281f", + "w": 19, + "x": 29, + "y": 12 + }, + "panelIndex": "99c231d5-2d4b-43a7-964c-bc9b276f281f", + "title": "Less Secure Ciphers seen in the period [Logs Corelight]", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "9d4c0103-d7bd-43c1-8328-b609e20b0098": { + "columns": [ + { + "columnId": "Automated SSH Session Indicators", + "fieldName": "Automated SSH Session Indicators", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. 
Before it, publickey or password authentication attempts could have occurred.\",\r\n inferences == \"KS\", \"Interactive session\",\r\n inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Automated SSH Session Indicators`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. 
Before it, publickey or password authentication attempts could have occurred.\",\r\n inferences == \"KS\", \"Interactive session\",\r\n inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Automated SSH Session Indicators`" + }, + "visualization": { + "layerId": "9d4c0103-d7bd-43c1-8328-b609e20b0098", + "layerType": "data", + "metricAccessor": "Automated SSH Session Indicators" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "8c30168d-8cae-44f0-a22d-fb606365a807", + "w": 10, + "x": 0, + "y": 27 + }, + "panelIndex": "8c30168d-8cae-44f0-a22d-fb606365a807", + "title": "Automated SSH Session Indicators [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Tracks automated SSH sessions to enhance security and operational efficiency, highlighting potential risks and compliance issues. It identifies anomalies and unauthorized activities, ensuring that automation tools are used securely and efficiently. 
This tool is crucial for SOC analysts to monitor for security breaches and optimize system management.\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "bfacac80-d825-40b6-8f49-a20da953b435", + "w": 14, + "x": 10, + "y": 27 + }, + "panelIndex": "bfacac80-d825-40b6-8f49-a20da953b435", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "0ca7554e-9a61-4b4e-bf0c-81796e9660d3": { + "columns": [ + { + "columnId": "Interactive Sessions and Keystrokes", + "fieldName": "Interactive Sessions and Keystrokes", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, 
destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Interactive Sessions and Keystrokes`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Interactive Sessions and Keystrokes`" + }, + "visualization": { + "layerId": "0ca7554e-9a61-4b4e-bf0c-81796e9660d3", + "layerType": "data", + "metricAccessor": "Interactive Sessions and Keystrokes" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "564e0a7a-25ae-417a-9103-d8e42ac71b83", + "w": 10, + "x": 24, + "y": 27 + }, + "panelIndex": "564e0a7a-25ae-417a-9103-d8e42ac71b83", + "title": "Interactive Sessions and Keystrokes [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + 
"query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Highlight interactive sessions (KS) and automated interactions (AUTO) to understand the nature of SSH traffic — manual vs. automated.\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "d005eb33-ff70-4e46-845d-3aca53d2dba9", + "w": 14, + "x": 34, + "y": 27 + }, + "panelIndex": "d005eb33-ff70-4e46-845d-3aca53d2dba9", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "66a2b798-b4b3-4fd5-8a37-e7add25f12f6": { + "columns": [ + { + "columnId": "uid", + "fieldName": "uid", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "src_ip", + "fieldName": "src_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": 
"long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.\",\r\n inferences == \"KS\", \"Interactive session\",\r\n inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inferences, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inferences,Count,Description" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"PKA\", \"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. 
Before it, publickey or password authentication attempts could have occurred.\",\r\n inferences == \"KS\", \"Interactive session\",\r\n inferences == \"AUTO\", \"The client was a script or automated utility and not driven by a user\",\r\n inferences == \"CTS\", \"The client likely already had an entry in its known_hosts file for this server\"\r\n)\r\n| where Description is not null\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inferences, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inferences,Count,Description" + }, + "visualization": { + "columns": [ + { + "columnId": "uid" + }, + { + "columnId": "src_ip" + }, + { + "columnId": "dest_ip" + }, + { + "columnId": "Inferences" + }, + { + "columnId": "Count" + } + ], + "layerId": "66a2b798-b4b3-4fd5-8a37-e7add25f12f6", + "layerType": "data" + } + }, + "title": "Table uid \u0026 src_ip \u0026 dest_ip \u0026 Inferences \u0026 Count", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4d0c64ce-bfda-47a4-b1fc-107c5e518ea9", + "w": 24, + "x": 0, + "y": 35 + }, + "panelIndex": "4d0c64ce-bfda-47a4-b1fc-107c5e518ea9", + "title": "SSH Session Inferences [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": 
"@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "bfcbfadc-677b-4344-adc9-2bed3af7a028": { + "columns": [ + { + "columnId": "uid", + "fieldName": "uid", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "src_ip", + "fieldName": "src_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inference", + "fieldName": "Inference", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Description", + "fieldName": "Description", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference, Description,Count" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval 
Description =case(\r\n inferences == \"AUTO\", \"The client is a script automated utility and not driven by a user\",\r\n inferences == \"KS\", \"Interactive session\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference, Description,Count" + }, + "visualization": { + "columns": [ + { + "columnId": "uid" + }, + { + "columnId": "src_ip" + }, + { + "columnId": "dest_ip" + }, + { + "columnId": "Inference" + }, + { + "columnId": "Description" + } + ], + "layerId": "bfcbfadc-677b-4344-adc9-2bed3af7a028", + "layerType": "data" + } + }, + "title": "Table uid \u0026 src_ip \u0026 dest_ip \u0026 Inference \u0026 Description", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c9584765-ec26-4349-ac56-2334644105f0", + "w": 24, + "x": 24, + "y": 35 + }, + "panelIndex": "c9584765-ec26-4349-ac56-2334644105f0", + "title": "Network Evidence for Interactive Sessions and Keystrokes - SSH Inferences [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": 
"logs-corelight.various-*" + } + ], + "layers": { + "4dd547db-fdb7-4312-b843-601055369c0b": { + "columns": [ + { + "columnId": "Possible File Uploaded", + "fieldName": "Possible File Uploaded", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"SFD\", \"This indicates a small file download.\",\r\n inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n inferences == \"SFU\", \"This indicates a small file upload.\",\r\n inferences == \"LFU\", \"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Possible File Uploaded`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"SFD\", \"This indicates a small file download.\",\r\n inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n inferences == \"SFU\", \"This indicates a small file upload.\",\r\n inferences == \"LFU\", 
\"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference, Description,count\r\n| stats count()\r\n| rename `count()` as `Possible File Uploaded`" + }, + "visualization": { + "layerId": "4dd547db-fdb7-4312-b843-601055369c0b", + "layerType": "data", + "metricAccessor": "Possible File Uploaded" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "e04c757d-27e9-4252-b2f8-3c887eaa3a12", + "w": 10, + "x": 0, + "y": 50 + }, + "panelIndex": "e04c757d-27e9-4252-b2f8-3c887eaa3a12", + "title": "Possible File Uploaded [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "This use case tracks SSH file transfer activity (inferences SFD, LFD, SFU, LFU). It uncovers potential data exfiltration by attackers or the introduction of malicious files. 
Focus on file names, sizes, unusual source IPs, and sensitive destination systems.\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "985e815c-8bb0-4aa1-8b30-de0c8749a4b7", + "w": 14, + "x": 10, + "y": 50 + }, + "panelIndex": "985e815c-8bb0-4aa1-8b30-de0c8749a4b7", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "8631d8c7-ce0c-4d1a-8b74-06ec92051357": { + "columns": [ + { + "columnId": "Potential Security Risks", + "fieldName": "Potential Security Risks", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,inferences\r\n| stats count()\r\n| rename `count()` as `Potential Security Risks`\r\n| keep `Potential Security Risks`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| 
limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,inferences\r\n| stats count()\r\n| rename `count()` as `Potential Security Risks`\r\n| keep `Potential Security Risks`" + }, + "visualization": { + "layerId": "8631d8c7-ce0c-4d1a-8b74-06ec92051357", + "layerType": "data", + "metricAccessor": "Potential Security Risks" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "8cd93e89-3415-48b0-b4b6-78f955ab6495", + "w": 10, + "x": 24, + "y": 50 + }, + "panelIndex": "8cd93e89-3415-48b0-b4b6-78f955ab6495", + "title": "Potential Security Risks [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Monitors for signs of scanning (SC, SP, SV, SA), banner messages (BAN), and agent forwarding (AFR) for compliance and security risk identification.\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "726d6dbb-f327-4110-b7ae-8b78c2c10c38", + "w": 14, + "x": 34, + "y": 50 + }, + "panelIndex": "726d6dbb-f327-4110-b7ae-8b78c2c10c38", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": 
"b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "d9ee20a0-33ea-4764-9b5d-ab96f96f5631": { + "columns": [ + { + "columnId": "uid", + "fieldName": "uid", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "src_ip", + "fieldName": "src_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inference", + "fieldName": "Inference", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Description", + "fieldName": "Description", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"SFD\", \"This indicates a small file download.\",\r\n inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n inferences == \"SFU\", \"This indicates a small file upload.\",\r\n inferences == \"LFU\", \"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where 
Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference, Description,Count" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"SFD\", \"This indicates a small file download.\",\r\n inferences == \"LFD\", \"This indicates a non interactive session where a file was possibly downloaded.\",\r\n inferences == \"SFU\", \"This indicates a small file upload.\",\r\n inferences == \"LFU\", \"This indicates a non interactive session where a file was possibly uploaded.\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences , Description\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference, Description,Count" + }, + "visualization": { + "columns": [ + { + "columnId": "uid" + }, + { + "columnId": "src_ip" + }, + { + "columnId": "dest_ip" + }, + { + "columnId": "Inference" + }, + { + "columnId": "Description" + } + ], + "layerId": "d9ee20a0-33ea-4764-9b5d-ab96f96f5631", + "layerType": "data" + } + }, + "title": "Table uid \u0026 src_ip \u0026 dest_ip \u0026 Inference \u0026 Description", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "dce1fa2b-fb4d-4922-b8b8-9ad9e93afd09", + "w": 24, + "x": 0, + "y": 58 + }, + "panelIndex": "dce1fa2b-fb4d-4922-b8b8-9ad9e93afd09", + 
"title": "Possible File Transfer [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "f34fbda2-85fd-48bb-b8d4-25cfe122e3e7": { + "columns": [ + { + "columnId": "uid", + "fieldName": "uid", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "src_ip", + "fieldName": "src_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,inferences\r\n| rename event.id 
as uid, source.ip as src_ip, destination.ip as dest_ip,`count()` as Count, inferences as Inferences\r\n| keep uid, src_ip,dest_ip,Count,Inferences" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null and inferences in ( \"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\" )\r\n| stats count() by event.id,source.ip,destination.ip,inferences\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip,`count()` as Count, inferences as Inferences\r\n| keep uid, src_ip,dest_ip,Count,Inferences" + }, + "visualization": { + "columns": [ + { + "columnId": "uid" + }, + { + "columnId": "src_ip" + }, + { + "columnId": "dest_ip" + }, + { + "columnId": "Count" + }, + { + "columnId": "Inferences" + } + ], + "layerId": "f34fbda2-85fd-48bb-b8d4-25cfe122e3e7", + "layerType": "data" + } + }, + "title": "Table uid \u0026 src_ip \u0026 dest_ip \u0026 Count \u0026 Inferences", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "6b380f80-d573-49ce-951b-121efac754a0", + "w": 24, + "x": 24, + "y": 58 + }, + "panelIndex": "6b380f80-d573-49ce-951b-121efac754a0", + "title": "SSH Inferences for Potential Security Risks [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + 
"datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "d5db6488-1189-4f11-9126-eec66fb075b5": { + "columns": [ + { + "columnId": "Advanced Threat Indicators", + "fieldName": "Advanced Threat Indicators", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. 
From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Advanced Threat Indicators`\r\n| keep `Advanced Threat Indicators`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences \r\n| eval Description =case(\r\n inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. 
From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as inference, `count()` as count\r\n| keep uid , src_ip, dest_ip, inference,count\r\n| stats count()\r\n| rename `count()` as `Advanced Threat Indicators`\r\n| keep `Advanced Threat Indicators`" + }, + "visualization": { + "layerId": "d5db6488-1189-4f11-9126-eec66fb075b5", + "layerType": "data", + "metricAccessor": "Advanced Threat Indicators" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "8c39dd0f-4379-4825-a794-6c28983302a8", + "w": 10, + "x": 0, + "y": 73 + }, + "panelIndex": "8c39dd0f-4379-4825-a794-6c28983302a8", + "title": "Advanced Threat Indicators [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Helps to identify potential advanced threat indicators such as Client Authentication Bypass (ABP) and Reverse SSH tunneling activities (RSP, RSI, RSIA, RSL, RSK) for in-depth investigation.\n\n\n\n\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", 
+ "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "8c5339cd-4ba2-4f10-ab14-38bb533f35d6", + "w": 14, + "x": 10, + "y": 73 + }, + "panelIndex": "8c5339cd-4ba2-4f10-ab14-38bb533f35d6", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "9165c358-1dc3-4a01-ba83-2421c6ac0244": { + "columns": [ + { + "columnId": "uid", + "fieldName": "uid", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "src_ip", + "fieldName": "src_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "dest_ip", + "fieldName": "dest_ip", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inference", + "fieldName": "Inference", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats 
count() by event.id, source.ip, destination.ip, inferences\r\n| eval Description =case(\r\n inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference,Count, Description" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"ssh\" and observer.hostname is not null\r\n| stats count() by event.id, source.ip, destination.ip, inferences\r\n| eval Description =case(\r\n inferences == \"ABP\", \"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\r\n inferences == \"RSP\", \"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. 
ssh -R 31337:localhost:22 user@192.168.20.33\",\r\n inferences == \"RSI\", \"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\r\n inferences == \"RSIA\", \"The inititation of the Reverse session happened very early in the packet stream, indicating automation\",\r\n inferences == \"RSL\", \"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\r\n inferences == \"RSK\", \"Keystrokes are detected within the Reverse tunnel\"\r\n)\r\n| where Description is not null\r\n| rename event.id as uid, source.ip as src_ip, destination.ip as dest_ip, inferences as Inference, `count()` as Count\r\n| keep uid , src_ip, dest_ip, Inference,Count, Description" + }, + "visualization": { + "columns": [ + { + "columnId": "uid" + }, + { + "columnId": "src_ip" + }, + { + "columnId": "dest_ip" + }, + { + "columnId": "Inference" + }, + { + "columnId": "Count" + } + ], + "layerId": "9165c358-1dc3-4a01-ba83-2421c6ac0244", + "layerType": "data" + } + }, + "title": "Table uid \u0026 src_ip \u0026 dest_ip \u0026 Inference \u0026 Count", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3512af68-12fa-4aa3-8721-1af3dfcf1052", + "w": 24, + "x": 0, + "y": 81 + }, + "panelIndex": "3512af68-12fa-4aa3-8721-1af3dfcf1052", + "title": "SSH Advanced Threats Inferences [Logs Corelight]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Corelight] Secure Channel Insights", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-02T13:54:02.174Z", + "id": "corelight-45197477-c13f-4e52-a5dd-fb4f53564963", + 
"managed": false, + "references": [ + { + "id": "logs-*", + "name": "controlGroup_b7b4bc2e-98d1-453a-a412-a37228a386b1:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json b/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json new file mode 100644 index 00000000000..d9dd847affc --- /dev/null +++ b/packages/corelight/kibana/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b.json 
@@ -0,0 +1,4666 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "42578746-ab6b-48bc-b4b7-4453f4bbf187": { + "explicitInput": { + "enhancements": {}, + "fieldName": "observer.hostname", + "grow": false, + "id": "42578746-ab6b-48bc-b4b7-4453f4bbf187", + "searchTechnique": "prefix", + "title": "Sensor", + "width": "small" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [**Security Posture (This Page)**](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n- [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n- [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 29, + "i": "717d6a38-d6c4-4540-a8f9-7f8d419f69b8", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": 
"717d6a38-d6c4-4540-a8f9-7f8d419f69b8", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## Encrypted Traffic Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "48ea15bc-c977-4654-a5bd-7c030ab9530c", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "48ea15bc-c977-4654-a5bd-7c030ab9530c", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "name": "logs-corelight.ssl-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.ssl-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "timeField": "@timestamp", + "title": "logs-corelight.ssl-*" + } + ], + "layers": { + "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1": { + "columns": [ + { + "columnId": "Self Signed Certs", + "fieldName": "Self Signed Certs", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "22ef31a921118149e9248d9055373ee05aa0a1357176fab08d84de81b8045865", + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not 
null\r\n| stats count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.ssl-*\r\n| limit 10000\r\n| where event.dataset == \"tls\" and observer.vendor == \"Corelight\" and ssl.validation_status == \"self signed certificate\" and observer.hostname is not null\r\n| stats count_distinct(destination.domain)\r\n| rename `count_distinct(destination.domain)` as `Self Signed Certs`" + }, + "visualization": { + "layerId": "ea0c7073-f69f-4603-b8e5-11d31aa5ddd1", + "layerType": "data", + "metricAccessor": "Self Signed Certs" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", + "w": 12, + "x": 12, + "y": 4 + }, + "panelIndex": "149ee3b3-379e-4bd3-a06a-0f9f9c5ca0da", + "title": "Self Signed Certs [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5918839a-d5a1-4a87-8971-05283f0052f3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "17987725-38cf-441b-80f5-bfac6ffdd8f9": { + "columnOrder": [ + "80271d84-9144-4479-9551-98012acc1398", + "bf80f01f-4adb-4f7a-a134-60a1c912d002" + ], + "columns": { + "80271d84-9144-4479-9551-98012acc1398": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": 
false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "bf80f01f-4adb-4f7a-a134-60a1c912d002": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Certs w/ Low Keys", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "file.hash.sha256" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "bc293d4e-883c-49c6-b57d-21b1018e67d9" + ], + "sampling": 1 + }, + "bc293d4e-883c-49c6-b57d-21b1018e67d9": { + "columnOrder": [ + "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa" + ], + "columns": { + "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Certs w/ Low Keys", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "file.hash.sha256" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5918839a-d5a1-4a87-8971-05283f0052f3", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "x509" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "x509" + } + } + 
}, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "file.x509.public_key_size", + "index": "logs-*", + "key": "file.x509.public_key_size", + "negate": false, + "params": { + "lt": "2048" + }, + "type": "range", + "value": { + "lt": "2048" + } + }, + "query": { + "range": { + "file.x509.public_key_size": { + "lt": "2048" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "bc293d4e-883c-49c6-b57d-21b1018e67d9", + "layerType": "data", + "metricAccessor": "a9e1df93-0853-41f0-ae45-4bcc39f6ecfa", + "showBar": false, + "trendlineLayerId": "17987725-38cf-441b-80f5-bfac6ffdd8f9", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "bf80f01f-4adb-4f7a-a134-60a1c912d002", + "trendlineTimeAccessor": "80271d84-9144-4479-9551-98012acc1398" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "9ac116d2-1c6e-409f-8634-c296d2589f92", + "w": 12, + "x": 24, + "y": 4 + }, + "panelIndex": "9ac116d2-1c6e-409f-8634-c296d2589f92", + "title": "Certs w/ Low Keys [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + 
"name": "logs-corelight.x509-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.x509-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + "timeField": "@timestamp", + "title": "logs-corelight.x509-*" + } + ], + "layers": { + "aa51a893-8b6e-4fce-a459-06190e23a89e": { + "columns": [ + { + "columnId": "Expiring Certs.", + "fieldName": "Expiring Certs.", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "ba08d09cb79fc874d36e9c251592331da6c500f2b1da51995f9aea1cd7335c25", + "query": { + "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.x509-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"x509\" and observer.hostname is not null and file.x509.not_after is not null\r\n| eval not_valid_after = to_datetime(file.x509.not_after),current_time = to_datetime(now())\r\n| eval days_to_expire = date_diff(\"day\", not_valid_after,current_time)\r\n| where days_to_expire \u003e 0 and days_to_expire \u003c= 15\r\n| stats count_distinct(file.hash.sha256)\r\n| rename `count_distinct(file.hash.sha256)` as `Expiring Certs.`\r\n| keep `Expiring Certs.`" + }, + "visualization": { + "layerId": 
"aa51a893-8b6e-4fce-a459-06190e23a89e", + "layerType": "data", + "metricAccessor": "Expiring Certs." + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "955936a0-8d1d-49b7-a91b-3af34349a60a", + "w": 12, + "x": 36, + "y": 4 + }, + "panelIndex": "955936a0-8d1d-49b7-a91b-3af34349a60a", + "title": "Expiring Certs. [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { + "columnOrder": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80", + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "columns": { + "4b080a83-e997-4ece-a465-20c01c790d63": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d922e855-cbcb-40ed-9330-9e478a1dcd80": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "TLS Versions", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"tls.version\" : \"TLSv13\" " + }, + "label": "Most Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" + }, + "label": "Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : unknown-64282" + }, + "label": "Unknown" + }, + { + "input": { + "language": "kuery", + "query": "NOT (tls.version 
: \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" + }, + "label": "Old Version" + } + ] + }, + "scale": "ordinal" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "ba8ba542-f4ea-432b-b9e4-56f02cecb7d7", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "layerType": "data", 
+ "legendDisplay": "show", + "metrics": [ + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", + "w": 18, + "x": 12, + "y": 14 + }, + "panelIndex": "2eab540d-c7cd-4a10-b705-98cf81bff3f6", + "title": "TLS Versions [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d": { + "columnOrder": [ + "d922e855-cbcb-40ed-9330-9e478a1dcd80", + "4b080a83-e997-4ece-a465-20c01c790d63" + ], + "columns": { + "4b080a83-e997-4ece-a465-20c01c790d63": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d922e855-cbcb-40ed-9330-9e478a1dcd80": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "TLS Versions", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "\"tls.version\" : \"TLSv13\" " + }, + "label": "Most Secure" + }, + { + "input": { + "language": "kuery", + "query": "tls.version : \"TLSv12\" or tls.version : \"DTLSv12\"" + }, + "label": "Secure" + }, + { + "input": { + "language": "kuery", + "query": 
"tls.version : \"unknown-64282\"" + }, + "label": "Unknown" + }, + { + "input": { + "language": "kuery", + "query": "NOT (tls.version : \"TLSv12\" and tls.version : \"DTLSv12\" and \"tls.version\" : \"TLSv12\" and tls.version : unknown-64282)" + }, + "label": "Old Version" + } + ] + }, + "scale": "ordinal" + } + }, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + 
"4b080a83-e997-4ece-a465-20c01c790d63" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "d922e855-cbcb-40ed-9330-9e478a1dcd80" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", + "w": 18, + "x": 30, + "y": 14 + }, + "panelIndex": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4", + "title": "Internal TLS Version Profile [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5ec12ef5-06e7-451b-b5af-4320d1a9a19b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3a8fc291-604b-469a-b1f0-04af963f3bdb": { + "columnOrder": [ + "7b489b22-614b-47a5-aa30-3386198a88cb", + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4" + ], + "columns": { + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Encrypted Traffic", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + 
"7b489b22-614b-47a5-aa30-3386198a88cb": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "5ec12ef5-06e7-451b-b5af-4320d1a9a19b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "tls" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "tls" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + 
"accessors": [ + "14c6d6bb-79e4-4f06-ba48-5d369e446cd4" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3a8fc291-604b-469a-b1f0-04af963f3bdb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "7b489b22-614b-47a5-aa30-3386198a88cb" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "96ea21c5-b69c-422b-a146-5e603cb86fc4", + "w": 48, + "x": 0, + "y": 29 + }, + "panelIndex": "96ea21c5-b69c-422b-a146-5e603cb86fc4", + "title": "Encrypted Traffic Over Time [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## Unencrypted Traffic Hygiene - Indicators", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "a628c097-bb3c-4293-a2fe-079733a79a77", + "w": 48, + "x": 0, + "y": 44 + }, + "panelIndex": "a628c097-bb3c-4293-a2fe-079733a79a77", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3dfb3090-5395-444a-b3c5-5ff9f4829845", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "86bf3a2f-1ace-4808-98ea-397ca4104587": { + "columnOrder": [ + "496ca09e-ad41-458f-b6e0-8fc244dfecf6", + "5b837993-b266-4681-89a2-3013546b6d46" + ], + "columns": { + "496ca09e-ad41-458f-b6e0-8fc244dfecf6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "5b837993-b266-4681-89a2-3013546b6d46": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unencrypted Connections", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87" + ], + "sampling": 1 + }, + "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87": { + "columnOrder": [ + "50aafda0-86ae-42c4-92eb-7172304d9122" + ], + "columns": { + "50aafda0-86ae-42c4-92eb-7172304d9122": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unencrypted Connections", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"index": "3dfb3090-5395-444a-b3c5-5ff9f4829845", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "etc_viz" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "etc_viz" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "layerType": "data", + "metricAccessor": "50aafda0-86ae-42c4-92eb-7172304d9122", + "showBar": false, + "trendlineLayerId": "86bf3a2f-1ace-4808-98ea-397ca4104587", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "5b837993-b266-4681-89a2-3013546b6d46", + "trendlineTimeAccessor": "496ca09e-ad41-458f-b6e0-8fc244dfecf6" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "32fe97ea-4e8a-48ab-a02a-b527bc130376", + "w": 16, + "x": 0, + "y": 48 + }, + "panelIndex": "32fe97ea-4e8a-48ab-a02a-b527bc130376", + "title": "Unencrypted Connections [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { 
+ "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0b079edd-048e-4c1b-9a02-e01af8675bb1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b49f0771-93f3-4c27-9748-204bc03d4f42": { + "columnOrder": [ + "0ddfbf0d-62eb-4348-af13-5eb9aaff6912", + "20356d37-2d65-48b1-9926-61c6fbc346d3" + ], + "columns": { + "0ddfbf0d-62eb-4348-af13-5eb9aaff6912": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "20356d37-2d65-48b1-9926-61c6fbc346d3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Telnet Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b" + ], + "sampling": 1 + }, + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { + "columnOrder": [ + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4" + ], + "columns": { + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Telnet Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + 
"layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "0b079edd-048e-4c1b-9a02-e01af8675bb1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "destination.port", + "index": "logs-*", + "key": "destination.port", + "negate": false, + "params": { + "query": "23" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "destination.port": "23" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", 
+ "layerType": "data", + "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", + "showBar": false, + "trendlineLayerId": "b49f0771-93f3-4c27-9748-204bc03d4f42", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "20356d37-2d65-48b1-9926-61c6fbc346d3", + "trendlineTimeAccessor": "0ddfbf0d-62eb-4348-af13-5eb9aaff6912" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "55bac572-9e7e-4580-b674-a4a7a51b4be4", + "w": 16, + "x": 16, + "y": 48 + }, + "panelIndex": "55bac572-9e7e-4580-b674-a4a7a51b4be4", + "title": "Telnet Sessions [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "3dab57e3-501b-44f3-b26e-ea81181d3096": { + "columnOrder": [ + "016a9807-af3d-4e32-ba73-d9c3679387d6", + "52486aed-4c5f-4ec0-8909-86662ea24984" + ], + "columns": { + "016a9807-af3d-4e32-ba73-d9c3679387d6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "52486aed-4c5f-4ec0-8909-86662ea24984": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "FTP Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + 
"params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b" + ], + "sampling": 1 + }, + "ba4af475-eb29-4ff6-a6dd-04d8175fb81b": { + "columnOrder": [ + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4" + ], + "columns": { + "da6fd550-ba6d-4a30-8c2d-33f46a955dc4": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "FTP Sessions", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "ftp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "ftp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": 
{} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "layerType": "data", + "metricAccessor": "da6fd550-ba6d-4a30-8c2d-33f46a955dc4", + "showBar": false, + "trendlineLayerId": "3dab57e3-501b-44f3-b26e-ea81181d3096", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "52486aed-4c5f-4ec0-8909-86662ea24984", + "trendlineTimeAccessor": "016a9807-af3d-4e32-ba73-d9c3679387d6" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "c05df282-f5e3-4635-89d9-2c3824b7c713", + "w": 16, + "x": 32, + "y": 48 + }, + "panelIndex": "c05df282-f5e3-4635-89d9-2c3824b7c713", + "title": "FTP Sessions [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a43b081c-d4f3-4e85-926b-1297b06b22e0": { + "columnOrder": [ + "e504a2f7-bb66-4e9f-81d1-548068486084", + "a11e393b-4048-43c5-9cb9-fd556d726cca", + "4d96e75b-914a-4251-a830-2336592d52ad" + ], + "columns": { + "4d96e75b-914a-4251-a830-2336592d52ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "a11e393b-4048-43c5-9cb9-fd556d726cca": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": 
false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e504a2f7-bb66-4e9f-81d1-548068486084": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4d96e75b-914a-4251-a830-2336592d52ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "1fa6c07e-8ea3-4cbf-8995-4e833a1b4704", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": [ + "conn", + "conn_long", + "conn_red" + ], + "type": "phrases", + "value": [ + "conn", + "conn_long", + "conn_red" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.dataset": "conn" + } + }, + { + "match_phrase": { + "event.dataset": "conn_long" + } + }, + { + "match_phrase": { + "event.dataset": "conn_red" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "network.protocol" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": [ + "tls", + "dns", + "ssl" + ], + "type": "phrases", + "value": [ + "tls", + "dns", + "ssl" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "network.protocol": "tls" + } + }, + { + "match_phrase": { + "network.protocol": "dns" + } + }, + { + "match_phrase": { + "network.protocol": "ssl" + } + } + ] + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "ssl,http" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "ssl,http" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": true, + "params": { + "query": "http,ssl" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "http,ssl" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4d96e75b-914a-4251-a830-2336592d52ad" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "a43b081c-d4f3-4e85-926b-1297b06b22e0", + "layerType": "data", + "position": "top", + "seriesType": "area", + "showGridlines": false, + "splitAccessor": "e504a2f7-bb66-4e9f-81d1-548068486084", + "xAccessor": "a11e393b-4048-43c5-9cb9-fd556d726cca" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "area", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "ee6608a6-a905-4e49-acd2-18a119dc633a", + "w": 48, + "x": 0, + "y": 60 + }, + "panelIndex": "ee6608a6-a905-4e49-acd2-18a119dc633a", + "title": "Top Unencrypted Protocols Used [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## DNS Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "35079c39-3ce8-47ae-8ccf-77c92e44345e", + "w": 48, + "x": 0, + "y": 76 + }, + "panelIndex": "35079c39-3ce8-47ae-8ccf-77c92e44345e", + "type": 
"visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "66267767-efdd-44d5-b1f9-df14b732b457": { + "columnOrder": [ + "419606b4-2184-442d-8c6c-2c5c515ce3b6", + "f25b1da0-8365-484b-9a55-e123f0bbfe17" + ], + "columns": { + "419606b4-2184-442d-8c6c-2c5c515ce3b6": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "f25b1da0-8365-484b-9a55-e123f0bbfe17": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed DNS Queries", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.response_code" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + }, + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed DNS Queries", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.response_code" + } + }, + "incompleteColumns": {}, + 
"indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d9855a4e-7726-4400-8cf3-0be9a0fcfa2f", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTAUTH" + 
} + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": "66267767-efdd-44d5-b1f9-df14b732b457", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "f25b1da0-8365-484b-9a55-e123f0bbfe17", + "trendlineTimeAccessor": "419606b4-2184-442d-8c6c-2c5c515ce3b6" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "29799cca-01ae-4c3f-911d-d07b116968eb", + "w": 12, + "x": 0, + "y": 80 + }, + "panelIndex": "29799cca-01ae-4c3f-911d-d07b116968eb", + "title": "Failed DNS Queries [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "071618ce-0873-4d00-ad7c-002474b23ceb": { + "columnOrder": [ + "0f9ca953-058a-4cc1-b046-3179b9a86232", + "c381d089-e693-481b-af25-375b5cbff6ef" + ], + "columns": { + "0f9ca953-058a-4cc1-b046-3179b9a86232": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c381d089-e693-481b-af25-375b5cbff6ef": { + "customLabel": true, + 
"dataType": "number", + "isBucketed": false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + }, + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "57907480-ca4a-4cb2-b1bd-e25b7e025fff", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": 
"logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": "071618ce-0873-4d00-ad7c-002474b23ceb", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "c381d089-e693-481b-af25-375b5cbff6ef", + "trendlineTimeAccessor": "0f9ca953-058a-4cc1-b046-3179b9a86232" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", + "w": 12, + "x": 12, + "y": 80 + }, + "panelIndex": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b", + "title": "Unusual Qtypes [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" 
+ }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8977309-8b15-43e2-a989-d584a507e76c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d4281ac5-0f1f-408e-b630-0496df8a6abd": { + "columnOrder": [ + "bf395d6a-f13a-420b-af21-92f5d7524e0d" + ], + "columns": { + "bf395d6a-f13a-420b-af21-92f5d7524e0d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "NXDOMAIN Responses", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + }, + "ec2d913a-dfac-492b-8897-0684cb5e8384": { + "columnOrder": [ + "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61", + "0aa08f02-f75e-4c1f-ab8b-1348751a830e" + ], + "columns": { + "0aa08f02-f75e-4c1f-ab8b-1348751a830e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "NXDOMAIN Responses", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "linkToLayers": [ + "d4281ac5-0f1f-408e-b630-0496df8a6abd" + ], + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, 
+ "disabled": false, + "index": "b8977309-8b15-43e2-a989-d584a507e76c", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "NXDOMAIN", + "NO ERROR" + ], + "type": "phrases", + "value": [ + "NXDOMAIN", + "NO ERROR" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "NXDOMAIN" + } + }, + { + "match_phrase": { + "dns.response_code": "NO ERROR" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "d4281ac5-0f1f-408e-b630-0496df8a6abd", + "layerType": "data", + "metricAccessor": "bf395d6a-f13a-420b-af21-92f5d7524e0d", + "showBar": false, + "trendlineLayerId": "ec2d913a-dfac-492b-8897-0684cb5e8384", + "trendlineLayerType": "metricTrendline", + 
"trendlineMetricAccessor": "0aa08f02-f75e-4c1f-ab8b-1348751a830e", + "trendlineTimeAccessor": "eba6a3d3-63dd-4d94-b96d-1ea2930d2b61" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", + "w": 12, + "x": 24, + "y": 80 + }, + "panelIndex": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a", + "title": "NXDOMAIN Responses [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "name": "logs-corelight.conn-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "timeField": "@timestamp", + "title": "logs-corelight.conn-*" + } + ], + "layers": { + "de0b257f-0377-4bb9-af1b-7d20dd1167a2": { + "columns": [ + { + "columnId": "Internal DNS Servers", + "fieldName": "Internal DNS Servers", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" + }, + 
"timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| where conn.local_resp == \"true\"\r\n| where destination.ip IS NOT NULL AND destination.port IN (53, 5353)\r\n| stats count_distinct(destination.ip)\r\n| rename `count_distinct(destination.ip)` as `Internal DNS Servers`" + }, + "visualization": { + "layerId": "de0b257f-0377-4bb9-af1b-7d20dd1167a2", + "layerType": "data", + "metricAccessor": "Internal DNS Servers" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 12, + "i": "6fa2127f-76a0-4cf4-aeb5-023a409617c0", + "w": 12, + "x": 36, + "y": 80 + }, + "panelIndex": "6fa2127f-76a0-4cf4-aeb5-023a409617c0", + "title": "Internal DNS Server [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "7b7288b0-fc66-447a-bf87-ca75657077c1", + "includeInFitToBounds": true, + "label": null, + "locale": "autoselect", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "lightModeDefault": "road_map_desaturated", + "type": "EMS_TMS" + }, + "style": { + "color": "", + "type": "EMS_VECTOR_TILE" + }, + "type": "EMS_VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "disableTooltips": false, + "id": "7b5c7da7-406a-42b5-94d2-ab72f2c41241", + "includeInFitToBounds": true, + "joins": [ + { + "leftField": "iso2", + "right": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "id": "9fd3b304-7881-47a0-acaf-8f181f818c92", + "indexPatternRefName": "layer_1_join_0_index_pattern", + "metrics": [ + { + "type": "count" + } + ], + "term": 
"destination.geo.country_iso_code", + "type": "ES_TERM_SOURCE" + } + } + ], + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": "world_countries", + "tooltipProperties": [ + "iso2" + ], + "type": "EMS_FILE" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", + "origin": "join" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "type": "ORDINAL" + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelPosition": { + "options": { + "position": "CENTER" + } + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "field": { + "name": "__kbnjoin__count__9fd3b304-7881-47a0-acaf-8f181f818c92", + "origin": "join" + } + }, + "type": "DYNAMIC" + }, + "labelZoomRange": { + "options": { + "maxZoom": 24, + "minZoom": 0, + "useLayerZoomRange": true + } + }, + "lineColor": { + "options": { + "color": "#3d3d3d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "GEOJSON_VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "adHocDataViews": [], + "center": { + "lat": 48.09839, + "lon": 38.19049 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": 
false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 60000, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "customIcons": [], + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "keydownScrollZoom": false, + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-15y", + "to": "now" + }, + "zoom": 1.4 + }, + "title": "", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [ + 
"7b5c7da7-406a-42b5-94d2-ab72f2c41241" + ] + } + }, + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 85.05113, + "maxLon": 360, + "minLat": -66.51326, + "minLon": -270 + }, + "mapCenter": { + "lat": 48.09839, + "lon": 38.19049, + "zoom": 1.4 + }, + "openTOCDetails": [ + "7b5c7da7-406a-42b5-94d2-ab72f2c41241" + ] + }, + "gridData": { + "h": 16, + "i": "89bdbbdd-970b-48f0-b467-454690ac31ba", + "w": 48, + "x": 0, + "y": 92 + }, + "panelIndex": "89bdbbdd-970b-48f0-b467-454690ac31ba", + "title": "Geolocation of DNS Responses [Logs Corelight]", + "type": "map" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## Remote Management Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "26018340-67af-4538-b428-d8d46f43eaa5", + "w": 48, + "x": 0, + "y": 108 + }, + "panelIndex": "26018340-67af-4538-b428-d8d46f43eaa5", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { + "columnOrder": [ + "830012a1-ead9-47d0-a1b9-c730c12d2f03", + "4efb03c4-7bfb-467b-95d1-f2f597a54474" + ], + "columns": { + "4efb03c4-7bfb-467b-95d1-f2f597a54474": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": 
"___records___" + }, + "830012a1-ead9-47d0-a1b9-c730c12d2f03": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top VPN destinations", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4efb03c4-7bfb-467b-95d1-f2f597a54474", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_name" + } + }, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4efb03c4-7bfb-467b-95d1-f2f597a54474" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "830012a1-ead9-47d0-a1b9-c730c12d2f03" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", + "w": 48, + "x": 0, + "y": 112 + }, + "panelIndex": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d", + "title": "Top VPN destinations by Country [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "26f1e5e7-9541-4f11-82c6-fd14f199c8a9": { + "columnOrder": [ + "212b9fd6-2b67-4044-beda-34a878fd7cb3", + "6f9821bc-ee05-4453-b430-4ed07b6ce616" + ], + "columns": { + 
"212b9fd6-2b67-4044-beda-34a878fd7cb3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top 10 Country Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6f9821bc-ee05-4453-b430-4ed07b6ce616", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.geo.country_name" + }, + "6f9821bc-ee05-4453-b430-4ed07b6ce616": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "e94b43c3-8743-4cdd-9c76-227f19f352e4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", 
+ "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6f9821bc-ee05-4453-b430-4ed07b6ce616" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_percentage_stacked", + "showGridlines": false, + "splitAccessor": "212b9fd6-2b67-4044-beda-34a878fd7cb3" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_percentage_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "5ab5369a-3203-444a-a6df-c6e53a2012d9", + "w": 48, + "x": 0, + "y": 128 + }, + "panelIndex": "5ab5369a-3203-444a-a6df-c6e53a2012d9", + "title": "Percentage of Top VPN Destinations by Country [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", + "type": "index-pattern" + } + ], + "state": { + 
"adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "21891190-3fbe-4509-b194-a3b4d9de210e": { + "columnOrder": [ + "d51d895a-e07e-4c6e-abcb-adb341992490", + "d12a96af-d3e0-4deb-a399-7e915cb41e3a", + "2277bb8e-b9c9-41db-bedd-33aa905a38d9" + ], + "columns": { + "2277bb8e-b9c9-41db-bedd-33aa905a38d9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d12a96af-d3e0-4deb-a399-7e915cb41e3a": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "d51d895a-e07e-4c6e-abcb-adb341992490": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Auth Success", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2277bb8e-b9c9-41db-bedd-33aa905a38d9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "4d08dd32-2d05-4ae8-b983-359e174f07f1", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + 
"params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "2277bb8e-b9c9-41db-bedd-33aa905a38d9" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "21891190-3fbe-4509-b194-a3b4d9de210e", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "d51d895a-e07e-4c6e-abcb-adb341992490", + "xAccessor": "d12a96af-d3e0-4deb-a399-7e915cb41e3a" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "c19bc596-61ef-4f39-b512-18356caee0dc", + "w": 48, + "x": 0, + "y": 144 + }, + "panelIndex": "c19bc596-61ef-4f39-b512-18356caee0dc", + "title": "RDP Authentication Attempts [Logs 
Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "9fcfb3e5-a699-459e-a209-16c7ff98fd11": { + "columns": [ + { + "columnId": "count", + "fieldName": "count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "@timestamp", + "fieldName": "@timestamp", + "meta": { + "esType": "date", + "type": "date" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as count\r\n| keep count,@timestamp" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null\r\n| stats count() by @timestamp\r\n| rename `count()` as count\r\n| keep count,@timestamp" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + 
"yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "count" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9fcfb3e5-a699-459e-a209-16c7ff98fd11", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "@timestamp" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "Bar vertical stacked", + "type": "lens", + "visualizationType": "lnsXY" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "b88e5afc-74f6-45df-ac1a-19655138a7d3", + "w": 48, + "x": 0, + "y": 160 + }, + "panelIndex": "b88e5afc-74f6-45df-ac1a-19655138a7d3", + "title": "VPN Connections [Logs Corelight]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Corelight] Security Posture", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-02T13:54:03.182Z", + "id": "corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-17987725-38cf-441b-80f5-bfac6ffdd8f9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9ac116d2-1c6e-409f-8634-c296d2589f92:indexpattern-datasource-layer-bc293d4e-883c-49c6-b57d-21b1018e67d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"9ac116d2-1c6e-409f-8634-c296d2589f92:5918839a-d5a1-4a87-8971-05283f0052f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2eab540d-c7cd-4a10-b705-98cf81bff3f6:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:indexpattern-datasource-layer-33e5de0f-9cd9-4d05-b5a3-0d7f1903829d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f0568a59-ec5c-4d4b-a4e1-7a3f8b41bcd4:209a539e-6ce4-41e8-a3b7-9b4bce41794e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "96ea21c5-b69c-422b-a146-5e603cb86fc4:indexpattern-datasource-layer-3a8fc291-604b-469a-b1f0-04af963f3bdb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "96ea21c5-b69c-422b-a146-5e603cb86fc4:5ec12ef5-06e7-451b-b5af-4320d1a9a19b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-86bf3a2f-1ace-4808-98ea-397ca4104587", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:indexpattern-datasource-layer-9bfe18c9-d1a3-4896-bed6-c1a097ce8d87", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "32fe97ea-4e8a-48ab-a02a-b527bc130376:3dfb3090-5395-444a-b3c5-5ff9f4829845", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-b49f0771-93f3-4c27-9748-204bc03d4f42", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "55bac572-9e7e-4580-b674-a4a7a51b4be4:0b079edd-048e-4c1b-9a02-e01af8675bb1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-3dab57e3-501b-44f3-b26e-ea81181d3096", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:indexpattern-datasource-layer-ba4af475-eb29-4ff6-a6dd-04d8175fb81b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c05df282-f5e3-4635-89d9-2c3824b7c713:cefd7f6f-f96e-4a32-802d-00a5fbc38a4b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee6608a6-a905-4e49-acd2-18a119dc633a:indexpattern-datasource-layer-a43b081c-d4f3-4e85-926b-1297b06b22e0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-66267767-efdd-44d5-b1f9-df14b732b457", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "29799cca-01ae-4c3f-911d-d07b116968eb:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-071618ce-0873-4d00-ad7c-002474b23ceb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a73a98-0c87-4c2d-9d5d-823a595c3f8b:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-d4281ac5-0f1f-408e-b630-0496df8a6abd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:indexpattern-datasource-layer-ec2d913a-dfac-492b-8897-0684cb5e8384", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26a1ac69-2b1b-4bb0-af16-ae78e8ba244a:b8977309-8b15-43e2-a989-d584a507e76c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "89bdbbdd-970b-48f0-b467-454690ac31ba:layer_1_join_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6e2b3328-d18a-4d8c-995f-975ce87f7b7d:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "5ab5369a-3203-444a-a6df-c6e53a2012d9:indexpattern-datasource-layer-26f1e5e7-9541-4f11-82c6-fd14f199c8a9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c19bc596-61ef-4f39-b512-18356caee0dc:indexpattern-datasource-layer-21891190-3fbe-4509-b194-a3b4d9de210e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_42578746-ab6b-48bc-b4b7-4453f4bbf187:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json b/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json new file mode 100644 index 00000000000..5cd1474a354 --- /dev/null +++ b/packages/corelight/kibana/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e.json 
@@ -0,0 +1,2587 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "597c5dc5-3e91-4307-8a43-32592d3367d0": { + "explicitInput": { + "enhancements": {}, + "fieldName": "observer.hostname", + "grow": true, + "id": "597c5dc5-3e91-4307-8a43-32592d3367d0", + "searchTechnique": "prefix", + "title": "Sensor", + "width": "medium" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- [**Name Resolution Insights (This Page)**](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n- [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n- [Remote Activity Insights](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 29, + "i": "55f817d6-cbfd-4e16-9621-fc14df6a215b", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": 
"55f817d6-cbfd-4e16-9621-fc14df6a215b", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## DNS Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 5, + "i": "1d899748-4702-43fe-b613-1c193501840f", + "w": 36, + "x": 12, + "y": 0 + }, + "panelIndex": "1d899748-4702-43fe-b613-1c193501840f", + "title": "DNS Hygiene [Logs Corelight]", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "name": "logs-corelight.conn-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "timeField": "@timestamp", + "title": "logs-corelight.conn-*" + } + ], + "layers": { + "3ebf3d0c-088a-4be6-acbf-002858ebb189": { + "columns": [ + { + "columnId": "Responding DNS Servers", + "fieldName": "Responding DNS Servers", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and 
network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as Destination, `count()` as `# of Queries`, `count_distinct(source.ip)` as `# of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `# of Queries` DESC, `# of Unique Clients` ASC\r\n| keep Destination, `# of Queries`,`# of Unique Clients`,`Country`, Internal\r\n| stats count()\r\n| rename `count()` as `Responding DNS Servers`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as Destination, `count()` as `# of Queries`, `count_distinct(source.ip)` as `# of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `# of Queries` DESC, `# of Unique Clients` ASC\r\n| keep Destination, `# of Queries`,`# of Unique Clients`,`Country`, Internal\r\n| stats count()\r\n| rename `count()` as `Responding DNS Servers`" + }, + "visualization": { + "layerId": "3ebf3d0c-088a-4be6-acbf-002858ebb189", + "layerType": "data", + "metricAccessor": "Responding DNS Servers" + } + }, + "title": "Metric", + "type": 
"lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "c4622aff-b737-42c1-bb80-e23e7c2c1497", + "w": 21, + "x": 12, + "y": 5 + }, + "panelIndex": "c4622aff-b737-42c1-bb80-e23e7c2c1497", + "title": "DNS Servers actively responding to queries [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "DNS servers actively responding in the network are key to secure operations, translating domain names to IP addresses and directing traffic. It also logs the number of queries and unique clients interacting with the DNS servers, offering insights into possible rogue DNS servers and detecting patterns that may suggest data exfiltration attempts.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "74d88c5b-bf5a-460a-94d3-36f9ab45665c", + "w": 15, + "x": 33, + "y": 5 + }, + "panelIndex": "74d88c5b-bf5a-460a-94d3-36f9ab45665c", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "name": "logs-corelight.conn-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.conn-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": 
"30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "timeField": "@timestamp", + "title": "logs-corelight.conn-*" + } + ], + "layers": { + "4e79664b-da6b-45c7-bf56-28f4cb40ee64": { + "columns": [ + { + "columnId": "Destination", + "fieldName": "Destination", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "# of Queries", + "fieldName": "# of Queries", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "# of Unique Clients", + "fieldName": "# of Unique Clients", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + }, + { + "columnId": "Country", + "fieldName": "Country", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Internal", + "fieldName": "Internal", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "30745a83f179da5f11b16656250be0a248d7293f796a233331383a8b71ff135a", + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as Destination, `count()` as `# of Queries`, `count_distinct(source.ip)` as `# of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `# of Queries` DESC, `# of Unique Clients` ASC\r\n| keep Destination, `# of Queries`,`# of Unique Clients`,`Country`, Internal" + }, + "timeField": "@timestamp" + } + } + } 
+ }, + "filters": [], + "query": { + "esql": "from logs-corelight.conn-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"conn\" and observer.hostname is not null and network.protocol == \"dns\"\r\n| stats count(), count_distinct(source.ip), values(destination.geo.country_name) , values(conn.local_resp) by destination.ip\r\n| eval `values(destination.geo.country_name)` = case(`values(destination.geo.country_name)` is null, \"Unknown\",\r\n`values(destination.geo.country_name)`)\r\n| eval Internal = case(\r\n `values(conn.local_resp)` == true, \"yes\", \"no\")\r\n| rename destination.ip as Destination, `count()` as `# of Queries`, `count_distinct(source.ip)` as `# of Unique Clients`, `values(destination.geo.country_name)` as Country\r\n| sort `# of Queries` DESC, `# of Unique Clients` ASC\r\n| keep Destination, `# of Queries`,`# of Unique Clients`,`Country`, Internal" + }, + "visualization": { + "columns": [ + { + "columnId": "Destination" + }, + { + "columnId": "# of Queries" + }, + { + "columnId": "# of Unique Clients" + }, + { + "columnId": "Country" + }, + { + "columnId": "Internal" + } + ], + "layerId": "4e79664b-da6b-45c7-bf56-28f4cb40ee64", + "layerType": "data" + } + }, + "title": "Table Destination \u0026 # of Queries \u0026 # of Unique Clients \u0026 Country \u0026 Internal", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "5fd9db5e-4b67-4705-864f-9da458ae559c", + "w": 36, + "x": 12, + "y": 13 + }, + "panelIndex": "5fd9db5e-4b67-4705-864f-9da458ae559c", + "title": "DNS Servers actively responding to queries [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + 
"id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "name": "logs-corelight.dns-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.dns-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "timeField": "@timestamp", + "title": "logs-corelight.dns-*" + } + ], + "layers": { + "018938b7-4189-40e7-a4b9-4827a2e82073": { + "columns": [ + { + "columnId": "NXDOMAIN Responses", + "fieldName": "NXDOMAIN Responses", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as Source, destination.ip as Responder, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, \"Yes\", \"No\")\r\n| keep Source, Responder, Query, `Rejected?`, Count\r\n| stats sum(Count)\r\n| rename `sum(Count)` as `NXDOMAIN Responses`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as Source, destination.ip as Responder, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, 
\"Yes\", \"No\")\r\n| keep Source, Responder, Query, `Rejected?`, Count\r\n| stats sum(Count)\r\n| rename `sum(Count)` as `NXDOMAIN Responses`" + }, + "visualization": { + "layerId": "018938b7-4189-40e7-a4b9-4827a2e82073", + "layerType": "data", + "metricAccessor": "NXDOMAIN Responses" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "7ad0699b-c6f3-4d65-9eac-4b64bb2f2ac7", + "w": 9, + "x": 0, + "y": 29 + }, + "panelIndex": "7ad0699b-c6f3-4d65-9eac-4b64bb2f2ac7", + "title": "NXDOMAIN Responses [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "High rates of DNS NXDOMAIN responses might suggest misconfigured domains, typographical errors in network requests, or malicious activities such as DNS reconnaissance. Close examination is advised to correct configurations or identify security incidents. 
Review DNS logs for patterns, validate domain configurations, and check endpoint security for signs of malware.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "51e44b2d-b0f2-4594-9994-ef11c1d5c6fc", + "w": 15, + "x": 9, + "y": 29 + }, + "panelIndex": "51e44b2d-b0f2-4594-9994-ef11c1d5c6fc", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c4e9e0a6-f825-4c30-aff3-e4bdbeed88f4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fce80aa0-379e-4ef0-92bc-44d99401530d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c4e9e0a6-f825-4c30-aff3-e4bdbeed88f4": { + "columnOrder": [ + "caa40fd6-ef59-4f69-8206-e6a56d3415fc" + ], + "columns": { + "caa40fd6-ef59-4f69-8206-e6a56d3415fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.question.type" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + }, + "fce80aa0-379e-4ef0-92bc-44d99401530d": { + "columnOrder": [ + "77c870d2-fb5e-4085-be69-ec02c9ab3638", + "b246490e-7f57-4a6a-a0c2-a151024b8b6b" + ], + "columns": { + "77c870d2-fb5e-4085-be69-ec02c9ab3638": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b246490e-7f57-4a6a-a0c2-a151024b8b6b": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Unusual Qtypes", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.question.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "linkToLayers": [ + "c4e9e0a6-f825-4c30-aff3-e4bdbeed88f4" + ], + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "d231056f-f69b-475d-8c67-3d4781691d7b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + 
"match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "c4e9e0a6-f825-4c30-aff3-e4bdbeed88f4", + "layerType": "data", + "metricAccessor": "caa40fd6-ef59-4f69-8206-e6a56d3415fc", + "showBar": false, + "trendlineLayerId": "fce80aa0-379e-4ef0-92bc-44d99401530d", + "trendlineLayerType": "metricTrendline", + "trendlineMetricAccessor": "b246490e-7f57-4a6a-a0c2-a151024b8b6b", + "trendlineTimeAccessor": "77c870d2-fb5e-4085-be69-ec02c9ab3638" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "c3d12a34-7130-4e0d-ad7e-32d744f883c8", + "w": 9, + "x": 24, + "y": 29 + }, + "panelIndex": "c3d12a34-7130-4e0d-ad7e-32d744f883c8", + "title": "Unusual Qtypes [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Unusual DNS query types can indicate misconfigurations, experimental features, or potential security threats like data exfiltration or tunneling. 
Analysts should scrutinize such queries for anomalies and address identified risks to safeguard network security.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "4198f90d-1e35-43d3-8215-ee4bbcb43ef8", + "w": 15, + "x": 33, + "y": 29 + }, + "panelIndex": "4198f90d-1e35-43d3-8215-ee4bbcb43ef8", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "name": "logs-corelight.dns-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.dns-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "timeField": "@timestamp", + "title": "logs-corelight.dns-*" + } + ], + "layers": { + "023b380c-de3d-46b1-8a33-78b5e61aeec1": { + "columns": [ + { + "columnId": "Source", + "fieldName": "Source", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Responder", + "fieldName": "Responder", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Query", + "fieldName": "Query", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Rejected?", + "fieldName": "Rejected?", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Count", + "fieldName": "Count", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + 
"query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as Source, destination.ip as Responder, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, \"Yes\", \"No\")\r\n| sort Count desc\r\n| keep Source, Responder, Query, `Rejected?`, Count" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null and dns.response_code == \"NXDOMAIN\"\r\n| stats count() by source.ip, destination.ip, dns.question.name, dns.flags.rejected\r\n| rename source.ip as Source, destination.ip as Responder, dns.question.name as Query, dns.flags.rejected as query_rejected, `count()` as Count\r\n|eval `Rejected?` = case(query_rejected == true, \"Yes\", \"No\")\r\n| sort Count desc\r\n| keep Source, Responder, Query, `Rejected?`, Count" + }, + "visualization": { + "columns": [ + { + "columnId": "Source" + }, + { + "columnId": "Responder" + }, + { + "columnId": "Query" + }, + { + "columnId": "Rejected?" + }, + { + "columnId": "Count" + } + ], + "layerId": "023b380c-de3d-46b1-8a33-78b5e61aeec1", + "layerType": "data" + } + }, + "title": "Table Source \u0026 Responder \u0026 Query \u0026 Rejected? 
\u0026 Count", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "a419d7f8-5778-4ca5-9ff9-458c48780c63", + "w": 24, + "x": 0, + "y": 37 + }, + "panelIndex": "a419d7f8-5778-4ca5-9ff9-458c48780c63", + "title": "Network Evidence for NXDOMAIN Responses [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-57e304c4-38a3-414e-ade3-7fde09dea5ea", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "57e304c4-38a3-414e-ade3-7fde09dea5ea": { + "columnOrder": [ + "2baf2b55-3dec-4804-9479-778def74f831", + "ec51ba7c-550f-421d-b8d4-80435d1a2393", + "48be70d1-5a92-45f7-93fa-edffa0ae347c", + "3754cf2d-a7ed-4929-a64a-bad0bb414306", + "5aa24d03-8701-4413-8d61-337eaccebc62" + ], + "columns": { + "2baf2b55-3dec-4804-9479-778def74f831": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Qtype", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "dns.question.type" + }, + "3754cf2d-a7ed-4929-a64a-bad0bb414306": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "\"dns.question.name\": *" + }, + 
"isBucketed": false, + "label": "Query", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + }, + "48be70d1-5a92-45f7-93fa-edffa0ae347c": { + "customLabel": true, + "dataType": "ip", + "filter": { + "language": "kuery", + "query": "\"source.ip\": *" + }, + "isBucketed": false, + "label": "Source", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "5aa24d03-8701-4413-8d61-337eaccebc62": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ec51ba7c-550f-421d-b8d4-80435d1a2393": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Responder", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5aa24d03-8701-4413-8d61-337eaccebc62", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "292f84a8-5325-419b-a0c5-16eb5bd6ff86", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": 
{ + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.question.type", + "index": "logs-*", + "key": "dns.question.type", + "negate": false, + "params": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ], + "type": "phrases", + "value": [ + "AXFR", + "IXFR", + "ANY", + "TXT" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.question.type": "AXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "IXFR" + } + }, + { + "match_phrase": { + "dns.question.type": "ANY" + } + }, + { + "match_phrase": { + "dns.question.type": "TXT" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2baf2b55-3dec-4804-9479-778def74f831", + "hidden": false, + "isMetric": false, + "isTransposed": false, + "width": 200.6 + }, + { + "columnId": "3754cf2d-a7ed-4929-a64a-bad0bb414306", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "48be70d1-5a92-45f7-93fa-edffa0ae347c", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": 
"5aa24d03-8701-4413-8d61-337eaccebc62", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "ec51ba7c-550f-421d-b8d4-80435d1a2393", + "hidden": false, + "isMetric": false, + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": "57e304c4-38a3-414e-ade3-7fde09dea5ea", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "a7fe7917-bfed-40c7-b78c-d89131368db4", + "w": 24, + "x": 24, + "y": 37 + }, + "panelIndex": "a7fe7917-bfed-40c7-b78c-d89131368db4", + "title": "Unusual Query Types found [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-727942dc-ec2c-489f-953b-dd5cdab0d17c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "727942dc-ec2c-489f-953b-dd5cdab0d17c": { + "columnOrder": [ + "ed474aed-58a9-47bf-8aa5-33753ddaca07" + ], + "columns": { + "ed474aed-58a9-47bf-8aa5-33753ddaca07": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed DNS Queries", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "dns.response_code" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "baebe57a-478c-46bd-b9a0-47c98ac5ee8b", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + 
"index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "727942dc-ec2c-489f-953b-dd5cdab0d17c", + "layerType": "data", + "metricAccessor": "ed474aed-58a9-47bf-8aa5-33753ddaca07" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "7d2bfb7d-5b46-45af-9a08-1f7d423aa13a", + "w": 9, + "x": 0, + "y": 53 + }, + "panelIndex": "7d2bfb7d-5b46-45af-9a08-1f7d423aa13a", + "title": "NXDOMAIN Responses [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Failed DNS queries may point to misconfigurations, outdated systems, or security threats such as network infiltration or DNS poisoning. Analysts should investigate the sources and patterns of these failures to identify and remediate underlying causes, thereby ensuring network integrity and security.", + "openLinksInNewTab": false + }, + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "69a868ad-16f7-4750-a2c3-3334a957b453", + "w": 15, + "x": 9, + "y": 53 + }, + "panelIndex": "69a868ad-16f7-4750-a2c3-3334a957b453", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "name": "logs-corelight.dns-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.dns-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "timeField": "@timestamp", + "title": "logs-corelight.dns-*" + } + ], + "layers": { + "35fb5d46-f4f8-4272-ab64-39c9ee6092f6": { + "columns": [ + { + "columnId": 
"Monitoring DNS Query Response Times \u003e 15ms", + "fieldName": "Monitoring DNS Query Response Times \u003e 15ms", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as Responder, avg_rtt as `Avg. Response Time (ms)`\r\n| stats count(Query) \r\n| rename `count(Query)` as `Monitoring DNS Query Response Times \u003e 15ms`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as Responder, avg_rtt as `Avg. 
Response Time (ms)`\r\n| stats count(Query) \r\n| rename `count(Query)` as `Monitoring DNS Query Response Times \u003e 15ms`" + }, + "visualization": { + "layerId": "35fb5d46-f4f8-4272-ab64-39c9ee6092f6", + "layerType": "data", + "metricAccessor": "Monitoring DNS Query Response Times \u003e 15ms" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "c500aeac-2fbc-4c4e-88de-a6401716befd", + "w": 9, + "x": 24, + "y": 53 + }, + "panelIndex": "c500aeac-2fbc-4c4e-88de-a6401716befd", + "title": "Monitoring DNS Query Response Times \u003e 15ms [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Long DNS query response times may indicate network congestion, server performance issues, or potential security threats. Timely analysis is crucial for maintaining optimal network performance and security. 
Investigate extended response times by examining server configurations, network traffic, and potential external attacks.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "e79912a9-d452-4e96-832d-fc6e7866de02", + "w": 15, + "x": 33, + "y": 53 + }, + "panelIndex": "e79912a9-d452-4e96-832d-fc6e7866de02", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-727942dc-ec2c-489f-953b-dd5cdab0d17c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "727942dc-ec2c-489f-953b-dd5cdab0d17c": { + "columnOrder": [ + "9f5bb817-f888-44e6-a08c-e16aa3818603", + "5a1d6ef6-c325-468c-af82-72fa6b51a5d7", + "79eb71be-2bbc-4710-97c6-6219b4716016", + "4be8d5b0-dc64-4f9b-991c-251b7e70d1bb", + "9a848fff-e882-4622-9c70-61255b537a53" + ], + "columns": { + "4be8d5b0-dc64-4f9b-991c-251b7e70d1bb": { + "customLabel": true, + "dataType": "string", + "filter": { + "language": "kuery", + "query": "\"dns.question.name\": *" + }, + "isBucketed": false, + "label": "Query", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + }, + "5a1d6ef6-c325-468c-af82-72fa6b51a5d7": { + "customLabel": true, + "dataType": "ip", + "filter": { + "language": "kuery", + "query": "\"source.ip\": *" + }, + "isBucketed": false, + "label": "Source", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "79eb71be-2bbc-4710-97c6-6219b4716016": { + "customLabel": true, + "dataType": "ip", + "filter": { + "language": "kuery", + "query": "\"destination.ip\": *" + }, + "isBucketed": false, + "label": "Responder", + "operationType": "last_value", + "params": { + 
"sortField": "@timestamp" + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "9a848fff-e882-4622-9c70-61255b537a53": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9f5bb817-f888-44e6-a08c-e16aa3818603": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Response Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "dns.response_code" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "568d23b1-2259-41d0-96cb-29eda7008a47", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": 
"phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "dns.response_code", + "index": "logs-*", + "key": "dns.response_code", + "negate": false, + "params": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ], + "type": "phrases", + "value": [ + "SERVFAIL", + "REFUSED", + "FORMERR", + "NOTIMP", + "NOTAUTH" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "dns.response_code": "SERVFAIL" + } + }, + { + "match_phrase": { + "dns.response_code": "REFUSED" + } + }, + { + "match_phrase": { + "dns.response_code": "FORMERR" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTIMP" + } + }, + { + "match_phrase": { + "dns.response_code": "NOTAUTH" + } + } + ] + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "5a1d6ef6-c325-468c-af82-72fa6b51a5d7", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "79eb71be-2bbc-4710-97c6-6219b4716016", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "4be8d5b0-dc64-4f9b-991c-251b7e70d1bb", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "9a848fff-e882-4622-9c70-61255b537a53", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "9f5bb817-f888-44e6-a08c-e16aa3818603", + "isMetric": false, + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": 
"727942dc-ec2c-489f-953b-dd5cdab0d17c", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "59ffbbf5-e70a-4d7d-8b0d-c7768b83b6c7", + "w": 24, + "x": 0, + "y": 61 + }, + "panelIndex": "59ffbbf5-e70a-4d7d-8b0d-c7768b83b6c7", + "title": "Network Evidence for Failed DNS Queries [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "name": "logs-corelight.dns-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.dns-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "timeField": "@timestamp", + "title": "logs-corelight.dns-*" + } + ], + "layers": { + "edc2bdb5-61b7-42da-911c-40d192c3d539": { + "columns": [ + { + "columnId": "Query", + "fieldName": "Query", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Responder", + "fieldName": "Responder", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Avg. Response Time (ms)", + "fieldName": "Avg. 
Response Time (ms)", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": "2822558581c97b9590f6300cb704338209e089678c681675277821265127a97a", + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as Responder, avg_rtt as `Avg. Response Time (ms)`\r\n| keep Query,Responder,`Avg. Response Time (ms)`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.dns-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"dns\" and observer.hostname is not null\r\n| stats avg_rtt = avg(dns.rtt) by dns.question.name,destination.ip\r\n| where avg_rtt \u003e 0.015\r\n| eval avg_rtt = to_string(round(avg_rtt*1000, 2))\r\n| rename dns.question.name as Query, destination.ip as Responder, avg_rtt as `Avg. Response Time (ms)`\r\n| keep Query,Responder,`Avg. Response Time (ms)`" + }, + "visualization": { + "columns": [ + { + "columnId": "Query" + }, + { + "columnId": "Responder" + }, + { + "columnId": "Avg. Response Time (ms)" + } + ], + "layerId": "edc2bdb5-61b7-42da-911c-40d192c3d539", + "layerType": "data" + } + }, + "title": "Table Query \u0026 Responder \u0026 Avg. 
Response Time (ms)", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "91479e99-d3f4-4b75-8622-2c1428d26beb", + "w": 24, + "x": 24, + "y": 61 + }, + "panelIndex": "91479e99-d3f4-4b75-8622-2c1428d26beb", + "title": "Monitoring Query Types by AVG time [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9f47d832-8719-4ec7-9561-e41bd686ab1d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9f47d832-8719-4ec7-9561-e41bd686ab1d": { + "columnOrder": [ + "6dab638f-2018-4dfc-9347-e3c433f77eb6" + ], + "columns": { + "6dab638f-2018-4dfc-9347-e3c433f77eb6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "DNS Query Volume Over Time", + "operationType": "sum", + "params": { + "emptyAsNull": false, + "format": { + "id": "bytes", + "params": { + "decimals": 2 + } + } + }, + "scale": "ratio", + "sourceField": "source.bytes" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "93a71a88-d4bf-463f-87ef-b291ff153658", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": 
false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "conn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "conn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "network.protocol", + "index": "logs-*", + "key": "network.protocol", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "network.protocol": "dns" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "9f47d832-8719-4ec7-9561-e41bd686ab1d", + "layerType": "data", + "metricAccessor": "6dab638f-2018-4dfc-9347-e3c433f77eb6" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 8, + "i": "c387e630-592c-4b76-b9a4-4186cc9cddb8", + "w": 9, + "x": 0, + "y": 77 + }, + "panelIndex": "c387e630-592c-4b76-b9a4-4186cc9cddb8", + "title": "DNS Query Volume Over Time [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Monitor total DNS-related network traffic in MB/GB. 
Sudden spikes or unusual patterns could signal configuration errors, compromised devices making excessive queries, or potential data exfiltration attempts.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "2b1667e8-6a7c-4aed-a897-34e44869f093", + "w": 15, + "x": 9, + "y": 77 + }, + "panelIndex": "2b1667e8-6a7c-4aed-a897-34e44869f093", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-92edaee0-ac50-487f-93a8-4fbe36f2ea1c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3bd035d5-676a-4c93-8123-c2e088c5aa69", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "92edaee0-ac50-487f-93a8-4fbe36f2ea1c": { + "columnOrder": [ + "9895e8c8-37a8-4dbd-8747-eeba6d504a03", + "03df8242-dd49-4d36-8d97-c09ad1cac1a6" + ], + "columns": { + "03df8242-dd49-4d36-8d97-c09ad1cac1a6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Monitoring Query Types by AVG time", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9895e8c8-37a8-4dbd-8747-eeba6d504a03": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": 
"3bd035d5-676a-4c93-8123-c2e088c5aa69", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "dns" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "dns" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "03df8242-dd49-4d36-8d97-c09ad1cac1a6" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "92edaee0-ac50-487f-93a8-4fbe36f2ea1c", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "9895e8c8-37a8-4dbd-8747-eeba6d504a03" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 
16, + "i": "07fc5f04-6a47-4808-9d47-8ea30554891d", + "w": 24, + "x": 0, + "y": 85 + }, + "panelIndex": "07fc5f04-6a47-4808-9d47-8ea30554891d", + "title": "Monitoring Query Types by AVG time [Logs Corelight]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Corelight] Name Resolution Insights", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-02T13:54:00.560Z", + "id": "corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "c3d12a34-7130-4e0d-ad7e-32d744f883c8:indexpattern-datasource-layer-c4e9e0a6-f825-4c30-aff3-e4bdbeed88f4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3d12a34-7130-4e0d-ad7e-32d744f883c8:indexpattern-datasource-layer-fce80aa0-379e-4ef0-92bc-44d99401530d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a7fe7917-bfed-40c7-b78c-d89131368db4:indexpattern-datasource-layer-57e304c4-38a3-414e-ade3-7fde09dea5ea", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d2bfb7d-5b46-45af-9a08-1f7d423aa13a:indexpattern-datasource-layer-727942dc-ec2c-489f-953b-dd5cdab0d17c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "59ffbbf5-e70a-4d7d-8b0d-c7768b83b6c7:indexpattern-datasource-layer-727942dc-ec2c-489f-953b-dd5cdab0d17c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c387e630-592c-4b76-b9a4-4186cc9cddb8:indexpattern-datasource-layer-9f47d832-8719-4ec7-9561-e41bd686ab1d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07fc5f04-6a47-4808-9d47-8ea30554891d:indexpattern-datasource-layer-92edaee0-ac50-487f-93a8-4fbe36f2ea1c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07fc5f04-6a47-4808-9d47-8ea30554891d:3bd035d5-676a-4c93-8123-c2e088c5aa69", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"controlGroup_597c5dc5-3e91-4307-8a43-32592d3367d0:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json b/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json new file mode 100644 index 00000000000..1e43b617b24 --- /dev/null +++ b/packages/corelight/kibana/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf.json 
@@ -0,0 +1,2588 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "31c87e45-d99f-4836-b47c-d7bf6892d9f6": { + "explicitInput": { + "enhancements": {}, + "fieldName": "observer.hostname", + "grow": true, + "id": "31c87e45-d99f-4836-b47c-d7bf6892d9f6", + "searchTechnique": "prefix", + "title": "Sensor", + "width": "medium" + }, + "grow": false, + "order": 0, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Corelight**\n\n- [Security Posture](#/dashboard/corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b)\n- [Name Resolution Insights](#/dashboard/corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e)\n- [Secure Channel Insights](#/dashboard/corelight-45197477-c13f-4e52-a5dd-fb4f53564963)\n- [**Remote Activity Insights (This Page)**](#/dashboard/corelight-f4864774-ed73-4b78-b861-5b8235ec12cf)\n\n[**Integrations Page**](/app/integrations/detail/corelight/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 29, + "i": "43029a30-7d70-4db4-92f5-4f5992b2178b", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": 
"43029a30-7d70-4db4-92f5-4f5992b2178b", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "## Remote Access Hygiene", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "5b19625f-8f5d-4c8a-bc8a-d824d1fab1d6", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "5b19625f-8f5d-4c8a-bc8a-d824d1fab1d6", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd": { + "columnOrder": [ + "a6693805-be86-4a53-90d1-4af157b5d88f" + ], + "columns": { + "a6693805-be86-4a53-90d1-4af157b5d88f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "RDP Authentication Attempts", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "646f43db-a468-43ae-8853-1972c048abc4", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": 
"observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ], + "type": "phrases", + "value": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "rdp.result": "Success" + } + }, + { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "event.outcome" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + 
"layerId": "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "layerType": "data", + "metricAccessor": "a6693805-be86-4a53-90d1-4af157b5d88f" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "Total count of RDP success and failed actions within the specified time.", + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "2012fa54-ef50-4fbd-a1a4-7990ab45274f", + "w": 9, + "x": 10, + "y": 4 + }, + "panelIndex": "2012fa54-ef50-4fbd-a1a4-7990ab45274f", + "title": "Total count of RDP success and failed actions within the specified time.", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Monitoring RDP authentications is crucial for identifying unauthorized access and distinguishing between successful and failed login attempts. 
Security teams should analyze trends and cross-reference user activity for rapid response and mitigation.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 10, + "i": "4fe94c1d-5c85-4424-8137-e6824feac312", + "w": 10, + "x": 19, + "y": 4 + }, + "panelIndex": "4fe94c1d-5c85-4424-8137-e6824feac312", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Total count of users with login failures within the specified time.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd": { + "columnOrder": [ + "a6693805-be86-4a53-90d1-4af157b5d88f" + ], + "columns": { + "a6693805-be86-4a53-90d1-4af157b5d88f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Identifying Failed RDP Logins", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "rdp.cookie" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "83380797-fbed-492f-a0be-648f9c64bcc5", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": 
"logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": { + "query": "SSL_NOT_ALLOWED_BY_SERVER" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "layerType": "data", + "metricAccessor": "a6693805-be86-4a53-90d1-4af157b5d88f" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "Total count of users with login failures within the specified time.", + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "a5180f32-e1ff-4084-8532-fbdfe73bdaa3", + "w": 8, + "x": 29, + "y": 4 + }, + "panelIndex": 
"a5180f32-e1ff-4084-8532-fbdfe73bdaa3", + "title": "Total count of users with login failures within the specified time.", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "Monitoring failed RDP logins is essential for detecting unauthorized access attempts. Security teams should analyze patterns of failed entries against user and IP data to identify potential breaches. This focus helps in quickly addressing vulnerabilities in RDP security. Effective monitoring of these incidents is crucial for maintaining system integrity.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 10, + "i": "2caec4ad-b5d0-4676-af97-3af995c2b490", + "w": 11, + "x": 37, + "y": 4 + }, + "panelIndex": "2caec4ad-b5d0-4676-af97-3af995c2b490", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fed94441-e867-42b0-b267-643f8091135a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b854fb52-d4a2-4935-bbc4-3be2f348a3c9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fed94441-e867-42b0-b267-643f8091135a": { + "columnOrder": [ + "3d58c5c9-18ea-4086-a197-933c9e7d98ba", + "b5308f15-28e3-46f9-8ff8-7e153226e9ed", + "887ab77a-3c1e-4c85-967a-73f9be01231f" + ], + "columns": { + "3d58c5c9-18ea-4086-a197-933c9e7d98ba": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Authentications", + "operationType": "filters", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "rdp.result 
: \"Success\" or event.outcome : \"success\" " + }, + "label": "Success" + }, + { + "input": { + "language": "kuery", + "query": "rdp.result : \"SSL_NOT_ALLOWED_BY_SERVER\" or event.outcome : \"failure\" " + }, + "label": "Failure" + } + ] + }, + "scale": "ordinal" + }, + "887ab77a-3c1e-4c85-967a-73f9be01231f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed vs Successful Authentications", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b5308f15-28e3-46f9-8ff8-7e153226e9ed": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b854fb52-d4a2-4935-bbc4-3be2f348a3c9", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + 
"key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ], + "type": "phrases", + "value": [ + "Success", + "SSL_NOT_ALLOWED_BY_SERVER" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "rdp.result": "Success" + } + }, + { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + ] + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "event.outcome" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "887ab77a-3c1e-4c85-967a-73f9be01231f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fed94441-e867-42b0-b267-643f8091135a", + "layerType": 
"data", + "seriesType": "line", + "splitAccessor": "3d58c5c9-18ea-4086-a197-933c9e7d98ba", + "xAccessor": "b5308f15-28e3-46f9-8ff8-7e153226e9ed" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a176a473-9362-4fa8-8c52-32cf231b3ec5", + "w": 19, + "x": 10, + "y": 14 + }, + "panelIndex": "a176a473-9362-4fa8-8c52-32cf231b3ec5", + "title": "Failed vs Successful Authentications [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "35400392-619e-40cf-aae1-7cc1635b3a11", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd": { + "columnOrder": [ + "0a6bb5b6-3803-4372-a831-db523690a4d9", + "872086ca-7927-4c91-87fc-ddb64fe6e793", + "e7ce2eea-8b7e-4c50-9400-1764a25c5bcd", + "f3806585-17b6-4e62-a27b-4ce316521975", + "6e32462e-277b-4c29-9877-e24c97c5e8d3", + "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b" + ], + "columns": { + "0a6bb5b6-3803-4372-a831-db523690a4d9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "rdp.cookie" 
+ }, + "6e32462e-277b-4c29-9877-e24c97c5e8d3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Result", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "rdp.result" + }, + "872086ca-7927-4c91-87fc-ddb64fe6e793": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "rdp.cookie" + }, + "e7ce2eea-8b7e-4c50-9400-1764a25c5bcd": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Destination", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + 
"f3806585-17b6-4e62-a27b-4ce316521975": { + "customLabel": true, + "dataType": "boolean", + "isBucketed": true, + "label": "Auth_Success?", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "rdp.auth_successful" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "35400392-619e-40cf-aae1-7cc1635b3a11", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "rdp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "rdp" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "logs-*", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + 
"field": "rdp.result", + "index": "logs-*", + "key": "rdp.result", + "negate": false, + "params": { + "query": "SSL_NOT_ALLOWED_BY_SERVER" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "rdp.result": "SSL_NOT_ALLOWED_BY_SERVER" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.outcome", + "index": "logs-*", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "relation": "OR", + "type": "combined" + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0a6bb5b6-3803-4372-a831-db523690a4d9", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "right", + "columnId": "d8ed4b5b-db0c-4d78-ace0-c27f4431d05b", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "872086ca-7927-4c91-87fc-ddb64fe6e793", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "e7ce2eea-8b7e-4c50-9400-1764a25c5bcd", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "f3806585-17b6-4e62-a27b-4ce316521975", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "6e32462e-277b-4c29-9877-e24c97c5e8d3", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "7ddbc57e-e1ee-4e57-b7b0-46548ef7653d", + "w": 19, + "x": 29, + "y": 14 + }, + "panelIndex": "7ddbc57e-e1ee-4e57-b7b0-46548ef7653d", + "title": "Identifying Failed RDP Logins - Data [Logs Corelight]", + "type": "lens" + }, + { + 
"embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "## VPN Insights", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "9a5a75be-5ec6-4d18-9288-ab3af34e3c55", + "w": 48, + "x": 0, + "y": 29 + }, + "panelIndex": "9a5a75be-5ec6-4d18-9288-ab3af34e3c55", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-70e9ebb6-137c-4c65-ad17-0dfafeacc079", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "70e9ebb6-137c-4c65-ad17-0dfafeacc079": { + "columnOrder": [ + "04783de7-2a7f-4f35-94ab-758be2a94acf" + ], + "columns": { + "04783de7-2a7f-4f35-94ab-758be2a94acf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unusual Remote Activity", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "964c174e-b61d-4dd0-ab95-34c18ad549ee", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": 
"phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "COM" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "COM" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "RW" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "RW" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "NSP" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "NSP" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#FFFFFF", + "layerId": "70e9ebb6-137c-4c65-ad17-0dfafeacc079", + "layerType": "data", + "metricAccessor": "04783de7-2a7f-4f35-94ab-758be2a94acf" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "Total count of VPN connections that have the following inferences NSP - Non-Standard Port RW - Road warrior configuration detected (i.e. Cisco Anyconnect) COM - Commercial VPN service occurring at the same time which is deemed suspicious.", + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "cfa6fd75-a8ac-4091-ad4a-52d65c8c128b", + "w": 11, + "x": 0, + "y": 33 + }, + "panelIndex": "cfa6fd75-a8ac-4091-ad4a-52d65c8c128b", + "title": "Total count of VPN connections that have the following inferences NSP - Non-Standard Port RW - Road warrior configuration detected (i.e. Cisco Anyconnect) COM - Commercial VPN service occurring at the same time which is deemed suspicious. [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "The combination of the \"COM\", \"RW\", and \"NSP\" inferences in a single VPN connection raises questions: Policy Violation: Is the use of commercial VPNs allowed in your organization's security policy? If not, this could indicate a violation. 
Hidden Activity: Is the non-standard port usage an attempt to mask other activities happening over the VPN tunnel?", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 10, + "i": "f370f213-6f10-4fbb-899c-dbd30b0a8b61", + "w": 13, + "x": 11, + "y": 33 + }, + "panelIndex": "f370f213-6f10-4fbb-899c-dbd30b0a8b61", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "1645eae3-d806-40a8-bde9-3bf7bd7762b8": { + "columns": [ + { + "columnId": "Suspected Data Exfiltration", + "fieldName": "Suspected Data Exfiltration", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as Source, destination.ip as Responder, 
`values(destination.geo.country_iso_code)` as `Responder Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as count\r\n| keep Source, Responder,Inferences,`Responder Country`, `VPN Type`, count\r\n| stats count()\r\n| rename `count()` as `Suspected Data Exfiltration`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as Source, destination.ip as Responder, `values(destination.geo.country_iso_code)` as `Responder Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as count\r\n| keep Source, Responder,Inferences,`Responder Country`, `VPN Type`, count\r\n| stats count()\r\n| rename `count()` as `Suspected Data Exfiltration`" + }, + "visualization": { + "layerId": "1645eae3-d806-40a8-bde9-3bf7bd7762b8", + "layerType": "data", + "metricAccessor": "Suspected Data Exfiltration" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "Total count of VPN connections using potentially unusual connection configurations such as static TLS key auth", + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "76d8039e-5068-469a-b565-ccfeead4662d", + "w": 11, + "x": 24, + "y": 33 + }, + "panelIndex": "76d8039e-5068-469a-b565-ccfeead4662d", + "title": "Total count of VPN connections using potentially unusual connection configurations such as static TLS key auth [Logs Corelight]", + "type": "lens" 
+ }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Unmonitored commercial VPNs with atypical traffic patterns or static keys could be used to bypass security controls for data theft.\n\nInvestigate: Examine VPN sessions with large outgoing transfers, focusing on unusual destinations or protocols.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 10, + "i": "3fb99537-0782-4dec-b0d2-c6a21d2adb5d", + "w": 13, + "x": 35, + "y": 33 + }, + "panelIndex": "3fb99537-0782-4dec-b0d2-c6a21d2adb5d", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "df419d83-5fc9-439c-b36f-8f9472900796": { + "columns": [ + { + "columnId": "Possible Unauthorized Remote Access Attempts", + "fieldName": "Possible Unauthorized Remote Access Attempts", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 
10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in ( \"RW\", \"FW\" )\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as Source, `values(destination.ip)` as Destination, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as dest_port,`values(source.bytes)` as Bytes, `count()` as count\r\n| keep Source, Destination,Proto,Inferences,dest_port,Bytes,count\r\n| stats count()\r\n| rename `count()` as `Possible Unauthorized Remote Access Attempts`" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in ( \"RW\", \"FW\" )\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as Source, `values(destination.ip)` as Destination, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as dest_port,`values(source.bytes)` as Bytes, `count()` as count\r\n| keep Source, Destination,Proto,Inferences,dest_port,Bytes,count\r\n| stats count()\r\n| rename `count()` as `Possible Unauthorized Remote Access Attempts`" + }, + "visualization": { + "layerId": "df419d83-5fc9-439c-b36f-8f9472900796", + "layerType": "data", + "metricAccessor": "Possible Unauthorized Remote Access Attempts" + } + }, + "title": "Metric", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "description": "Total count of VPN connections that are using the RW- Road warrior configuration detected (i.e. 
Cisco Anyconnect) and FW - Firewall subversion inferences", + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 10, + "i": "f123b762-4065-4c82-b5c3-fde12cbd8c39", + "w": 11, + "x": 0, + "y": 58 + }, + "panelIndex": "f123b762-4065-4c82-b5c3-fde12cbd8c39", + "title": "Total count of VPN connections that are using the RW- Road warrior configuration detected (i.e. Cisco Anyconnect) and FW - Firewall subversion inferences [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "Monitoring for \"RW\" (Road Warrior) and \"FW\" (Firewall subversion) inferences is crucial for detecting potential unauthorized access, as these patterns may indicate attempts to bypass security controls. 
Security teams should prioritize correlating these inferences with internal IP ranges and device logs to identify suspicious activities.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 10, + "i": "c8e73976-f9ff-4774-8403-dd5171153ebd", + "w": 13, + "x": 11, + "y": 58 + }, + "panelIndex": "c8e73976-f9ff-4774-8403-dd5171153ebd", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + "layers": { + "7ed05fa2-5d4e-4ddb-b835-5dd0a73a94f0": { + "columns": [ + { + "columnId": "Source", + "fieldName": "Source", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Responder", + "fieldName": "Responder", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Responder Country", + "fieldName": "Responder Country", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "VPN Type", + "fieldName": "VPN Type", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + } + ], + "index": 
"b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as Source, destination.ip as Responder, `values(destination.geo.country_iso_code)` as `Responder Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as Count\r\n| keep Source, Responder,Inferences,`Responder Country`, `VPN Type`, Count" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"COM\", \"NSP\", \"SK\")\r\n| stats count(),values(vpn.inferences), values(destination.geo.country_iso_code), values(vpn.name) by source.ip,destination.ip\r\n| eval `values(vpn.inferences)` = mv_concat(`values(vpn.inferences)`,\":\")\r\n| rename source.ip as Source, destination.ip as Responder, `values(destination.geo.country_iso_code)` as `Responder Country`, `values(vpn.name)` as `VPN Type`, `values(vpn.inferences)` as Inferences, `count()` as Count\r\n| keep Source, Responder,Inferences,`Responder Country`, `VPN Type`, Count" + }, + "visualization": { + "columns": [ + { + "columnId": "Source" + }, + { + "columnId": "Responder" + }, + { + "columnId": "Inferences" + }, + { + "columnId": "Responder Country" + }, + { + "columnId": "VPN Type" + } + ], + "layerId": "7ed05fa2-5d4e-4ddb-b835-5dd0a73a94f0", + "layerType": "data" + } + }, + "title": "Table Source \u0026 Responder \u0026 Inferences \u0026 Responder 
Country \u0026 VPN Type", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "e06a79ec-f324-4344-9e79-23fc0138ecda", + "w": 24, + "x": 24, + "y": 43 + }, + "panelIndex": "e06a79ec-f324-4344-9e79-23fc0138ecda", + "title": "Suspected Data Exfiltration - Data [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-70e9ebb6-137c-4c65-ad17-0dfafeacc079", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "34be19f7-42d1-4889-8d3f-928ef606c522", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "70e9ebb6-137c-4c65-ad17-0dfafeacc079": { + "columnOrder": [ + "ec0cde5b-1209-4854-ba50-d0c5bf88fa7e", + "a6b2a0bd-fcf4-4725-a930-8b80de96ff19", + "cc407129-df00-42ce-8d1d-297d5cd8c838", + "17902afb-25fe-4ce8-8096-5908e65800a9", + "04783de7-2a7f-4f35-94ab-758be2a94acf" + ], + "columns": { + "04783de7-2a7f-4f35-94ab-758be2a94acf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "17902afb-25fe-4ce8-8096-5908e65800a9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "VPN Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "04783de7-2a7f-4f35-94ab-758be2a94acf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + 
"sourceField": "vpn.name" + }, + "a6b2a0bd-fcf4-4725-a930-8b80de96ff19": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Responder", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "04783de7-2a7f-4f35-94ab-758be2a94acf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "cc407129-df00-42ce-8d1d-297d5cd8c838": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "inferences", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "04783de7-2a7f-4f35-94ab-758be2a94acf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "vpn.inferences" + }, + "ec0cde5b-1209-4854-ba50-d0c5bf88fa7e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "04783de7-2a7f-4f35-94ab-758be2a94acf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10000 + }, + "scale": "ordinal", + "sourceField": "source.ip" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "index": "34be19f7-42d1-4889-8d3f-928ef606c522", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "observer.vendor", + "index": "logs-*", + "key": "observer.vendor", + "negate": false, + "params": { + "query": "Corelight" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "observer.vendor": "Corelight" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "event.dataset", + "index": "logs-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "vpn" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "vpn" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "observer.hostname", + "index": "logs-*", + "key": "observer.hostname", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "observer.hostname" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "COM" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "COM" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "RW" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "RW" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "vpn.inferences", + "index": "logs-*", + "key": "vpn.inferences", + "negate": false, + "params": { + "query": "NSP" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "vpn.inferences": "NSP" + } + } + } + ], + "relation": "AND", + "type": 
"combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "ec0cde5b-1209-4854-ba50-d0c5bf88fa7e", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "a6b2a0bd-fcf4-4725-a930-8b80de96ff19", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "cc407129-df00-42ce-8d1d-297d5cd8c838", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "17902afb-25fe-4ce8-8096-5908e65800a9", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "04783de7-2a7f-4f35-94ab-758be2a94acf", + "isMetric": true, + "isTransposed": false + } + ], + "headerRowHeight": "auto", + "layerId": "70e9ebb6-137c-4c65-ad17-0dfafeacc079", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "auto" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "b7d175df-42dc-4523-81f3-e95811f54089", + "w": 24, + "x": 0, + "y": 43 + }, + "panelIndex": "b7d175df-42dc-4523-81f3-e95811f54089", + "title": "Unusual Remote Activity - Data [Logs Corelight]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "adHocDataViews": { + "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb": { + "allowHidden": false, + "allowNoIndex": false, + "fieldFormats": {}, + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "name": "logs-corelight.various-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-corelight.various-*", + "type": "esql" + } + }, + "datasourceStates": { + "textBased": { + "indexPatternRefs": [ + { + "id": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "timeField": "@timestamp", + "title": "logs-corelight.various-*" + } + ], + 
"layers": { + "da497649-6bd4-4cb4-9e63-d3d8701db3ce": { + "columns": [ + { + "columnId": "Source", + "fieldName": "Source", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Destination", + "fieldName": "Destination", + "inMetricDimension": true, + "meta": { + "esType": "ip", + "type": "ip" + } + }, + { + "columnId": "Proto", + "fieldName": "Proto", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Inferences", + "fieldName": "Inferences", + "inMetricDimension": true, + "meta": { + "esType": "keyword", + "type": "string" + } + }, + { + "columnId": "Dest Port", + "fieldName": "Dest Port", + "inMetricDimension": true, + "meta": { + "esType": "long", + "type": "number" + } + } + ], + "index": "b2bcbb11fd7b30e2a9f2ee93a6a5ffd1f700ee82fff0bfc92dd439c707a35ebb", + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"RW\", \"FW\")\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as Source, `values(destination.ip)` as Destination, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as `Dest Port`,`values(source.bytes)` as Bytes, `count()` as Count\r\n| keep Source, Destination,Proto,Inferences,`Dest Port`,Bytes, Count" + }, + "timeField": "@timestamp" + } + } + } + }, + "filters": [], + "query": { + "esql": "from logs-corelight.various-*\r\n| limit 10000\r\n| where observer.vendor == \"Corelight\" and event.dataset == \"vpn\" and observer.hostname is not null and vpn.inferences in (\"RW\", \"FW\")\r\n| stats count(), values(source.ip),values(destination.ip), values(proto),values(vpn.inferences), 
values(destination.port),values(source.bytes) by event.id\r\n| rename `values(source.ip)` as Source, `values(destination.ip)` as Destination, `values(proto)` as Proto, `values(vpn.inferences)` as Inferences,`values(destination.port)` as `Dest Port`,`values(source.bytes)` as Bytes, `count()` as Count\r\n| keep Source, Destination,Proto,Inferences,`Dest Port`,Bytes, Count" + }, + "visualization": { + "columns": [ + { + "columnId": "Source" + }, + { + "columnId": "Destination" + }, + { + "columnId": "Proto" + }, + { + "columnId": "Inferences" + }, + { + "columnId": "Dest Port" + } + ], + "layerId": "da497649-6bd4-4cb4-9e63-d3d8701db3ce", + "layerType": "data" + } + }, + "title": "Table Source \u0026 Destination \u0026 Proto \u0026 Inferences \u0026 Dest Port", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "disabledActions": [ + "OPEN_FLYOUT_ADD_DRILLDOWN" + ], + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "da9cff0e-22d9-4da1-819f-8160ec61f922", + "w": 24, + "x": 0, + "y": 68 + }, + "panelIndex": "da9cff0e-22d9-4da1-819f-8160ec61f922", + "title": "Possible Unauthorized Remote Access Attempts - Data [Logs Corelight]", + "type": "lens" + } + ], + "refreshInterval": { + "pause": true, + "value": 60000 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Corelight] Remote Activity Insights", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-02T13:54:01.158Z", + "id": "corelight-f4864774-ed73-4b78-b861-5b8235ec12cf", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "2012fa54-ef50-4fbd-a1a4-7990ab45274f:indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a5180f32-e1ff-4084-8532-fbdfe73bdaa3:indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a176a473-9362-4fa8-8c52-32cf231b3ec5:indexpattern-datasource-layer-fed94441-e867-42b0-b267-643f8091135a",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a176a473-9362-4fa8-8c52-32cf231b3ec5:b854fb52-d4a2-4935-bbc4-3be2f348a3c9",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7ddbc57e-e1ee-4e57-b7b0-46548ef7653d:indexpattern-datasource-layer-2e54ff62-b4f5-4b5c-b0ee-13094977e6bd",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7ddbc57e-e1ee-4e57-b7b0-46548ef7653d:35400392-619e-40cf-aae1-7cc1635b3a11",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "cfa6fd75-a8ac-4091-ad4a-52d65c8c128b:indexpattern-datasource-layer-70e9ebb6-137c-4c65-ad17-0dfafeacc079",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b7d175df-42dc-4523-81f3-e95811f54089:indexpattern-datasource-layer-70e9ebb6-137c-4c65-ad17-0dfafeacc079",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b7d175df-42dc-4523-81f3-e95811f54089:34be19f7-42d1-4889-8d3f-928ef606c522",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "controlGroup_31c87e45-d99f-4836-b47c-d7bf6892d9f6:optionsListDataView",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0"
+}
\ No newline at end of file
diff --git a/packages/corelight/manifest.yml b/packages/corelight/manifest.yml
new file mode 100644
index 00000000000..dd0c5c81e29
--- /dev/null
+++ b/packages/corelight/manifest.yml
@@ -0,0 +1,42 @@
+format_version: 3.2.1
+name: corelight
+title: Corelight
+version: 0.1.0
+description: Collect logs from Corelight with Elastic Agent.
+type: integration
+categories:
+ - security
+ - dns_security
+ - network
+ - network_security
+ - vpn_security
+conditions:
+ kibana:
+ version: ^8.14.0
+ elastic:
+ subscription: basic
+screenshots:
+ - src: /img/remote-activity-insights-screenshot.png
+ title: Remote Activity Insights Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/name-resolution-insights.png
+ title: Name Resolution Insights Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/secure-channel-insights.png
+ title: Secure Channel Insights Dashboard Screenshot
+ size: 600x600
+ type: image/png
+ - src: /img/security-posture.png
+ title: Security Posture Dashboard Screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/corelight-logo.svg
+ title: Corelight logo
+ size: 32x32
+ type: image/svg+xml
+owner:
+ github: elastic/security-service-integrations
+ type: partner
diff --git a/packages/corelight/validation.yml b/packages/corelight/validation.yml
new file mode 100644
index 00000000000..6871445cd07
--- /dev/null
+++ b/packages/corelight/validation.yml
@@ -0,0 +1,6 @@
+errors:
+ exclude_checks:
+ - SVR00001 # Saved query, but no filter.
+ - SVR00002 # Mandatory filters in dashboards.
+ - SVR00004 # Saved search not allowed?
+ - SVR00005 # Kibana version for saved tags.
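Review bot: The manifest's `description: Collect logs from Corelight with Elastic Agent.` does not match what the package ships: the manifest declares no `policy_templates`, and the files in this diff are a Kibana dashboard, the manifest and a validation file, so Elastic Agent collects nothing here and the dashboards read from `logs-*` / `logs-corelight.various-*` that another component populates. A user searching the integrations catalog will expect an agent input and find none. If no data stream is added elsewhere in this PR, a truthful one-liner would be `description: Dashboards for Corelight network data already indexed in Elasticsearch.`, and the `version: ^8.14.0` condition should be stated in the README as the minimum required for the ES|QL-backed panels if that is the reason it was chosen.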
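Review bot: Each `exclude_checks` entry should record why the check is being disabled for this package rather than restating what the check is, and `# Saved search not allowed?` with a trailing question mark reads as an open question committed to the repository. SVR00002 (mandatory dashboard filters) matters most from a security-operations view, since the panels visible in this diff pin results to `observer.vendor: Corelight` and an `event.dataset` value through dashboard filters, while the ES|QL panels presumably carry that filter only inside the query where the validator cannot see it — if that is the reason, say so: `- SVR00002 # ES|QL panels apply the observer.vendor/event.dataset filter inside the query, which the check does not detect.`. For SVR00004 either remove the exclusion if saved searches are not used, or replace the comment with the concrete reason, e.g. `# No saved searches are shipped; check fails on dashboards built from ad hoc ES|QL data views.`, hedged to whatever the validator actually reported.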