diff --git a/dashboards/Data Explorer/AWS VPC Flow.json b/dashboards/Data Explorer/AWS VPC Flow.json index 28b988b..309f76b 100644 --- a/dashboards/Data Explorer/AWS VPC Flow.json +++ b/dashboards/Data Explorer/AWS VPC Flow.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "2daea321-d146-4551-9579-d18077383af8", + "name": "2ef412f8-234b-47a1-8ad6-5e12227cc64b", "displayName": "Corelight → Data Explorer → AWS VPC Flow", "definition": { "filters": [ 
@@ -20,38 +20,38 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "0da11e32-bc50-4819-9442-571b4c721784", - "2bfe0677-ed81-4d12-99fc-c1421dd8b498", - "12576e75-ab82-400e-ad6d-017f9ab95735", - "6676ac88-2e11-4ce0-970a-d2869bc83db8", - "b9365c41-8ee3-497b-8965-cdd53bc55fb5", - "2631fb80-499b-4f97-9578-8eafc76ea23d", - "037d597c-2d88-4ac4-8c8d-fbfb9313a0a5", - "60ed8d64-e57d-411d-8060-964bb57b3640", - "4b783225-8c70-4400-a7b8-2324262d506c", - "2072c73b-3fa1-468c-bb85-769c85e55119", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", - "f8af546e-0756-48ff-822f-bd45995ff2b3", - "2d1ed672-f776-4b58-9b36-22dfc796f393", - "338ba913-2620-4f9e-af41-a209752e1cb6", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db", - "94024995-85fe-433a-bebd-3f2d3733108b", - "58532191-20db-4307-a42b-fb9601e1fffd", - "b3b7da40-5c21-4284-9ced-51f56dfb2c4c", - "1df26207-4d03-4846-9574-18876dcefbf9", - "a11ac70d-72eb-4bb0-b521-6616574f4419", - "e760f074-e47a-4758-8b33-748876e665a3", - "83fbed94-c2f2-43f7-8669-6e124629eb60", - "4f71cabd-e4a6-4836-a8f2-8c9bd3db0976" + "88125c84-1c0b-44aa-9be5-eb875124d029", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "daab088d-f338-4ff8-a885-c1381384d63d", + "b43c9b26-6e0e-4c04-be1d-cabac973880d", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "f999c92f-277b-4736-bca7-4f974a44971d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "b78f2967-e4e1-4a61-8f1b-653c8f51eb99", + "641aff8d-1227-45b1-bbc6-b76fe57a9957", + "fc0f0982-348b-4687-8572-2707aa84ee2e", + "116ebfbb-564d-442f-aed1-18695fc5af1b", + "fd9c6ed4-defc-451e-b067-fa272bd22ee3", + "1fae576c-a921-4084-8bd5-bd2305103c6d", + 
"2f42c475-baa6-48cb-bf71-eb64d32b0bcb", + "95f68023-81de-4baa-b12e-7e7bcc1101f7", + "6852d570-36ef-4184-bfd3-cdc840760a4d", + "719d3e4c-1555-4efb-9cd7-4820baa796d1", + "921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "4cf4d500-f234-4bce-9578-4d032044851d", + "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", + "9afdb030-e362-4271-96ec-6467a3fc163b", + "94a9a3a7-df77-467d-9e61-17103729fbcb", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1", + "5a915634-d589-400b-8545-f0f4c4185892", + "3bae6bb0-196e-4b49-be81-4d701dc2b1db", + "a8483e46-636f-4222-928e-6d9b088ed0c9", + "091ffc00-c87e-4f2a-96f0-5afce467f47f", + "03ae4910-b4a4-4c41-8d17-3864f9672e75", + "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a", + "85bdc1c4-3aca-4157-bf63-c0b324f2323b", + "5dbb9dbe-d0f3-4897-8d96-6b80b175917d" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -70,36 +70,36 @@ ], "displayName": "VPC ID", "chartIds": [ - "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "12576e75-ab82-400e-ad6d-017f9ab95735", - "2bfe0677-ed81-4d12-99fc-c1421dd8b498", - "b9365c41-8ee3-497b-8965-cdd53bc55fb5", - "6676ac88-2e11-4ce0-970a-d2869bc83db8", - "60ed8d64-e57d-411d-8060-964bb57b3640", - "2631fb80-499b-4f97-9578-8eafc76ea23d", - "037d597c-2d88-4ac4-8c8d-fbfb9313a0a5", - "4b783225-8c70-4400-a7b8-2324262d506c", - "2072c73b-3fa1-468c-bb85-769c85e55119", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "f8af546e-0756-48ff-822f-bd45995ff2b3", - "2d1ed672-f776-4b58-9b36-22dfc796f393", - "338ba913-2620-4f9e-af41-a209752e1cb6", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db", - "94024995-85fe-433a-bebd-3f2d3733108b", - "58532191-20db-4307-a42b-fb9601e1fffd", - "b3b7da40-5c21-4284-9ced-51f56dfb2c4c", - "1df26207-4d03-4846-9574-18876dcefbf9", - "a11ac70d-72eb-4bb0-b521-6616574f4419", - "e760f074-e47a-4758-8b33-748876e665a3", - "83fbed94-c2f2-43f7-8669-6e124629eb60", - "4f71cabd-e4a6-4836-a8f2-8c9bd3db0976" + "b43c9b26-6e0e-4c04-be1d-cabac973880d", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "88125c84-1c0b-44aa-9be5-eb875124d029", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "daab088d-f338-4ff8-a885-c1381384d63d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "f999c92f-277b-4736-bca7-4f974a44971d", + "fc0f0982-348b-4687-8572-2707aa84ee2e", + "641aff8d-1227-45b1-bbc6-b76fe57a9957", + "fd9c6ed4-defc-451e-b067-fa272bd22ee3", + "116ebfbb-564d-442f-aed1-18695fc5af1b", + "95f68023-81de-4baa-b12e-7e7bcc1101f7", + "1fae576c-a921-4084-8bd5-bd2305103c6d", + "2f42c475-baa6-48cb-bf71-eb64d32b0bcb", + "6852d570-36ef-4184-bfd3-cdc840760a4d", + "719d3e4c-1555-4efb-9cd7-4820baa796d1", + 
"921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", + "9afdb030-e362-4271-96ec-6467a3fc163b", + "94a9a3a7-df77-467d-9e61-17103729fbcb", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1", + "5a915634-d589-400b-8545-f0f4c4185892", + "3bae6bb0-196e-4b49-be81-4d701dc2b1db", + "a8483e46-636f-4222-928e-6d9b088ed0c9", + "091ffc00-c87e-4f2a-96f0-5afce467f47f", + "03ae4910-b4a4-4c41-8d17-3864f9672e75", + "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a", + "85bdc1c4-3aca-4157-bf63-c0b324f2323b", + "5dbb9dbe-d0f3-4897-8d96-6b80b175917d" ] }, { 
@@ -116,37 +116,37 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "12576e75-ab82-400e-ad6d-017f9ab95735", - "2bfe0677-ed81-4d12-99fc-c1421dd8b498", - "b9365c41-8ee3-497b-8965-cdd53bc55fb5", - "6676ac88-2e11-4ce0-970a-d2869bc83db8", - "60ed8d64-e57d-411d-8060-964bb57b3640", - "2631fb80-499b-4f97-9578-8eafc76ea23d", - "037d597c-2d88-4ac4-8c8d-fbfb9313a0a5", - "4b783225-8c70-4400-a7b8-2324262d506c", - "2072c73b-3fa1-468c-bb85-769c85e55119", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", - "f8af546e-0756-48ff-822f-bd45995ff2b3", - "2d1ed672-f776-4b58-9b36-22dfc796f393", - "338ba913-2620-4f9e-af41-a209752e1cb6", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db", - "94024995-85fe-433a-bebd-3f2d3733108b", - "58532191-20db-4307-a42b-fb9601e1fffd", - "b3b7da40-5c21-4284-9ced-51f56dfb2c4c", - "1df26207-4d03-4846-9574-18876dcefbf9", - "a11ac70d-72eb-4bb0-b521-6616574f4419", - "e760f074-e47a-4758-8b33-748876e665a3", - "83fbed94-c2f2-43f7-8669-6e124629eb60", - "4f71cabd-e4a6-4836-a8f2-8c9bd3db0976" + "b43c9b26-6e0e-4c04-be1d-cabac973880d", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "88125c84-1c0b-44aa-9be5-eb875124d029", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "daab088d-f338-4ff8-a885-c1381384d63d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "f999c92f-277b-4736-bca7-4f974a44971d", + "fc0f0982-348b-4687-8572-2707aa84ee2e", + "641aff8d-1227-45b1-bbc6-b76fe57a9957", + "fd9c6ed4-defc-451e-b067-fa272bd22ee3", + "116ebfbb-564d-442f-aed1-18695fc5af1b", + "95f68023-81de-4baa-b12e-7e7bcc1101f7", + "1fae576c-a921-4084-8bd5-bd2305103c6d", + "2f42c475-baa6-48cb-bf71-eb64d32b0bcb", + 
"6852d570-36ef-4184-bfd3-cdc840760a4d", + "719d3e4c-1555-4efb-9cd7-4820baa796d1", + "921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "4cf4d500-f234-4bce-9578-4d032044851d", + "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", + "9afdb030-e362-4271-96ec-6467a3fc163b", + "94a9a3a7-df77-467d-9e61-17103729fbcb", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1", + "5a915634-d589-400b-8545-f0f4c4185892", + "3bae6bb0-196e-4b49-be81-4d701dc2b1db", + "a8483e46-636f-4222-928e-6d9b088ed0c9", + "091ffc00-c87e-4f2a-96f0-5afce467f47f", + "03ae4910-b4a4-4c41-8d17-3864f9672e75", + "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a", + "85bdc1c4-3aca-4157-bf63-c0b324f2323b", + "5dbb9dbe-d0f3-4897-8d96-6b80b175917d" ] }, { @@ -163,7 +163,7 @@ ], "displayName": "Source AWS Organization ID", "chartIds": [ - "e760f074-e47a-4758-8b33-748876e665a3" + "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a" ] }, { 
@@ -180,23 +180,23 @@ ], "displayName": "Direction", "chartIds": [ - "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "12576e75-ab82-400e-ad6d-017f9ab95735", - "2bfe0677-ed81-4d12-99fc-c1421dd8b498", - "b9365c41-8ee3-497b-8965-cdd53bc55fb5", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "2d1ed672-f776-4b58-9b36-22dfc796f393", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db", - "94024995-85fe-433a-bebd-3f2d3733108b", - "58532191-20db-4307-a42b-fb9601e1fffd", - "b3b7da40-5c21-4284-9ced-51f56dfb2c4c" + "b43c9b26-6e0e-4c04-be1d-cabac973880d", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "88125c84-1c0b-44aa-9be5-eb875124d029", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "daab088d-f338-4ff8-a885-c1381384d63d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "f999c92f-277b-4736-bca7-4f974a44971d", + "fc0f0982-348b-4687-8572-2707aa84ee2e", + "641aff8d-1227-45b1-bbc6-b76fe57a9957", + "fd9c6ed4-defc-451e-b067-fa272bd22ee3", + "921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "9afdb030-e362-4271-96ec-6467a3fc163b", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1", + "5a915634-d589-400b-8545-f0f4c4185892", + "3bae6bb0-196e-4b49-be81-4d701dc2b1db", + "a8483e46-636f-4222-928e-6d9b088ed0c9" ] }, { 
@@ -213,20 +213,20 @@ ], "displayName": "Source IP", "chartIds": [ - "4b783225-8c70-4400-a7b8-2324262d506c", - "2072c73b-3fa1-468c-bb85-769c85e55119", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", - "f8af546e-0756-48ff-822f-bd45995ff2b3", - "338ba913-2620-4f9e-af41-a209752e1cb6", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db" + "6852d570-36ef-4184-bfd3-cdc840760a4d", + "719d3e4c-1555-4efb-9cd7-4820baa796d1", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "daab088d-f338-4ff8-a885-c1381384d63d", + "88125c84-1c0b-44aa-9be5-eb875124d029", + "f999c92f-277b-4736-bca7-4f974a44971d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "4cf4d500-f234-4bce-9578-4d032044851d", + "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", + "94a9a3a7-df77-467d-9e61-17103729fbcb", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1" ] }, { 
@@ -243,20 +243,20 @@ ], "displayName": "Destination IP", "chartIds": [ - "4b783225-8c70-4400-a7b8-2324262d506c", - "2072c73b-3fa1-468c-bb85-769c85e55119", - "51a38bb8-b3f8-4a06-9ab2-96112b779c13", - "b87a4481-b100-4617-805e-72445b5a5c0c", - "49da3bb7-7bad-4c7f-b15a-90efeb959388", - "5cd1f577-d7dd-4a39-96f6-17b7ab358281", - "13e72c89-6b0c-479a-ae94-99ddd1019b9e", - "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", - "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", - "060d7610-4a50-4304-8067-e2b725262ad0", - "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", - "f8af546e-0756-48ff-822f-bd45995ff2b3", - "338ba913-2620-4f9e-af41-a209752e1cb6", - "3d1a7f33-3438-4c8a-9099-a75aa07f31db" + "6852d570-36ef-4184-bfd3-cdc840760a4d", + "719d3e4c-1555-4efb-9cd7-4820baa796d1", + "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", + "daab088d-f338-4ff8-a885-c1381384d63d", + "cfe62af6-41fd-4497-bec5-3fc93b8ac859", + "88125c84-1c0b-44aa-9be5-eb875124d029", + "f999c92f-277b-4736-bca7-4f974a44971d", + "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", + "921260e9-755c-40ed-88cc-c221ba1f56f0", + "f53087a8-0089-4787-b3d1-d22d3321de09", + "4cf4d500-f234-4bce-9578-4d032044851d", + "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", + "94a9a3a7-df77-467d-9e61-17103729fbcb", + "e678b75f-4d1a-4277-9bfa-24fe40653ff1" ] }, { @@ -273,13 +273,13 @@ ], "displayName": "Destination AWS Organization ID", "chartIds": [ - "e760f074-e47a-4758-8b33-748876e665a3" + "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a" ] } ], "charts": [ { - "dashboardChart": "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3", + "dashboardChart": "b43c9b26-6e0e-4c04-be1d-cabac973880d", "chartLayout": { "startX": 0, "spanX": 40, @@ -294,7 +294,7 @@ ] }, { - "dashboardChart": "51a38bb8-b3f8-4a06-9ab2-96112b779c13", + "dashboardChart": "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", "chartLayout": { "startX": 0, "spanX": 32, @@ -311,7 +311,7 @@ ] }, { - "dashboardChart": "5cd1f577-d7dd-4a39-96f6-17b7ab358281", + "dashboardChart": "88125c84-1c0b-44aa-9be5-eb875124d029", "chartLayout": { "startX": 0, "spanX": 32, 
@@ -328,7 +328,7 @@ ] }, { - "dashboardChart": "49da3bb7-7bad-4c7f-b15a-90efeb959388", + "dashboardChart": "cfe62af6-41fd-4497-bec5-3fc93b8ac859", "chartLayout": { "startX": 32, "spanX": 32, @@ -345,7 +345,7 @@ ] }, { - "dashboardChart": "b87a4481-b100-4617-805e-72445b5a5c0c", + "dashboardChart": "daab088d-f338-4ff8-a885-c1381384d63d", "chartLayout": { "startX": 32, "spanX": 32, @@ -362,7 +362,7 @@ ] }, { - "dashboardChart": "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", + "dashboardChart": "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", "chartLayout": { "startX": 64, "spanX": 32, @@ -379,7 +379,7 @@ ] }, { - "dashboardChart": "13e72c89-6b0c-479a-ae94-99ddd1019b9e", + "dashboardChart": "f999c92f-277b-4736-bca7-4f974a44971d", "chartLayout": { "startX": 64, "spanX": 32, @@ -396,7 +396,7 @@ ] }, { - "dashboardChart": "0da11e32-bc50-4819-9442-571b4c721784", + "dashboardChart": "b78f2967-e4e1-4a61-8f1b-653c8f51eb99", "chartLayout": { "startX": 40, "spanX": 56, @@ -408,7 +408,7 @@ ] }, { - "dashboardChart": "12576e75-ab82-400e-ad6d-017f9ab95735", + "dashboardChart": "fc0f0982-348b-4687-8572-2707aa84ee2e", "chartLayout": { "startX": 0, "spanX": 29, @@ -423,7 +423,7 @@ ] }, { - "dashboardChart": "2bfe0677-ed81-4d12-99fc-c1421dd8b498", + "dashboardChart": "641aff8d-1227-45b1-bbc6-b76fe57a9957", "chartLayout": { "startX": 29, "spanX": 32, @@ -438,7 +438,7 @@ ] }, { - "dashboardChart": "b9365c41-8ee3-497b-8965-cdd53bc55fb5", + "dashboardChart": "fd9c6ed4-defc-451e-b067-fa272bd22ee3", "chartLayout": { "startX": 48, "spanX": 48, @@ -453,7 +453,7 @@ ] }, { - "dashboardChart": "6676ac88-2e11-4ce0-970a-d2869bc83db8", + "dashboardChart": "116ebfbb-564d-442f-aed1-18695fc5af1b", "chartLayout": { "startX": 0, "spanX": 62, @@ -467,7 +467,7 @@ ] }, { - "dashboardChart": "60ed8d64-e57d-411d-8060-964bb57b3640", + "dashboardChart": "95f68023-81de-4baa-b12e-7e7bcc1101f7", "chartLayout": { "startX": 62, "spanX": 34, 
@@ -481,7 +481,7 @@ ] }, { - "dashboardChart": "2631fb80-499b-4f97-9578-8eafc76ea23d", + "dashboardChart": "1fae576c-a921-4084-8bd5-bd2305103c6d", "chartLayout": { "startX": 0, "spanX": 62, @@ -495,7 +495,7 @@ ] }, { - "dashboardChart": "037d597c-2d88-4ac4-8c8d-fbfb9313a0a5", + "dashboardChart": "2f42c475-baa6-48cb-bf71-eb64d32b0bcb", "chartLayout": { "startX": 62, "spanX": 34, @@ -509,7 +509,7 @@ ] }, { - "dashboardChart": "4b783225-8c70-4400-a7b8-2324262d506c", + "dashboardChart": "6852d570-36ef-4184-bfd3-cdc840760a4d", "chartLayout": { "startX": 0, "spanX": 32, @@ -525,7 +525,7 @@ ] }, { - "dashboardChart": "2072c73b-3fa1-468c-bb85-769c85e55119", + "dashboardChart": "719d3e4c-1555-4efb-9cd7-4820baa796d1", "chartLayout": { "startX": 32, "spanX": 32, @@ -541,7 +541,7 @@ ] }, { - "dashboardChart": "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", + "dashboardChart": "921260e9-755c-40ed-88cc-c221ba1f56f0", "chartLayout": { "startX": 48, "spanX": 48, @@ -558,7 +558,7 @@ ] }, { - "dashboardChart": "060d7610-4a50-4304-8067-e2b725262ad0", + "dashboardChart": "f53087a8-0089-4787-b3d1-d22d3321de09", "chartLayout": { "startX": 0, "spanX": 48, @@ -575,7 +575,7 @@ ] }, { - "dashboardChart": "f8af546e-0756-48ff-822f-bd45995ff2b3", + "dashboardChart": "6cc8ce1d-7516-46ce-92c2-1c07c35e8175", "chartLayout": { "startX": 0, "spanX": 32, @@ -591,7 +591,7 @@ ] }, { - "dashboardChart": "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", + "dashboardChart": "4cf4d500-f234-4bce-9578-4d032044851d", "chartLayout": { "startX": 64, "spanX": 32, @@ -606,7 +606,7 @@ ] }, { - "dashboardChart": "2d1ed672-f776-4b58-9b36-22dfc796f393", + "dashboardChart": "9afdb030-e362-4271-96ec-6467a3fc163b", "chartLayout": { "startX": 48, "spanX": 48, @@ -621,7 +621,7 @@ ] }, { - "dashboardChart": "3d1a7f33-3438-4c8a-9099-a75aa07f31db", + "dashboardChart": "e678b75f-4d1a-4277-9bfa-24fe40653ff1", "chartLayout": { "startX": 0, "spanX": 96, 
@@ -638,7 +638,7 @@ ] }, { - "dashboardChart": "338ba913-2620-4f9e-af41-a209752e1cb6", + "dashboardChart": "94a9a3a7-df77-467d-9e61-17103729fbcb", "chartLayout": { "startX": 32, "spanX": 32, @@ -654,7 +654,7 @@ ] }, { - "dashboardChart": "c178996e-b467-4fc7-9337-dd281df4634f", + "dashboardChart": "86a02c01-2308-4013-ab3a-727a4b6f4a66", "chartLayout": { "startX": 0, "spanX": 96, @@ -663,7 +663,7 @@ } }, { - "dashboardChart": "ba148b13-9f43-433e-9475-5a918ea1c1fb", + "dashboardChart": "d4a75cdc-b682-4a00-a285-b44727a008d0", "chartLayout": { "startX": 0, "spanX": 96, @@ -672,7 +672,7 @@ } }, { - "dashboardChart": "94024995-85fe-433a-bebd-3f2d3733108b", + "dashboardChart": "5a915634-d589-400b-8545-f0f4c4185892", "chartLayout": { "startX": 0, "spanX": 48, @@ -687,7 +687,7 @@ ] }, { - "dashboardChart": "58532191-20db-4307-a42b-fb9601e1fffd", + "dashboardChart": "3bae6bb0-196e-4b49-be81-4d701dc2b1db", "chartLayout": { "startX": 48, "spanX": 48, @@ -702,7 +702,7 @@ ] }, { - "dashboardChart": "b3b7da40-5c21-4284-9ced-51f56dfb2c4c", + "dashboardChart": "a8483e46-636f-4222-928e-6d9b088ed0c9", "chartLayout": { "startX": 61, "spanX": 35, @@ -717,7 +717,7 @@ ] }, { - "dashboardChart": "1df26207-4d03-4846-9574-18876dcefbf9", + "dashboardChart": "091ffc00-c87e-4f2a-96f0-5afce467f47f", "chartLayout": { "startX": 0, "spanX": 48, @@ -731,7 +731,7 @@ ] }, { - "dashboardChart": "a11ac70d-72eb-4bb0-b521-6616574f4419", + "dashboardChart": "03ae4910-b4a4-4c41-8d17-3864f9672e75", "chartLayout": { "startX": 0, "spanX": 34, @@ -745,7 +745,7 @@ ] }, { - "dashboardChart": "e760f074-e47a-4758-8b33-748876e665a3", + "dashboardChart": "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a", "chartLayout": { "startX": 34, "spanX": 62, @@ -761,7 +761,7 @@ ] }, { - "dashboardChart": "83fbed94-c2f2-43f7-8669-6e124629eb60", + "dashboardChart": "85bdc1c4-3aca-4157-bf63-c0b324f2323b", "chartLayout": { "startX": 34, "spanX": 62, 
@@ -775,7 +775,7 @@ ] }, { - "dashboardChart": "4f71cabd-e4a6-4836-a8f2-8c9bd3db0976", + "dashboardChart": "5dbb9dbe-d0f3-4897-8d96-6b80b175917d", "chartLayout": { "startX": 0, "spanX": 34, @@ -791,15 +791,15 @@ ] }, "type": "CUSTOM", - "etag": "0d8af351b3dd8ce8cd5dd8f10f099a3a2b0032958091324971f12404648572ce", + "etag": "20e71f4e80e17eef0825c17e9aefabf46f1f7abdb7426e850d7845d0af23fb03", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "12576e75-ab82-400e-ad6d-017f9ab95735", + "name": "fc0f0982-348b-4687-8572-2707aa84ee2e", "displayName": "Top 10 Source IPs with Most Sent Data", "chartDatasource": { - "dashboardQuery": "75b019a3-84f4-4d91-a765-d7ad1bf677a4", + "dashboardQuery": "ea1357de-3b5f-4cbc-bdb8-abecff32091c", "dataSources": [ "UDM" ] @@ -833,14 +833,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "9af8f5f93b8f1aecf82b56bdcfb01bc98526f95a867c374607d3f88325736051", + "etag": "15e7d92207838d0d910982b43a4b53df54061a6718240057ae2857d199232acb", "drillDownConfig": {} }, { - "name": "6676ac88-2e11-4ce0-970a-d2869bc83db8", + "name": "116ebfbb-564d-442f-aed1-18695fc5af1b", "displayName": "Inbound Connections by Source Country", "chartDatasource": { - "dashboardQuery": "faf3f1bf-467a-4eb0-becc-a8cdf0505b6d", + "dashboardQuery": "4dbce465-9f9e-4ec0-85ba-9839f6040412", "dataSources": [ "UDM" ] @@ -873,14 +873,14 @@ } }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "a0234544bfe1b0b49664ec30ee09774e3d403f79454871d3f5650a1dc817ccf3", + "etag": "8ed7e147b4a337c4e2c0f5fac48f5393e231dac8869daeb43a7950bba74d00a8", "drillDownConfig": {} }, { - "name": "51a38bb8-b3f8-4a06-9ab2-96112b779c13", + "name": "3d0ece5a-994d-4edd-adbe-b7d5af6d32bd", "displayName": "Total Connections", "chartDatasource": { - "dashboardQuery": "6d1c2f8e-b783-4efc-b1b8-5879479215a3", + "dashboardQuery": "01f6e1e6-0c51-4932-bb8b-6a9fef64cc77", "dataSources": [ "UDM" ] 
@@ -916,14 +916,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2617bd5c8c701bc88d759c2fcdfa6f5f4352efbebc733ab69267b5ea40f82da3", + "etag": "c033dfc4ce656551efadc3346b7015f847044e337de0ab1caa543762a6554732", "drillDownConfig": {} }, { - "name": "a4c36dd1-8964-4422-ad69-6392f1dbf5bd", + "name": "4cf4d500-f234-4bce-9578-4d032044851d", "displayName": "Corelight Data Sets", "chartDatasource": { - "dashboardQuery": "d799a8e1-d753-45d1-8c63-9fb6fbc54140", + "dashboardQuery": "54a78693-b86d-4561-9d66-e4c93f56fc70", "dataSources": [ "UDM" ] @@ -1110,11 +1110,11 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "b4d3ce78a95da8f56e941b7542e0b5c1e18bd56cf4511b7f47363c428be2cabc", + "etag": "6cb2bb4dc78a01969828bf2f48108b5338068e087d64794b7f4d8ac33b970679", "drillDownConfig": {} }, { - "name": "ba148b13-9f43-433e-9475-5a918ea1c1fb", + "name": "d4a75cdc-b682-4a00-a285-b44727a008d0", "displayName": "markdown", "visualization": { "markdown": { @@ -1125,13 +1125,13 @@ } }, "tileType": "TILE_TYPE_MARKDOWN", - "etag": "30d50883a422b6610d94b7226157413606669d0d53a6509454fdce290b945422" + "etag": "d84bb3e2e54c61238149c3bbbb857981caeef1840334987537c064e5b2e6a547" }, { - "name": "49da3bb7-7bad-4c7f-b15a-90efeb959388", + "name": "cfe62af6-41fd-4497-bec5-3fc93b8ac859", "displayName": "Unique Source IPs", "chartDatasource": { - "dashboardQuery": "0f74add2-6cf5-4793-ad20-7bc86642e433", + "dashboardQuery": "812022e6-625b-4075-93f8-00339e384025", "dataSources": [ "UDM" ] 
@@ -1167,14 +1167,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "cd26066db84a801ad01d0fb02f707290dfe8eb987663c07a9b9a9d3123ce21dd", + "etag": "d2bc37b95020f4ab8514be3422fcef4a9fe4c52ebc3b761124b7b24f3fe77c50", "drillDownConfig": {} }, { - "name": "9f2761d4-2f4b-4e6e-9151-c4ea0df1717d", + "name": "7fe7a0fd-ce05-4a9c-b9ca-4c591072738d", "displayName": "Unique Destination IPs", "chartDatasource": { - "dashboardQuery": "589df87c-f85e-4328-ab7f-9abd73136b21", + "dashboardQuery": "97f5e3cf-3a94-4be5-b610-67b08b010b6f", "dataSources": [ "UDM" ] @@ -1210,14 +1210,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "cf59a3a615f3744337104617889bc907cdce31aa4e55ba5382327474678ee024", + "etag": "2d624e39c1148416d0ab0c9f3be058a4ee0fb7e7bc7a44f2b70649686a3717b5", "drillDownConfig": {} }, { - "name": "83fbed94-c2f2-43f7-8669-6e124629eb60", + "name": "85bdc1c4-3aca-4157-bf63-c0b324f2323b", "displayName": "Lateral Traffic between Availability Zones", "chartDatasource": { - "dashboardQuery": "dd3b00d9-993e-4a30-a6e2-32d1667142f4", + "dashboardQuery": "9d5eb4d9-cc7d-4bd0-b93d-c9de5709adce", "dataSources": [ "UDM" ] @@ -1259,14 +1259,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "57b2ed8698cbf338a3f1a7b5798f5374259ebd085b18718a8d11838b80d67b82", + "etag": "28c5674273cec3172785b34ccceea7f2ba390ae5b8f13b1c3789bf9fa268269b", "drillDownConfig": {} }, { - "name": "5cd1f577-d7dd-4a39-96f6-17b7ab358281", + "name": "88125c84-1c0b-44aa-9be5-eb875124d029", "displayName": "Total Connections over Time", "chartDatasource": { - "dashboardQuery": "3f86466e-d221-4179-a3d7-f14e77d4e17b", + "dashboardQuery": "78aca484-9a59-468c-8551-98d93e7fe7af", "dataSources": [ "UDM" ] 
@@ -1308,14 +1308,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "3393eef1bd714ad7254b19d4671dca0865abb4532c5466abc3308d71664be0a5", + "etag": "2a941695af0a94126118654b41b518befad470b4935e8e402e1e4f5250c6934f", "drillDownConfig": {} }, { - "name": "338ba913-2620-4f9e-af41-a209752e1cb6", + "name": "94a9a3a7-df77-467d-9e61-17103729fbcb", "displayName": "Top Outbound Ports & Protocols", "chartDatasource": { - "dashboardQuery": "ae28cb8e-ab5b-4174-9890-2f824a0c6481", + "dashboardQuery": "02e5ad37-681d-4def-8115-40d9114ad19c", "dataSources": [ "UDM" ] @@ -1369,15 +1369,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ed61bc00e2bb4cb08063de549a98e8d8904a5ea75cb03f79fb074cfe4fbde232", + "etag": "65e323b04ef181f5a8c935cbf1466c1b0bf16b0410cd185b11849171aa8a15b3", "drillDownConfig": {} }, { - "name": "a11ac70d-72eb-4bb0-b521-6616574f4419", + "name": "03ae4910-b4a4-4c41-8d17-3864f9672e75", "displayName": "Traffic By AWS Account", "description": "Top 10 Total Connections", "chartDatasource": { - "dashboardQuery": "59645b01-d19c-44e8-9450-339ebc8c0a49", + "dashboardQuery": "97199b1f-9949-47b9-bc03-843e632e9d0d", "dataSources": [ "UDM" ] @@ -1431,14 +1431,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "73ddc460de9e4aeaab7e2d9480a059100d415ba9ccf382fe0a11578844d3447e", + "etag": "4f2d681a9078984b57606fbf8ee8a1b8a85666367779108c6447050935721c91", "drillDownConfig": {} }, { - "name": "2072c73b-3fa1-468c-bb85-769c85e55119", + "name": "719d3e4c-1555-4efb-9cd7-4820baa796d1", "displayName": "Total Data Outbound", "chartDatasource": { - "dashboardQuery": "da91240d-2b0f-4bd8-9db3-83654b5be2fb", + "dashboardQuery": "9c2b219b-24ac-41c8-b9c2-6c53e9b4fc48", "dataSources": [ "UDM" ] 
@@ -1474,14 +1474,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2ebdf344e825612cf2b390ba72e113414c24a1b4d63e8b9b44b17e67f89d84b1", + "etag": "0c1bebae97f8861f4faeda977e9446bdd8c0432dea1f46f64726302aede35d8b", "drillDownConfig": {} }, { - "name": "13e72c89-6b0c-479a-ae94-99ddd1019b9e", + "name": "f999c92f-277b-4736-bca7-4f974a44971d", "displayName": "Unique Destination IPs over Time", "chartDatasource": { - "dashboardQuery": "50e352f6-1a86-4672-9d5f-d59d18a60517", + "dashboardQuery": "2db3ed96-ac5a-4b38-8a8d-dd9c631317e8", "dataSources": [ "UDM" ] @@ -1523,14 +1523,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "706de798bb7495e5dd756e1b6387df40a3ff6ea4db00f0d4d1dfa3acfa211631", + "etag": "9527f49eda98dec3951da28b8994001948e00c2e567fab9cf4d4250b11fe0f0e", "drillDownConfig": {} }, { - "name": "7e4156f9-44c7-4d94-b6fa-6c276d60dfb2", + "name": "921260e9-755c-40ed-88cc-c221ba1f56f0", "displayName": "VPC IDs by Connection Count", "chartDatasource": { - "dashboardQuery": "75a3aeee-3454-421c-a2c4-61f0fc19da06", + "dashboardQuery": "3518005e-286f-4ca8-bb55-fcb9ef515174", "dataSources": [ "UDM" ] @@ -1619,14 +1619,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2b565a0ea5cea638943f4ce97c18b2ee2d90977b9400f2f7a9b2360f0ea0cab4", + "etag": "dad6dfb5f8e099e0807eec62df1635d10173a3ea15ed806c85a3f455ed1d22b8", "drillDownConfig": {} }, { - "name": "060d7610-4a50-4304-8067-e2b725262ad0", + "name": "f53087a8-0089-4787-b3d1-d22d3321de09", "displayName": "Connections by Direction", "chartDatasource": { - "dashboardQuery": "420ebc98-fe67-4d0e-b01b-525728b13209", + "dashboardQuery": "2f3a8137-1e8c-4613-ab92-bcbf6aed442d", "dataSources": [ "UDM" ] 
@@ -1708,14 +1708,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2378eaafd16131f47288a1187be4989be9df879e36826b612b8219a84bb36578", + "etag": "07484f81dd18f3d0adf8fbde85a812432dc3a17e6daa8b806ce4ec799ef6cc5b", "drillDownConfig": {} }, { - "name": "60ed8d64-e57d-411d-8060-964bb57b3640", + "name": "95f68023-81de-4baa-b12e-7e7bcc1101f7", "displayName": "Inbound Connections by Source Country", "chartDatasource": { - "dashboardQuery": "65f564e3-fe3b-482d-9a14-0f195a4885c3", + "dashboardQuery": "0b6af4c3-7c1f-417e-8696-10c16a0bc1fd", "dataSources": [ "UDM" ] @@ -1749,7 +1749,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2f87a01e5d6716b31845caa6102637e66cdc88f7cfe4f4a41e40634d07b21b75", + "etag": "30e73e6e96f826bf48df3934cb00e9d021a39012c6a103a4cb11a4ca12439248", "drillDownConfig": { "leftDrillDowns": [ { @@ -1763,10 +1763,10 @@ } }, { - "name": "2d1ed672-f776-4b58-9b36-22dfc796f393", + "name": "9afdb030-e362-4271-96ec-6467a3fc163b", "displayName": "Traffic by Direction for Bytes_In over Time", "chartDatasource": { - "dashboardQuery": "c8747a03-559c-4e76-b95e-4c14f3f7595b", + "dashboardQuery": "c04a733f-b25e-4f50-ba4a-bd4a8bc8bd93", "dataSources": [ "UDM" ] @@ -1854,14 +1854,14 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "611d5bcb2fc76405d41a08f96ed7912b697000ce97846d3c539ef6700fd487ca", + "etag": "3c35960150f49016b3c0722e1adf91d895d91c4414ec2a63710dbcc4a83aa183", "drillDownConfig": {} }, { - "name": "1df26207-4d03-4846-9574-18876dcefbf9", + "name": "091ffc00-c87e-4f2a-96f0-5afce467f47f", "displayName": "Outbound Connection Outliers", "chartDatasource": { - "dashboardQuery": "67588ccf-cc2e-4cce-b713-2fcd3e3d1bfb", + "dashboardQuery": "ace48bbc-4322-4270-890d-996518df1823", "dataSources": [ "UDM" ] 
@@ -1869,82 +1869,12 @@ "visualization": { "series": [ { - "seriesName": "12.14.5.6", "seriesType": "SCATTERPLOT", "encode": { "x": "bytes_out", "y": "duration" }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "12.14.5.6" - }, - { - "seriesName": "1.1.2.2", - "seriesType": "SCATTERPLOT", - "encode": { - "x": "bytes_out", - "y": "duration" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "1.1.2.2" - }, - { - "seriesName": "34.52.2.4", - "seriesType": "SCATTERPLOT", - "encode": { - "x": "bytes_out", - "y": "duration" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "34.52.2.4" - }, - { - "seriesName": "2.78.4.6", - "seriesType": "SCATTERPLOT", - "encode": { - "x": "bytes_out", - "y": "duration" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#ec453b" - }, - "seriesUniqueValue": "2.78.4.6" - }, - { - "seriesName": "45.52.2.4", - "seriesType": "SCATTERPLOT", - "encode": { - "x": "bytes_out", - "y": "duration" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "45.52.2.4" - }, - { - "seriesName": "34.5.6.4", - "seriesType": "SCATTERPLOT", - "encode": { - "x": "bytes_out", - "y": "duration" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "34.5.6.4" + "dataLabel": {} } ], "xAxes": [ @@ -1955,7 +1885,7 @@ ], "yAxes": [ { - "axisType": "VALUE", + "axisType": "CATEGORY", "displayName": "Duration (s)" } ], 
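Review bot: After the deletions the `series` array holds one object with `seriesType`, `encode` and `dataLabel` but no `seriesName` or `seriesUniqueValue`, while the chart keeps `"groupingType": "Grouped"` in the following hunk; whether the renderer accepts an unnamed series under grouped mode is not visible here, so confirm against a freshly exported chart of the same type. The removed entries show that the export serialised one series per source IP seen in the authoring tenant at export time, which is how environment-specific values end up in a committed dashboard; a repository check that no `seriesUniqueValue` literal survives in `dashboards/` would catch the same drift in the other `Grouped` tiles in this file (the two "Traffic by Direction ... over Time" charts), whose series definitions lie outside the visible hunks.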
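Review bot: `"axisType": "CATEGORY"` on the y-axis labelled `Duration (s)` makes every distinct duration a discrete label instead of a position on a numeric scale, so a scatterplot encoding `"y": "duration"` against `"x": "bytes_out"` would no longer spread points proportionally and the outliers this chart exists to surface would be visually flattened. If the switch was only meant to detach the axis from the deleted per-IP series, the numeric encoding presumably still wants `"axisType": "VALUE",`. The `xAxes` definition sits between the two hunks and is not visible, so I cannot tell whether it received the same change.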
@@ -1971,14 +1901,14 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "4664853a69e8099344889672edcc1aa4c5a140d79ef2d38a50ecc577028e361b", + "etag": "a129e22469683ae2a3cbf54cb554b530fa05344faf270f20c17890e10f0bfc7b", "drillDownConfig": {} }, { - "name": "4b783225-8c70-4400-a7b8-2324262d506c", + "name": "6852d570-36ef-4184-bfd3-cdc840760a4d", "displayName": "Total Data Inbound", "chartDatasource": { - "dashboardQuery": "743b6312-1766-4d62-ba1a-4edadd20f01e", + "dashboardQuery": "ab43c120-7e6c-4236-9c84-a5902c870b9f", "dataSources": [ "UDM" ] @@ -2014,14 +1944,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "387204f8cda5a6982f7b24d5f628c032402cf99b6b84c3fc643c87d7bca1766f", + "etag": "b45b79dcaadde20c93d7f35e2c35d777f3e959e64f81cf599014a755ea8b0021", "drillDownConfig": {} }, { - "name": "037d597c-2d88-4ac4-8c8d-fbfb9313a0a5", + "name": "2f42c475-baa6-48cb-bf71-eb64d32b0bcb", "displayName": "Outbound Connections by Destination Country", "chartDatasource": { - "dashboardQuery": "164c4ed7-c4c7-4180-95a2-03f179f7d9ea", + "dashboardQuery": "e32f0c5b-7015-47bc-ba74-59e7557c1201", "dataSources": [ "UDM" ] @@ -2055,7 +1985,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8d785942bad7f83857e94c0c0309ba9a851ea09ec89f19ff6ba0aa44607ca0ef", + "etag": "1c734ebf1601cd3c027109d6569925120a73250dfda356b73c1107b002579f56", "drillDownConfig": { "leftDrillDowns": [ { @@ -2069,10 +1999,10 @@ } }, { - "name": "b9365c41-8ee3-497b-8965-cdd53bc55fb5", + "name": "fd9c6ed4-defc-451e-b067-fa272bd22ee3", "displayName": "Traffic by Direction for Bytes_Out over Time", "chartDatasource": { - "dashboardQuery": "f8e1e208-0b86-4f91-a33b-e32f2721946c", + "dashboardQuery": "68d14960-d7c9-41aa-ab22-2787dc820797", "dataSources": [ "UDM" ] 
@@ -2160,14 +2090,14 @@
 "groupingType": "Grouped"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "fce333f9cb22179a6737c851e47a5ae5b95139326d83477016a41c0fc7ba4280",
+ "etag": "8a0ca59576facfc80c3661abe1628a72877da29d9aedc072b8a0108d8c156ec8",
 "drillDownConfig": {}
 },
 {
- "name": "2bfe0677-ed81-4d12-99fc-c1421dd8b498",
+ "name": "641aff8d-1227-45b1-bbc6-b76fe57a9957",
 "displayName": "Top 10 Destination IPs with Most Received Data",
 "chartDatasource": {
- "dashboardQuery": "b4276263-e2bf-44aa-a3c3-29dcc064b05f",
+ "dashboardQuery": "3e466230-8715-4378-a407-bd386650bcb7",
 "dataSources": [
 "UDM"
 ]
@@ -2201,14 +2131,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "fa018f77a29dce10a229ff9f9e4e0f31e519c70058da7abed1ee4218ea9c5596",
+ "etag": "ad499e1fda08f99ea8b9accedbd6eb278a3573db76c4e707af03633f15913015",
 "drillDownConfig": {}
 },
 {
- "name": "2631fb80-499b-4f97-9578-8eafc76ea23d",
+ "name": "1fae576c-a921-4084-8bd5-bd2305103c6d",
 "displayName": "Outbound Connections by Destination Country",
 "chartDatasource": {
- "dashboardQuery": "9546f570-b54c-4f38-9a98-7941daba0456",
+ "dashboardQuery": "68e93ee8-6989-492f-b879-0dbe31db823c",
 "dataSources": [
 "UDM"
 ]
@@ -2241,14 +2171,14 @@
 }
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "d1c92d52d8505b030e1f194b085373e13958ce93d7058103b2681206a6211257",
+ "etag": "96e658040ddbefe6e6a6e1074c39504f366b795d66de31980066f5966769f88a",
 "drillDownConfig": {}
 },
 {
- "name": "b87a4481-b100-4617-805e-72445b5a5c0c",
+ "name": "daab088d-f338-4ff8-a885-c1381384d63d",
 "displayName": "Unique Source IPs over Time",
 "chartDatasource": {
- "dashboardQuery": "c9ef2d39-14a4-4f38-a95b-83692c8595e0",
+ "dashboardQuery": "ed5f83d3-568d-4106-9de5-6fe730ace16e",
 "dataSources": [
 "UDM"
 ]
@@ -2290,14 +2220,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "0fa41d02853802a224d2a2e7621bbed10cbaf032f01d84ac6e0ab8e1ad424e43",
+ "etag": "6a178f42079a2ac4c14032b571d9d9fe5aa44b027198143bbd35c462487424e2",
 "drillDownConfig": {}
 },
 {
- "name": "b3b7da40-5c21-4284-9ced-51f56dfb2c4c",
+ "name": "a8483e46-636f-4222-928e-6d9b088ed0c9",
 "displayName": "Top 20 Largest Byte Transfers",
 "chartDatasource": {
- "dashboardQuery": "18b4c738-57a8-4082-9888-b46812faeb0d",
+ "dashboardQuery": "ca6410ab-d045-4730-8b01-fb6c713aeb08",
 "dataSources": [
 "UDM"
 ]
@@ -2335,11 +2265,11 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "2883ef45b4e69e57233765b24f41188a680f3d01ed7656b69591c05653619df3",
+ "etag": "a752af81f96f36e5f343010309522a8c283c105463819e8bdf4f470c85e8ecd4",
 "drillDownConfig": {}
 },
 {
- "name": "c178996e-b467-4fc7-9337-dd281df4634f",
+ "name": "86a02c01-2308-4013-ab3a-727a4b6f4a66",
 "displayName": "markdown",
 "visualization": {
 "markdown": {
@@ -2350,14 +2280,14 @@
 }
 },
 "tileType": "TILE_TYPE_MARKDOWN",
- "etag": "8d084bb431a369caa326ab8d92d6bdea6f6482dfc7c160a5f6efe1b6d2f098bc"
+ "etag": "ca09d45fbacf312a39e7812fef3fa66cb26362792f7b4d5c7c22ce669a09a663"
 },
 {
- "name": "4f71cabd-e4a6-4836-a8f2-8c9bd3db0976",
+ "name": "5dbb9dbe-d0f3-4897-8d96-6b80b175917d",
 "displayName": "Inbound Traffic by Security Group",
 "description": "External Source Inbound to Internal Responding Security Group",
 "chartDatasource": {
- "dashboardQuery": "fa16c5a2-2aa4-421b-9a18-828735c7ee4d",
+ "dashboardQuery": "74954cde-5538-438b-b9ea-5562d9a83abe",
 "dataSources": [
 "UDM"
 ]
@@ -2395,14 +2325,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "a819347069798d25327b0073ffa670d1acc15acc1ca8628e0860b7b992135aac",
+ "etag": "f497de5026a451c731784d72c462a4a3c209191a7496efefb1f8be481d447a61",
 "drillDownConfig": {}
 },
 {
- "name": "0da11e32-bc50-4819-9442-571b4c721784",
+ "name": "b78f2967-e4e1-4a61-8f1b-653c8f51eb99",
 "displayName": "Cloud Enrichment",
 "chartDatasource": {
- "dashboardQuery": "8c2d07a2-4752-41d9-b8c9-0e08fa6c8148",
+ "dashboardQuery": "be288019-6e32-4b50-89ed-27b4008b08a5",
 "dataSources": [
 "UDM"
 ]
@@ -2438,14 +2368,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "cab68632d1e9ebd2ed3e8550c4e127171231e9fe95f356de6cad45037b701b37",
+ "etag": "56bc3b6ec3617e085d0e495b4451bd8d359a1caa9eea307e96903fce9108ecf7",
 "drillDownConfig": {}
 },
 {
- "name": "3e8540a5-3ee8-4520-8f45-d371ef5c9cb3",
+ "name": "b43c9b26-6e0e-4c04-be1d-cabac973880d",
 "displayName": "Total Volume",
 "chartDatasource": {
- "dashboardQuery": "9303b481-647f-4334-87a7-d052a71bec4b",
+ "dashboardQuery": "a31f4bbc-2390-4664-863b-e798bc56ea15",
 "dataSources": [
 "UDM"
 ]
@@ -2481,14 +2411,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "dcad82befee303256b570d388e278591762003907cd5abf6aa88772ab8539e6e",
+ "etag": "76cc292971d5c2464078eb83b85a8b4f27bd779d04f58f325d60378587c81b64",
 "drillDownConfig": {}
 },
 {
- "name": "58532191-20db-4307-a42b-fb9601e1fffd",
+ "name": "3bae6bb0-196e-4b49-be81-4d701dc2b1db",
 "displayName": "Top 20 Protocol and Port Distribution",
 "chartDatasource": {
- "dashboardQuery": "84633e85-7cf7-4d28-af8a-9205ee10e1be",
+ "dashboardQuery": "1cb399d3-d826-46d7-b592-647a792684e4",
 "dataSources": [
 "UDM"
 ]
@@ -2570,15 +2500,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "46d54a0383334e804d1220b2449fc7cb75b6a135d983973cdc67cceeb03077f4",
+ "etag": "8de6291bc3a0ed0374cf10766058f9372dce5ed14284b2562d2549b87b3c5da5",
 "drillDownConfig": {}
 },
 {
- "name": "3d1a7f33-3438-4c8a-9099-a75aa07f31db",
+ "name": "e678b75f-4d1a-4277-9bfa-24fe40653ff1",
 "displayName": "Connections",
 "description": "Top Connections/Services by Bytes Transferred",
 "chartDatasource": {
- "dashboardQuery": "2955bfa6-5912-41c8-b242-59af87d33941",
+ "dashboardQuery": "acf8097d-e33d-44b5-ad40-bad4d662735c",
 "dataSources": [
 "UDM"
 ]
@@ -2648,14 +2578,70 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "20bdd95409aa7d58df32b600133467db51c8cadce78323937fef31841cb4f8b0",
- "drillDownConfig": {}
+ "etag": "482152e241c41779171c168d8eba392eeb9c1c7986c27662ca18c6e097dee35e",
+ "drillDownConfig": {
+ "leftDrillDowns": [
+ {
+ "id": "uid",
+ "displayName": "Run Search on UID",
+ "defaultSettings": {
+ "enabled": true
+ }
+ }
+ ],
+ "rightDrillDowns": [
+ {
+ "id": "F6A61BDB-A203-4B54-8E08-9E7255F748D1",
+ "displayName": "Filter Source IP",
+ "customSettings": {
+ "newTab": true,
+ "filter": {
+ "dashboardFilters": [
+ {
+ "dashboardFilterId": "6e6b3547-b76d-4445-91c0-08edc2978e37",
+ "filterOperatorAndValues": [
+ {
+ "filterOperator": "EQUAL",
+ "fieldValues": [
+ "${principal.ip}"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "703890E5-7263-4881-8D2E-8ED42778F4D7",
+ "displayName": "Filter Destination IP",
+ "customSettings": {
+ "newTab": true,
+ "filter": {
+ "dashboardFilters": [
+ {
+ "dashboardFilterId": "39a7d510-e328-4e65-bdce-6db0060cf742",
+ "filterOperatorAndValues": [
+ {
+ "filterOperator": "EQUAL",
+ "fieldValues": [
+ "${target.ip}"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
 },
 {
- "name": "f8af546e-0756-48ff-822f-bd45995ff2b3",
+ "name": "6cc8ce1d-7516-46ce-92c2-1c07c35e8175",
 "displayName": "Top Inbound Ports & Protocols",
 "chartDatasource": {
- "dashboardQuery": "657364d2-e19c-4363-95b7-0731e852ed34",
+ "dashboardQuery": "291c9d1b-5654-4aba-b974-7ac6ca486402",
 "dataSources": [
 "UDM"
 ]
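Review bot: The two right-hand drill-downs added to this tile's `drillDownConfig` reference `"dashboardFilterId": "6e6b3547-b76d-4445-91c0-08edc2978e37"` and `"dashboardFilterId": "39a7d510-e328-4e65-bdce-6db0060cf742"`, which presumably point at entries in the dashboard's top-level filters array outside this hunk; since this commit regenerates every other tile, query and dashboard id, confirm those two filter ids were regenerated to match, otherwise "Filter Source IP" and "Filter Destination IP" may target filters that no longer exist. On style, the drill-down `id` values `F6A61BDB-A203-4B54-8E08-9E7255F748D1` and `703890E5-7263-4881-8D2E-8ED42778F4D7` are uppercase while every other UUID in the file is lowercase; lowercase them for consistency with the rest of the document. The enclosing tile object starts before the hunk.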
@@ -2709,15 +2695,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "45887e02cc8be3d1ad70042dbbbba8ef41bbbdb9bd26bce1c1071831e825410e",
+ "etag": "b967cee6e8ded0ffe1aba5f8e8fa21f7e97035296e4eace3b5894675f095be99",
 "drillDownConfig": {}
 },
 {
- "name": "e760f074-e47a-4758-8b33-748876e665a3",
+ "name": "abcc4ec5-6c16-40a3-aae9-87b516ab9b2a",
 "displayName": "Outbound Traffic by EC2 Instance Names",
 "description": "Top 10 Total Bytes Sent",
 "chartDatasource": {
- "dashboardQuery": "b888717d-c418-4063-90e1-45a4552c3010",
+ "dashboardQuery": "ad30b00e-eec1-4659-b7f8-3aa983a4924a",
 "dataSources": [
 "UDM"
 ]
@@ -2759,14 +2745,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "408d37bd78c4bad7813b9f7fa4150fcb8f4be749b991a69125990f4ce98fea3d",
+ "etag": "b4b8af128b165f1a31a30efc0196da7186af149791390dc4156a111ca3299e2c",
 "drillDownConfig": {}
 },
 {
- "name": "94024995-85fe-433a-bebd-3f2d3733108b",
+ "name": "5a915634-d589-400b-8545-f0f4c4185892",
 "displayName": "Connections between Source IPs and Destination IPs",
 "chartDatasource": {
- "dashboardQuery": "bfa5dc64-0a0c-47a7-8afe-ae85782f9055",
+ "dashboardQuery": "710118b9-30f5-4c19-a371-410eec4911be",
 "dataSources": [
 "UDM"
 ]
@@ -2812,13 +2798,13 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "1945f7015a89ba3101684d1034a2e99a5f08494b981921e868a300c295877702",
+ "etag": "057efeb79b2b4b7582f99df2fe071038f73241d15e58acb3c17ce641f31cf5c5",
 "drillDownConfig": {}
 }
 ],
 "dashboardQueries": [
 {
- "name": "c9ef2d39-14a4-4f38-a95b-83692c8595e0",
+ "name": "ed5f83d3-568d-4106-9de5-6fe730ace16e",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count = count_distinct(principal.ip)\r\norder:\r\n $date_hour asc",
 "input": {
 "relativeTime": {
@@ -2826,10 +2812,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "569d6bd10b386bfe93a7c001687c1e965af2f0d313428b779c77a7261db51b30"
+ "etag": "af80262ef8a2ca59856283adde3a46080bdf5cf664a3936bea8e44b165798141"
 },
 {
- "name": "dd3b00d9-993e-4a30-a6e2-32d1667142f4",
+ "name": "9d5eb4d9-cc7d-4bd0-b93d-c9de5709adce",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n((principal.location.name!=\"\" OR principal.resource.product_object_id!=\"\" OR principal.resource.name!=\"\" OR principal.resource.attribute.labels.key = \"org_id\" OR\r\n principal.resource.attribute.labels.key = \"sg_id\" OR principal.resource.attribute.labels.key =\"subnet_id\" OR principal.resource.attribute.labels.key = \"vpc_id\" OR\r\n principal.resource.attribute.labels.key = \"profile\") OR\r\n (target.location.name!=\"\" OR target.resource.product_object_id!=\"\" OR target.resource.name!=\"\" OR target.resource.attribute.labels.key = \"org_id\" OR\r\n target.resource.attribute.labels.key = \"sg_id\" OR target.resource.attribute.labels.key =\"subnet_id\" OR target.resource.attribute.labels.key = \"vpc_id\" OR\r\n target.resource.attribute.labels.key = \"profile\"))\r\n\r\nmatch:\r\n principal.location.name, target.location.name\r\noutcome:\r\n $total_bytes_sent = math.round(sum(cast.as_float(principal.labels[\"orig_ip_bytes\"])/1073741824), 2)\r\n $count = count(network.session_id)\r\norder:\r\n $total_bytes_sent desc\r\nlimit:\r\n 20",
 "input": {
 "relativeTime": {
@@ -2837,10 +2823,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "6c34a0824f07ac05c5dee2b693fbe949e5839be6e7e3f2612d25a054a94be6cd"
+ "etag": "a850f00f1099f81b85587716b3953edf986f2e736e37eab411ca6f4e705e2e4a"
 },
 {
- "name": "59645b01-d19c-44e8-9450-339ebc8c0a49",
+ "name": "97199b1f-9949-47b9-bc03-843e632e9d0d",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n((principal.location.name!=\"\" OR principal.resource.product_object_id!=\"\" OR principal.resource.name!=\"\" OR principal.resource.attribute.labels.key = \"org_id\" OR\r\n principal.resource.attribute.labels.key = \"sg_id\" OR principal.resource.attribute.labels.key =\"subnet_id\" OR principal.resource.attribute.labels.key = \"vpc_id\" OR\r\n principal.resource.attribute.labels.key = \"profile\") OR\r\n (target.location.name!=\"\" OR target.resource.product_object_id!=\"\" OR target.resource.name!=\"\" OR target.resource.attribute.labels.key = \"org_id\" OR\r\n target.resource.attribute.labels.key = \"sg_id\" OR target.resource.attribute.labels.key =\"subnet_id\" OR target.resource.attribute.labels.key = \"vpc_id\" OR\r\n target.resource.attribute.labels.key = \"profile\"))\r\n\r\nmatch:\r\n principal.resource.attribute.labels[\"org_id\"]\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -2848,10 +2834,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "9caa5521b002b77c5d711c38f7d04133308e09ba65d23a1a6dd31367ce804e35"
+ "etag": "4dd4d9d3b141b6df766ea28b7f39603fbd0f2bd912da227714b283c0792a21ab"
 },
 {
- "name": "67588ccf-cc2e-4cce-b713-2fcd3e3d1bfb",
+ "name": "ace48bbc-4322-4270-890d-996518df1823",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nadditional.fields[\"direction\"] = \"outbound\"\r\nnetwork.session_duration.seconds > 0\r\n$bytes_out = math.round(cast.as_float(principal.labels[\"orig_ip_bytes\"])/1048576, 2)\r\n$duration = network.session_duration.seconds\r\n$src_ip = principal.ip\r\n\r\nmatch:\r\n $bytes_out, $duration, $src_ip\r\norder:\r\n $bytes_out asc\r\nlimit:\r\n 10000",
 "input": {
 "relativeTime": {
@@ -2859,10 +2845,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "377d692b2dfafec0815f9489d5e701647e012f7a64ce0496e4a88772361a5e82"
+ "etag": "c96a57078e646615086cebf00924b3c3bf1ab24b1e9be2182308a2101aceaadc"
 },
 {
- "name": "da91240d-2b0f-4bd8-9db3-83654b5be2fb",
+ "name": "9c2b219b-24ac-41c8-b9c2-6c53e9b4fc48",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"outbound\"\r\n\r\noutcome:\r\n $bytes_in = sum(cast.as_float(target.labels[\"resp_ip_bytes\"]))\r\n $bytes_out = sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]))\r\n $total_bytes = math.round(($bytes_in + $bytes_out)/1073741824, 2)",
 "input": {
 "relativeTime": {
@@ -2870,10 +2856,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "e7f8208aede3cd70eab4b3d726bb69352c79c338c0f74fa8c355b9a36e04ffdb"
+ "etag": "8985fa5953ea3bf5d5d9886c788ac8c0e4f806276f8b46d17ec336044360b226"
 },
 {
- "name": "2955bfa6-5912-41c8-b242-59af87d33941",
+ "name": "acf8097d-e33d-44b5-ad40-bad4d662735c",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] != \"\"\r\n$transport_port = strings.concat(if(network.ip_protocol = \"EIGRP\", \"EIGRP\", if(network.ip_protocol = \"ESP\", \"ESP\", if(network.ip_protocol = \"ETHERIP\", \"ETHERIP\",\r\n if(network.ip_protocol = \"GRE\", \"GRE\", if(network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`), \"ICMP6\", if(network.ip_protocol = \"ICMP\", \"ICMP\",\r\n if(network.ip_protocol = \"IGMP\", \"IGMP\", if(network.ip_protocol = \"IP6IN4\", \"IP6IN4\", if(network.ip_protocol = \"PIM\", \"PIM\", if(network.ip_protocol = \"SCTP\", \"SCTP\",\r\n if(network.ip_protocol = \"TCP\", \"TCP\", if(network.ip_protocol = \"UDP\", \"UDP\", if(network.ip_protocol = \"VRRP\", \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"\r\n ))))))))))))), \"/\", cast.as_string(target.port))\r\n\r\nmatch:\r\n principal.ip, target.ip, $transport_port\r\n\r\noutcome:\r\n $first_alert_time = timestamp.get_timestamp(min(metadata.event_timestamp.seconds), \"%Y-%m-%d %H:%M:%S\")\r\n $last_alert_time = timestamp.get_timestamp(max(metadata.event_timestamp.seconds), \"%Y-%m-%d %H:%M:%S\")\r\n $total_duration = sum(network.session_duration.seconds)\r\n $total_bytes_sent = math.round(sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]))/1073741824, 2)\r\n $total_bytes_recv = math.round(sum(cast.as_float(target.labels[\"resp_ip_bytes\"]))/1073741824, 2)\r\n $total_connections = count(network.session_id)\r\n $direction = 
array_distinct(additional.fields[\"direction\"])\r\n $vpc_id = array(about.resource.product_object_id)\r\n\r\norder:\r\n $total_connections desc",
 "input": {
 "relativeTime": {
@@ -2881,10 +2867,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "a4c50c62adbc727af567e251a2290bffc63f0ea0652a54915db4a437acaf4b18"
+ "etag": "1605c45fe6b59e2c8feb27fa7f730ebdab2c027240cc66ad6ba349cfe990ba88"
 },
 {
- "name": "420ebc98-fe67-4d0e-b01b-525728b13209",
+ "name": "2f3a8137-1e8c-4613-ab92-bcbf6aed442d",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$direction = additional.fields[\"direction\"]\r\n$direction != \"\"\r\n\r\nmatch:\r\n $direction\r\noutcome:\r\n $count = count(network.session_id)",
 "input": {
 "relativeTime": {
@@ -2892,10 +2878,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "c1ac8935f72466e849ff271fc4564849e0b0c94ca87041cdfce409e61860a324"
+ "etag": "41addcf84972b66bbc217ee7aefcb0c4f5a6721a7ddc98c1eb17170ce3d8f65f"
 },
 {
- "name": "3f86466e-d221-4179-a3d7-f14e77d4e17b",
+ "name": "78aca484-9a59-468c-8551-98d93e7fe7af",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $date_hour asc",
 "input": {
 "relativeTime": {
@@ -2903,10 +2889,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "1d3adbb294f6d5569fca743465439b39682036002d27b8eadcd27c28f99d4f8a"
+ "etag": "6d2d467c81c82249979651f0943d49436fd87bd177d9b91d0c814ffe9096ade5"
 },
 {
- "name": "164c4ed7-c4c7-4180-95a2-03f179f7d9ea",
+ "name": "e32f0c5b-7015-47bc-ba74-59e7557c1201",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nadditional.fields[\"direction\"] = \"outbound\"\r\n$country = target.location.country_or_region\r\n$country != \"\"\r\n\r\nmatch:\r\n $country\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
@@ -2914,10 +2900,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "1e6a1174bc2c64d81f48b72cfbf230508b596fb979cebcfdef7bb005c39cb128"
+ "etag": "e35efef34fe4a801c469b5023479e80086e8947c3cd2d4cebe6bddd57b60a8e8"
 },
 {
- "name": "84633e85-7cf7-4d28-af8a-9205ee10e1be",
+ "name": "1cb399d3-d826-46d7-b592-647a792684e4",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$transport_port = strings.concat(if(network.ip_protocol = \"EIGRP\", \"EIGRP\", if(network.ip_protocol = \"ESP\", \"ESP\", if(network.ip_protocol = \"ETHERIP\", \"ETHERIP\",\r\n if(network.ip_protocol = \"GRE\", \"GRE\", if(network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`), \"ICMP6\", if(network.ip_protocol = \"ICMP\", \"ICMP\",\r\n if(network.ip_protocol = \"IGMP\", \"IGMP\", if(network.ip_protocol = \"IP6IN4\", \"IP6IN4\", if(network.ip_protocol = \"PIM\", \"PIM\", if(network.ip_protocol = \"SCTP\", \"SCTP\",\r\n if(network.ip_protocol = \"TCP\", \"TCP\", if(network.ip_protocol = \"UDP\", \"UDP\", if(network.ip_protocol = \"VRRP\", \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"\r\n ))))))))))))), \"/\", cast.as_string(target.port))\r\n\r\nmatch:\r\n $transport_port\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 20",
 "input": {
 "relativeTime": {
@@ -2925,10 +2911,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "796633215e7df5340b6cda63fa8900ed9193e88cfc73194ab6d2cf362617e561"
+ "etag": "95a4a35f489a41b98c94f646c5d9d28f95c8c0a571b9744d0ce6e5ec44b82d67"
 },
 {
- "name": "f8e1e208-0b86-4f91-a33b-e32f2721946c",
+ "name": "68d14960-d7c9-41aa-ab22-2787dc820797",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$date_hour = timestamp.get_date(metadata.event_timestamp.seconds)\r\n$direction = additional.fields[\"direction\"]\r\n$direction != \"\"\r\n$direction != \"unknown\"\r\n\r\nmatch:\r\n $date_hour, $direction\r\noutcome:\r\n $bytes_out = math.round(sum(cast.as_float(principal.labels[\"orig_ip_bytes\"])/1073741824), 2)",
 "input": {
 "relativeTime": {
@@ -2936,10 +2922,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "fc123e8524c759d7610ff32c119c393746907e25078b340d62835ca1ce7105a0"
+ "etag": "580ffb1abb14b91c3b4900e4548150926c5ee94fbed2f605393cd81f65401281"
 },
 {
- "name": "743b6312-1766-4d62-ba1a-4edadd20f01e",
+ "name": "ab43c120-7e6c-4236-9c84-a5902c870b9f",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"inbound\"\r\n\r\noutcome:\r\n $bytes_in = sum(cast.as_float(target.labels[\"resp_ip_bytes\"]))\r\n $bytes_out = sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]))\r\n $total_bytes = math.round(($bytes_in + $bytes_out)/1073741824, 2)",
 "input": {
 "relativeTime": {
@@ -2947,10 +2933,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "b42687b42df906c3ba646d1a4252460d6496da87ff635d9652411438eb0a375b"
+ "etag": "5fd7b0999f56ee01a82e314cfdb7f84f818b0e6c03a4f8ccf5831468f034a34d"
 },
 {
- "name": "50e352f6-1a86-4672-9d5f-d59d18a60517",
+ "name": "2db3ed96-ac5a-4b38-8a8d-dd9c631317e8",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count = count_distinct(target.ip)\r\norder:\r\n $date_hour asc",
 "input": {
 "relativeTime": {
@@ -2958,10 +2944,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "930976d40c60eef83fd376e12acc603eacc8b85bd56ad1e8e6f8f2badb183620"
+ "etag": "6350f6a2dccffb228db8c398c56b52413fc141fca1779c5968fe9eebf8a7b92f"
 },
 {
- "name": "0f74add2-6cf5-4793-ad20-7bc86642e433",
+ "name": "812022e6-625b-4075-93f8-00339e384025",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\noutcome:\r\n $count = count_distinct(principal.ip)",
 "input": {
 "relativeTime": {
@@ -2969,10 +2955,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "d502f9235b0452c80e226e858b3f13dd80516544c720355a6ed2972c7dd6d285"
+ "etag": "418b198e42d6d85d795ef8ec972e8b6db3e128928dd72a9f4d0167e121858b63"
 },
 {
- "name": "65f564e3-fe3b-482d-9a14-0f195a4885c3",
+ "name": "0b6af4c3-7c1f-417e-8696-10c16a0bc1fd",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nadditional.fields[\"direction\"] = \"inbound\"\r\n$country = principal.location.country_or_region\r\n$country != \"\"\r\n\r\nmatch:\r\n $country\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
@@ -2980,10 +2966,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "30a57b803e015cd1cafd56e3444b9ab256f0a0fca1f2420fcb57097fe06dd64a"
+ "etag": "04eff166280356ab445eff6ade2196f903c99e90458658c43b53793056751a3b"
 },
 {
- "name": "b4276263-e2bf-44aa-a3c3-29dcc064b05f",
+ "name": "3e466230-8715-4378-a407-bd386650bcb7",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\nmatch:\r\n target.ip\r\noutcome:\r\n $count = math.round(sum(cast.as_float(target.labels[\"resp_ip_bytes\"]))/1073741824, 2)\r\norder:\r\n $count desc\r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -2991,10 +2977,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "43948b9ca58fbc9a704b751b58abf52c5d7f3a39651569ace7ff722b9072dc57"
+ "etag": "0c8b3be853c2ebb16ba2879c7fc123fb5d1320407d0e5558d017649febd73613"
 },
 {
- "name": "75a3aeee-3454-421c-a2c4-61f0fc19da06",
+ "name": "3518005e-286f-4ca8-bb55-fcb9ef515174",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\nmatch:\r\n about.resource.product_object_id\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
@@ -3002,10 +2988,10 @@
 "startTimeVal": "60"
 }
 },
- "etag": "35e56c37b9dd008afa6a5a3e135f099b00c6b7c9d51b680baf78f88e44440ada"
+ "etag": "408c5d297695b76b196197c2320c707517b0ee4a84a2d91be874b3732bc62156"
 },
 {
- "name": "18b4c738-57a8-4082-9888-b46812faeb0d",
+ "name": "ca6410ab-d045-4730-8b01-fb6c713aeb08",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\nmatch:\r\n principal.ip, target.port\r\noutcome:\r\n $volume = math.round((sum(cast.as_float(target.labels[\"resp_ip_bytes\"])) + sum(cast.as_float(principal.labels[\"orig_ip_bytes\"])))/1073741824, 2)\r\norder:\r\n $volume desc\r\nlimit:\r\n 20",
 "input": {
 "relativeTime": {
@@ -3013,10 +2999,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "4679640a14c839a9978294116b7992c445e5c6e3e1d7bbc58a8956157a91e01d"
+ "etag": "7a3761d499d76816a3a7a0b61dc7b56a5ce59548e12bda09ce395ea8c81780d2"
 },
 {
- "name": "9303b481-647f-4334-87a7-d052a71bec4b",
+ "name": "a31f4bbc-2390-4664-863b-e798bc56ea15",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\noutcome:\r\n $bytes_in = sum(cast.as_float(target.labels[\"resp_ip_bytes\"]))\r\n $bytes_out = sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]))\r\n $total_bytes = math.round(($bytes_in + $bytes_out)/1073741824, 2)",
 "input": {
 "relativeTime": {
@@ -3024,10 +3010,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "2895ab6b0b519cb27b3e83910080fa6e45451078b15fb3d672763c75a41f6e77"
+ "etag": "b73d5581ae714e8f85a8805f64bc8103e6868712e1c14099d332e38b939c24d0"
 },
 {
- "name": "6d1c2f8e-b783-4efc-b1b8-5879479215a3",
+ "name": "01f6e1e6-0c51-4932-bb8b-6a9fef64cc77",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\noutcome:\r\n $count = count(network.session_id)",
 "input": {
 "relativeTime": {
@@ -3035,10 +3021,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "fd502e90b83f44c2da9775f34d2de7ef0e7095163ebf06461e49ff4f13773a16"
+ "etag": "20febf01a37a6f97b955b7bedd4a8d33199b48ecf58a020feddd34134a79ad59"
 },
 {
- "name": "c8747a03-559c-4e76-b95e-4c14f3f7595b",
+ "name": "c04a733f-b25e-4f50-ba4a-bd4a8bc8bd93",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$date_hour = timestamp.get_date(metadata.event_timestamp.seconds)\r\n$direction = additional.fields[\"direction\"]\r\n$direction != \"\"\r\n$direction != \"unknown\"\r\n\r\nmatch:\r\n $date_hour, $direction\r\noutcome:\r\n $bytes_in = math.round(sum(cast.as_float(target.labels[\"resp_ip_bytes\"])/1073741824), 2)",
 "input": {
 "relativeTime": {
@@ -3046,10 +3032,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "0b9027166288cb6b92cc2e0659be671ffc83e4396ff42c78697b99661031cbfd"
+ "etag": "5535a3e695ba6690140f2b60adf9a1df37cac5b24b4c084ae4a51a09fed43898"
 },
 {
- "name": "d799a8e1-d753-45d1-8c63-9fb6fbc54140",
+ "name": "54a78693-b86d-4561-9d66-e4c93f56fc70",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type != \"conn\"\r\nmetadata.product_event_type != \"conn_red\"\r\nmetadata.product_event_type != \"conn_long\"\r\nmetadata.product_event_type != \"conn_agg\"\r\n\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 20",
 "input": {
 "relativeTime": {
@@ -3057,10 +3043,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "31ff148266ee649740a3750badab3b0682c8eff563da151cb0ca83518a44c456"
+ "etag": "414d2dd2e970a386dcb6ad981af8740d6843788f1e1ac86ceeaf7bceb18198d2"
 },
 {
- "name": "faf3f1bf-467a-4eb0-becc-a8cdf0505b6d",
+ "name": "4dbce465-9f9e-4ec0-85ba-9839f6040412",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nadditional.fields[\"direction\"] = \"inbound\"\r\nprincipal.ip_geo_artifact.location.country_or_region != \"\"\r\n\r\n$latitude = principal.ip_geo_artifact.location.region_coordinates.latitude\r\n$longitude = principal.ip_geo_artifact.location.region_coordinates.longitude\r\n$latitude != 0\r\n$longitude != 0\r\n\r\nmatch:\r\n $latitude, $longitude\r\noutcome:\r\n $count = count(network.session_id)",
 "input": {
 "relativeTime": {
@@ -3068,10 +3054,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "65a280f977aa321dde171944e9da738090cae8f0f6e7eef1c3eba7e6f53d8608"
+ "etag": "7016fa3b12cea0c467ca2a847d3859c030963ed01c840067393d9ed15bb44eeb"
 },
 {
- "name": "75b019a3-84f4-4d91-a765-d7ad1bf677a4",
+ "name": "ea1357de-3b5f-4cbc-bdb8-abecff32091c",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count = math.round(sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]))/1073741824, 2)\r\norder:\r\n $count desc\r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -3079,10 +3065,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "6a69e14a69f4e326fdf0b12e6d89c6c30793d5856104feff3fe2a8e52976f174"
+ "etag": "1762ce525b56409f67413752bbbb21bfd95c54e3992a75baf31e320790d74ce0"
 },
 {
- "name": "ae28cb8e-ab5b-4174-9890-2f824a0c6481",
+ "name": "02e5ad37-681d-4def-8115-40d9114ad19c",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"outbound\"\r\n$transport_port = strings.concat(if(network.ip_protocol = \"EIGRP\", \"EIGRP\", if(network.ip_protocol = \"ESP\", \"ESP\", if(network.ip_protocol = \"ETHERIP\", \"ETHERIP\",\r\n if(network.ip_protocol = \"GRE\", \"GRE\", if(network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`), \"ICMP6\", if(network.ip_protocol = \"ICMP\", \"ICMP\",\r\n if(network.ip_protocol = \"IGMP\", \"IGMP\", if(network.ip_protocol = \"IP6IN4\", \"IP6IN4\", if(network.ip_protocol = \"PIM\", \"PIM\", if(network.ip_protocol = \"SCTP\", \"SCTP\",\r\n if(network.ip_protocol = \"TCP\", \"TCP\", if(network.ip_protocol = \"UDP\", \"UDP\", if(network.ip_protocol = \"VRRP\", \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"\r\n ))))))))))))), \"/\", cast.as_string(target.port))\r\n\r\nmatch:\r\n $transport_port\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -3090,10 +3076,10 @@ "startTimeVal": "1" } }, - "etag": "a8e3af712b2528d3f7338d63d5530bd5c94202051a00bd8eb001798238b2e43c" + "etag": "2caa27b64902388513b92c7804c4dfcf8ee770bd68375eebb11700ebc65657c4" }, { - "name": "fa16c5a2-2aa4-421b-9a18-828735c7ee4d", + "name": "74954cde-5538-438b-b9ea-5562d9a83abe", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"inbound\"\r\ntarget.resource.attribute.labels[\"sg_id\"] != \"\"\r\n\r\n((principal.location.name!=\"\" OR principal.resource.product_object_id!=\"\" OR principal.resource.name!=\"\" OR principal.resource.attribute.labels.key = \"org_id\" OR\r\n principal.resource.attribute.labels.key = \"sg_id\" OR principal.resource.attribute.labels.key =\"subnet_id\" OR principal.resource.attribute.labels.key = \"vpc_id\" OR\r\n principal.resource.attribute.labels.key = \"profile\") OR\r\n (target.location.name!=\"\" OR target.resource.product_object_id!=\"\" OR target.resource.name!=\"\" OR target.resource.attribute.labels.key = \"org_id\" OR\r\n target.resource.attribute.labels.key = \"sg_id\" OR target.resource.attribute.labels.key =\"subnet_id\" OR target.resource.attribute.labels.key = \"vpc_id\" OR\r\n target.resource.attribute.labels.key = \"profile\"))\r\n\r\nmatch:\r\n target.resource.attribute.labels[\"sg_id\"], target.port\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc", "input": { "relativeTime": { 
@@ -3101,10 +3087,10 @@ "startTimeVal": "1" } }, - "etag": "d3aefc99e7210ed5c84749d0634f1e9be44a52a44e728b7009c683cc91b24f53" + "etag": "e61c1b3160526fb141e01b42db2f2199920a17780b7e9606e671e71088680f1a" }, { - "name": "8c2d07a2-4752-41d9-b8c9-0e08fa6c8148", + "name": "be288019-6e32-4b50-89ed-27b4008b08a5", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\n((principal.location.name!=\"\" OR principal.resource.product_object_id!=\"\" OR principal.resource.name!=\"\" OR principal.resource.attribute.labels.key = \"org_id\" OR\r\n principal.resource.attribute.labels.key = \"sg_id\" OR principal.resource.attribute.labels.key =\"subnet_id\" OR principal.resource.attribute.labels.key = \"vpc_id\" OR\r\n principal.resource.attribute.labels.key = \"profile\") OR\r\n (target.location.name!=\"\" OR target.resource.product_object_id!=\"\" OR target.resource.name!=\"\" OR target.resource.attribute.labels.key = \"org_id\" OR\r\n target.resource.attribute.labels.key = \"sg_id\" OR target.resource.attribute.labels.key =\"subnet_id\" OR target.resource.attribute.labels.key = \"vpc_id\" OR\r\n target.resource.attribute.labels.key = \"profile\"))\r\n \r\noutcome:\r\n $count = count(network.session_id)\r\n $output = if($count>0, \"Enriched Conn Logs are Present\", \"Enriched Conn Logs are not Present\")", "input": { "relativeTime": { 
@@ -3112,10 +3098,10 @@ "startTimeVal": "1" } }, - "etag": "4353f1360449af492300a1a30e705b0730239614455ebc9785e3cde90f01881e" + "etag": "3f3e3792d6b2588ff7c74c4884196324196ea495888be548d03a1630f1ec68e5" }, { - "name": "589df87c-f85e-4328-ab7f-9abd73136b21", + "name": "97f5e3cf-3a94-4be5-b610-67b08b010b6f", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n\r\noutcome:\r\n $count = count_distinct(target.ip)", "input": { "relativeTime": { 
@@ -3123,10 +3109,10 @@ "startTimeVal": "1" } }, - "etag": "1aa67976600b6120cf9323d0bbe8056b1108e79c7533c69846f12b1a80b2fd80" + "etag": "0bfad0cb6e67f15c5e5414f51736cf04792cae24a8599539d05f9f0164181bd9" }, { - "name": "657364d2-e19c-4363-95b7-0731e852ed34", + "name": "291c9d1b-5654-4aba-b974-7ac6ca486402", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"inbound\"\r\n$transport_port = strings.concat(if(network.ip_protocol = \"EIGRP\", \"EIGRP\", if(network.ip_protocol = \"ESP\", \"ESP\", if(network.ip_protocol = \"ETHERIP\", \"ETHERIP\",\r\n if(network.ip_protocol = \"GRE\", \"GRE\", if(network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`), \"ICMP6\", if(network.ip_protocol = \"ICMP\", \"ICMP\",\r\n if(network.ip_protocol = \"IGMP\", \"IGMP\", if(network.ip_protocol = \"IP6IN4\", \"IP6IN4\", if(network.ip_protocol = \"PIM\", \"PIM\", if(network.ip_protocol = \"SCTP\", \"SCTP\",\r\n if(network.ip_protocol = \"TCP\", \"TCP\", if(network.ip_protocol = \"UDP\", \"UDP\", if(network.ip_protocol = \"VRRP\", \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"\r\n ))))))))))))), \"/\", cast.as_string(target.port))\r\n\r\nmatch:\r\n $transport_port\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 10", "input": { "relativeTime": { 
@@ -3134,10 +3120,10 @@ "startTimeVal": "1" } }, - "etag": "4c5d632f11f92914b6d630627a3bc9e01a1fd935d9ed6819627b45fe82f5db9d" + "etag": "db5c03ccedad5eaecbf6a78d1f9e68be2b0e0763a7e38f5de5e8553def5d9911" }, { - "name": "b888717d-c418-4063-90e1-45a4552c3010", + "name": "ad30b00e-eec1-4659-b7f8-3aa983a4924a", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\nadditional.fields[\"direction\"] = \"outbound\"\r\n\r\n((principal.location.name!=\"\" OR principal.resource.product_object_id!=\"\" OR principal.resource.name!=\"\" OR principal.resource.attribute.labels.key = \"org_id\" OR\r\n principal.resource.attribute.labels.key = \"sg_id\" OR principal.resource.attribute.labels.key =\"subnet_id\" OR principal.resource.attribute.labels.key = \"vpc_id\" OR\r\n principal.resource.attribute.labels.key = \"profile\") OR\r\n (target.location.name!=\"\" OR target.resource.product_object_id!=\"\" OR target.resource.name!=\"\" OR target.resource.attribute.labels.key = \"org_id\" OR\r\n target.resource.attribute.labels.key = \"sg_id\" OR target.resource.attribute.labels.key =\"subnet_id\" OR target.resource.attribute.labels.key = \"vpc_id\" OR\r\n target.resource.attribute.labels.key = \"profile\"))\r\n \r\nmatch:\r\n principal.resource.name, principal.ip, target.ip\r\noutcome:\r\n $bytes_out = math.round(sum(cast.as_float(principal.labels[\"orig_ip_bytes\"])/1073741824), 2)\r\norder:\r\n $bytes_out desc", "input": { "relativeTime": { 
@@ -3145,10 +3131,10 @@ "startTimeVal": "1" } }, - "etag": "df16aa254e2f1f9c12d7d10e0ad2387a0dd50f3618a9612a9de337bec89c958a" + "etag": "43ac5cb7f777ebf15a3be4daf07c00119a5dfbfec4bf8c16a204c808eded404c" }, { - "name": "9546f570-b54c-4f38-9a98-7941daba0456", + "name": "68e93ee8-6989-492f-b879-0dbe31db823c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nadditional.fields[\"direction\"] = \"outbound\"\r\ntarget.ip_geo_artifact.location.country_or_region != \"\"\r\n\r\n$latitude = target.ip_geo_artifact.location.region_coordinates.latitude\r\n$longitude = target.ip_geo_artifact.location.region_coordinates.longitude\r\n$latitude != 0\r\n$longitude != 0\r\n\r\nmatch:\r\n $latitude, $longitude\r\noutcome:\r\n $count = count(network.session_id)", "input": { "relativeTime": { @@ -3156,10 +3142,10 @@ "startTimeVal": "1" } }, - "etag": "de80b05e49bc3874d925f85b7b565d66823445a78584cf52d71ecc2a1570c3bd" + "etag": "61198c3b97cc2979a9ff4beed4dd2225fe757d6fbb0228b34a4d796ead9e11d1" }, { - "name": "bfa5dc64-0a0c-47a7-8afe-ae85782f9055", + "name": "710118b9-30f5-4c19-a371-410eec4911be", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\"\r\nabout.resource.attribute.labels[\"capture_source\"] = \"vpcflow\"\r\nnetwork.ip_protocol != \"ICMP\" OR (network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`))\r\n$transport = if(network.ip_protocol = \"ICMP\" AND re.regex(principal.ip, `.*:.*`), \"ICMP6\", network.ip_protocol)\r\n\r\nmatch:\r\n principal.ip, $transport, target.port, target.ip\r\noutcome:\r\n $count = count(network.session_id)\r\norder:\r\n $count desc\r\nlimit:\r\n 20", "input": { "relativeTime": { @@ -3167,7 +3153,7 @@ "startTimeVal": "1" } }, - "etag": "4021b45856069924047e7283ff3ae7fbdb9029968ea515619d76bbf813d62b25" + "etag": "8d9a6f731b0b1e1fbe1cc5c6ff5949ec399c1beea0017c7725e7357fb7978d05" } ] } 
diff --git a/dashboards/Data Explorer/Connections.json b/dashboards/Data Explorer/Connections.json index 86c9ea0..08e7369 100644 --- a/dashboards/Data Explorer/Connections.json +++ b/dashboards/Data Explorer/Connections.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "133c40d8-f3cc-4fcc-868c-3a3d254545a7", + "name": "6bf274a5-88eb-4b3f-8cfa-433bbde71d0d", "displayName": "Corelight → Data Explorer → Connections", "definition": { "filters": [ @@ -20,13 +20,13 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "496a7765-732c-4258-8c9b-0c76638fd048", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true @@ -45,13 +45,13 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "496a7765-732c-4258-8c9b-0c76638fd048", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ] }, { 
@@ -68,13 +68,13 @@ ], "displayName": "Source IP", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "496a7765-732c-4258-8c9b-0c76638fd048", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ] }, { @@ -91,13 +91,13 @@ ], "displayName": "Source Port", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "496a7765-732c-4258-8c9b-0c76638fd048", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ] }, { @@ -114,13 +114,13 @@ ], "displayName": "Destination IP", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "496a7765-732c-4258-8c9b-0c76638fd048", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ] }, { 
@@ -137,19 +137,19 @@ ], "displayName": "Destination Port", "chartIds": [ - "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", - "99de37d8-3b97-4dde-87df-9bb883ec28bd", - "496a7765-732c-4258-8c9b-0c76638fd048", - "689d67ef-7ab2-43bf-8bba-54fc8956c42b", - "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", - "2252573e-1b2b-425c-b2d5-5fc9be17ff29", - "6e3026d2-bef9-41c0-8814-de77d0966ae0" + "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", + "6b8ed618-a4da-4995-b33a-c48dda296113", + "a9ce5023-9637-4056-ab3f-51124ade1f7c", + "ba8d8144-322e-495f-a8f3-528f7553de21", + "6331cd40-8dd5-4e90-b204-bb6034c7c19b", + "5b2bc67e-109b-4f82-8238-e4436fbed57b", + "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781" ] } ], "charts": [ { - "dashboardChart": "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", + "dashboardChart": "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", "chartLayout": { "startX": 0, "spanX": 48, @@ -166,7 +166,7 @@ ] }, { - "dashboardChart": "6e3026d2-bef9-41c0-8814-de77d0966ae0", + "dashboardChart": "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781", "chartLayout": { "startX": 48, "spanX": 48, @@ -183,7 +183,7 @@ ] }, { - "dashboardChart": "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", + "dashboardChart": "6331cd40-8dd5-4e90-b204-bb6034c7c19b", "chartLayout": { "startX": 0, "spanX": 48, @@ -200,7 +200,7 @@ ] }, { - "dashboardChart": "99de37d8-3b97-4dde-87df-9bb883ec28bd", + "dashboardChart": "6b8ed618-a4da-4995-b33a-c48dda296113", "chartLayout": { "startX": 48, "spanX": 48, @@ -217,7 +217,7 @@ ] }, { - "dashboardChart": "2252573e-1b2b-425c-b2d5-5fc9be17ff29", + "dashboardChart": "5b2bc67e-109b-4f82-8238-e4436fbed57b", "chartLayout": { "startX": 0, "spanX": 48, @@ -234,7 +234,7 @@ ] }, { - "dashboardChart": "496a7765-732c-4258-8c9b-0c76638fd048", + "dashboardChart": "a9ce5023-9637-4056-ab3f-51124ade1f7c", "chartLayout": { "startX": 48, "spanX": 48, @@ -251,7 +251,7 @@ ] }, { - "dashboardChart": "689d67ef-7ab2-43bf-8bba-54fc8956c42b", + "dashboardChart": "ba8d8144-322e-495f-a8f3-528f7553de21", "chartLayout": { "startX": 0, "spanX": 96, 
@@ -270,15 +270,15 @@ ] }, "type": "CUSTOM", - "etag": "f1ce31b9e327e91120005d0ceca3ab62c30a42af52cf99221a4325fd94b5d7c5", + "etag": "e1c60f0990359dd0234769c8de72f767c882b2bf51025a65836466b8c7d391a3", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "2252573e-1b2b-425c-b2d5-5fc9be17ff29", + "name": "5b2bc67e-109b-4f82-8238-e4436fbed57b", "displayName": "Top Outbound Data Flow by Originator (id_orig_h) Bytes", "chartDatasource": { - "dashboardQuery": "94f9c647-75a9-4f6f-b258-7394b553cdb6", + "dashboardQuery": "71c3f189-1d94-4e04-9c6a-140381611202", "dataSources": [ "UDM" ] @@ -328,13 +328,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "aaf258c5c0fd5ef65a5fbe9b55e98e8a0b91a7bbd5e76159b627c940428dc6ee" + "etag": "3d0d48a498fa088b0248e39a4e4aed2c452fb5ec2ac606f3adc5b41b7bf885a3", + "drillDownConfig": {} }, { - "name": "689d67ef-7ab2-43bf-8bba-54fc8956c42b", + "name": "ba8d8144-322e-495f-a8f3-528f7553de21", "displayName": "Open/Active Long Lived Connections (requires Long Connections Pkg)", "chartDatasource": { - "dashboardQuery": "8d5eb403-a6c2-4572-8ef4-8ae9a73f7e2e", + "dashboardQuery": "3c53d951-1bf2-4268-8978-f9167cf61d47", "dataSources": [ "UDM" ] @@ -380,7 +381,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "39b9da852f66d64d422e52b449ea7952b111127e7d621ad441979b95c035d85d", + "etag": "78f029c4e1fec65271d2e9ec751afa53ffe630b596a3c13383e8b3c011352711", "drillDownConfig": { "leftDrillDowns": [ { @@ -394,10 +395,10 @@ } }, { - "name": "d3b5b746-6be9-40ab-a5ec-31fbe7e1dbf5", + "name": "6331cd40-8dd5-4e90-b204-bb6034c7c19b", "displayName": "Top Originators by (sources) by # of connections", "chartDatasource": { - "dashboardQuery": "afbe82f0-140d-43de-8d7f-620a4ee5f54e", + "dashboardQuery": "a7e16f57-7856-4a42-8805-b4830dd4c4bd", "dataSources": [ "UDM" ] 
@@ -410,119 +411,23 @@ "value": "count", "itemName": "principal.ip" }, - "dataLabel": {}, + "dataLabel": { + "show": true + }, "radius": [ "0%", "70%" ], "itemStyle": { - "color": "undefined" + "color": "b=>{const {map:c}=LJf(this.theme);b=GLf(b,kKf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" }, "itemColors": { "colors": [ { - "key": "96.35.155.226", - "value": { - "color": "#1a73e8", - "label": "96.35.155.226" - } - }, - { - "key": "192.168.12.10", - "value": { - "color": "#eb730a", - "label": "192.168.12.10" - } - }, - { - "key": "192.168.12.223", - "value": { - "color": "#10a3b7", - "label": "192.168.12.223" - } - }, - { - "key": "192.168.12.9", - "value": { - "color": "#d15f6b", - "label": "192.168.12.9" - } - }, - { - "key": "192.168.12.212", - "value": { - "color": "#e51f8f", - "label": "192.168.12.212" - } - }, - { - "key": "192.168.10.175", - "value": { - "color": "#923ef9", - "label": "192.168.10.175" - } - }, - { - "key": "192.168.12.220", - "value": { - "color": "#4aa207", - "label": "192.168.12.220" - } - }, - { - "key": "192.168.12.16", - "value": { - "color": "#5350fb", - "label": "192.168.12.16" - } - }, - { - "key": "192.168.12.170", - "value": { - "color": "#009886", - "label": "192.168.12.170" - } - }, - { - "key": "192.168.10.177", + "key": "1.1.1.1", "value": { "color": "#1a73e8", - "label": "192.168.10.177" - } - }, - { - "key": "10.0.2.243", - "value": { - "color": "#eb730a", - "label": "10.0.2.243" - } - }, - { - "key": "192.168.10.161", - "value": { - "color": "#10a3b7", - "label": "192.168.10.161" - } - }, - { - "key": "192.168.13.9", - "value": { - "color": "#d15f6b", - "label": "192.168.13.9" - } - }, - { - "key": "10.0.2.103", - "value": { - "color": "#e51f8f", - "label": "10.0.2.103" - } - }, - { - "key": "192.168.10.5", - "value": { - "color": "#923ef9", - "label": "192.168.10.5" + "label": "1.1.1.1" } } ] 
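Review bot: The new `itemStyle.color` value in this hunk is not a color but the source text of a minified JavaScript closure (`b=>{const {map:c}=LJf(this.theme);…}`), which looks like a function object serialized out of the dashboard editor's bundle; the old `"undefined"` was not a usable value either, so neither side of this change is valid. A committed dashboard definition should not carry executable source in a style field, whether or not the importer ever evaluates it — replace it with a literal such as `"color": "#1a73e8"` or drop the `itemStyle` key. Separately, the placeholder `"key": "1.1.1.1"` substituted for the scrubbed private (192.168.x.x, 10.0.x.x) and public addresses is itself a live, globally routed address; if a placeholder is needed use an RFC 5737 documentation address such as `192.0.2.1`, or empty the `colors` list so the export does not pin colors to environment-specific hosts at all (assuming the importer accepts an empty list). Scrubbing the working tree is the right direction, but the removed addresses remain recoverable from repository history unless it is rewritten.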
@@ -547,13 +452,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "98dec6e4fdc1023eabce0ceb202d174059ccaf28eb6ba04db6293eac8f7b266b" + "etag": "b5a6c6e4d51af4643c8e96c17b206b4f24c603a055e05967d29de70004c93cb0", + "drillDownConfig": {} }, { - "name": "5c7a4b72-e2bc-49b4-b141-f9241007cc1a", + "name": "49ec5d17-5d8e-418c-bcc8-2668cc4107e9", "displayName": "Top Services", "chartDatasource": { - "dashboardQuery": "3b2824a5-b6c1-4bbb-a61c-172f4acb3da1", + "dashboardQuery": "590fd057-2241-4bc1-8366-221512fab8b2", "dataSources": [ "UDM" ] 
@@ -566,119 +472,51 @@ "value": "count", "itemName": "service" }, - "dataLabel": {}, + "dataLabel": { + "show": true + }, "radius": [ "0%", "70%" ], "itemStyle": { - "color": "undefined" + "color": "b=>{const {map:c}=iIf(this.theme);b=pJf(b,IIf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" }, "itemColors": { "colors": [ { "key": "dns", "value": { - "color": "#1a73e8", + "color": "#10a3b7", "label": "dns" } }, - { - "key": "ssl", - "value": { - "color": "#eb730a", - "label": "ssl" - } - }, { "key": "ntp", - "value": { - "color": "#10a3b7", - "label": "ntp" - } - }, - { - "key": "http", - "value": { - "color": "#d15f6b", - "label": "http" - } - }, - { - "key": "quic", - "value": { - "color": "#e51f8f", - "label": "quic" - } - }, - { - "key": "mysql", - "value": { - "color": "#923ef9", - "label": "mysql" - } - }, - { - "key": "xmpp,ssl", - "value": { - "color": "#4aa207", - "label": "xmpp,ssl" - } - }, - { - "key": "vxlan", - "value": { - "color": "#5350fb", - "label": "vxlan" - } - }, - { - "key": "spicy_ssdp", - "value": { - "color": "#009886", - "label": "spicy_ssdp" - } - }, - { - "key": "ssl,xmpp", "value": { "color": "#1a73e8", - "label": "ssl,xmpp" + "label": "ntp" } }, { - "key": "quic,ssl", + "key": "ssl", "value": { "color": "#eb730a", - "label": "quic,ssl" - } - }, - { - "key": "ssl,quic", - "value": { - "color": "#10a3b7", - "label": "ssl,quic" + "label": "ssl" } }, { - "key": "dce_rpc", + "key": "spicy_stun", "value": { - "color": "#d15f6b", - "label": "dce_rpc" + "color": "#ec453b", + "label": "spicy_stun" } }, { - "key": "krb_tcp", + "key": "http", "value": { "color": "#e51f8f", - "label": "krb_tcp" - } - }, - { - "key": "dnp3_tcp", - "value": { - "color": "#923ef9", - "label": "dnp3_tcp" + "label": "http" } } ] 
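Review bot: The `itemStyle.color` value added in this hunk is a stringified minified JavaScript function (`b=>{const {map:c}=iIf(this.theme);…}`) rather than a color; the minified identifiers here (`iIf`/`pJf`/`IIf`) differ from those in the other chart hunks of this file, which suggests the export captured whatever UI build was loaded at the time rather than a deliberate value. Executable source has no place in a style field of a committed dashboard definition, regardless of whether the importer interprets it — set a literal color such as `"color": "#10a3b7"` or remove `itemStyle` entirely. The rewritten `itemColors` list also still reads as a snapshot of one environment's service mix (`spicy_stun`, `http`, …) rather than an intended palette; consider clearing it so the import carries no per-deployment residue.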
@@ -703,13 +541,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "fee76058d3bbbe0ef0d35c4fe988e33040bab00fa1df2900387b3e57c94f8b7a" + "etag": "a105910f058c28af64a6a47b131bcc1e95a4e0c1485e7bb9cd966f6c42384d53", + "drillDownConfig": {} }, { - "name": "6e3026d2-bef9-41c0-8814-de77d0966ae0", + "name": "2dfd31a2-2b4e-4aca-8c01-31f2a4ad1781", "displayName": "Top Responder Ports", "chartDatasource": { - "dashboardQuery": "908a8c2c-19c1-4b21-b0eb-b69b0b38d7c0", + "dashboardQuery": "2cea8d54-6726-4715-bb23-c15923ce3512", "dataSources": [ "UDM" ] @@ -743,13 +582,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "03063686252ef49b5e28c809558bc28c3d2664bb666ef7779ee4974db648c6d8" + "etag": "e92f28ac92666ef402d751bf88b7ad2b537c8eb15ac14dcf7cccd0732dbf7a2b", + "drillDownConfig": {} }, { - "name": "496a7765-732c-4258-8c9b-0c76638fd048", + "name": "a9ce5023-9637-4056-ab3f-51124ade1f7c", "displayName": "Top Inbound Data Flows by Originator (id_orig_h) Bytes", "chartDatasource": { - "dashboardQuery": "fe9532ba-f544-4689-b72f-b4c85a53b21f", + "dashboardQuery": "aeb20ca2-2e9a-4f9c-9e47-865d0c625fad", "dataSources": [ "UDM" ] @@ -799,13 +639,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0aa99bdc877d161214608e63f93d4c806aafbc7893460f8a91cf9f2741138490" + "etag": "3547b393581b5e7acb971880f3dac90c05dd0c0bb096b6370dcdd9f2dbb933c3", + "drillDownConfig": {} }, { - "name": "99de37d8-3b97-4dde-87df-9bb883ec28bd", + "name": "6b8ed618-a4da-4995-b33a-c48dda296113", "displayName": "Top Responders (destinations) by # of connections", "chartDatasource": { - "dashboardQuery": "6cad8fd5-9ec3-417e-8cf6-e988c2b4da19", + "dashboardQuery": "a85f9904-88f2-4544-b2c2-365c5f5aa843", "dataSources": [ "UDM" ] 
@@ -818,119 +659,23 @@ "value": "count", "itemName": "target.ip" }, - "dataLabel": {}, + "dataLabel": { + "show": true + }, "radius": [ "0%", "70%" ], "itemStyle": { - "color": "undefined" + "color": "b=>{const {map:c}=LJf(this.theme);b=GLf(b,kKf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" }, "itemColors": { "colors": [ { - "key": "192.168.12.9", + "key": "2.2.2.2", "value": { "color": "#1a73e8", - "label": "192.168.12.9" - } - }, - { - "key": "192.168.12.10", - "value": { - "color": "#eb730a", - "label": "192.168.12.10" - } - }, - { - "key": "8.8.8.8", - "value": { - "color": "#10a3b7", - "label": "8.8.8.8" - } - }, - { - "key": "192.168.10.1", - "value": { - "color": "#d15f6b", - "label": "192.168.10.1" - } - }, - { - "key": "52.21.18.219", - "value": { - "color": "#e51f8f", - "label": "52.21.18.219" - } - }, - { - "key": "52.21.3.59", - "value": { - "color": "#923ef9", - "label": "52.21.3.59" - } - }, - { - "key": "34.193.168.81", - "value": { - "color": "#4aa207", - "label": "34.193.168.81" - } - }, - { - "key": "71.10.216.1", - "value": { - "color": "#5350fb", - "label": "71.10.216.1" - } - }, - { - "key": "1.1.1.1", - "value": { - "color": "#009886", - "label": "1.1.1.1" - } - }, - { - "key": "10.4.0.56", - "value": { - "color": "#1a73e8", - "label": "10.4.0.56" - } - }, - { - "key": "216.239.34.10", - "value": { - "color": "#eb730a", - "label": "216.239.34.10" - } - }, - { - "key": "10.0.0.2", - "value": { - "color": "#10a3b7", - "label": "10.0.0.2" - } - }, - { - "key": "172.28.0.18", - "value": { - "color": "#d15f6b", - "label": "172.28.0.18" - } - }, - { - "key": "172.28.0.19", - "value": { - "color": "#e51f8f", - "label": "172.28.0.19" - } - }, - { - "key": "172.28.0.20", - "value": { - "color": "#923ef9", - "label": "172.28.0.20" + "label": "2.2.2.2" } } ] 
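Review bot: The placeholder `"key": "2.2.2.2"` that replaces the scrubbed responder addresses in this hunk is a real, allocated public address, not a reserved one; an RFC 5737 documentation address (e.g. `"key": "203.0.113.2"`) or an empty `colors` array would avoid pinning a chart color to an address that can legitimately appear in live data. The same hunk stores a minified JavaScript closure (`b=>{const {map:c}=LJf(this.theme);…}`) as `itemStyle.color`; replace it with a literal color or drop the key, since a dashboard definition should not carry executable source in a style field. Scrubbing is the right direction, but the removed entries (private ranges plus public hosts such as the 52.21.x.x and 34.193.x.x addresses) stay in git history unless it is rewritten.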
@@ -955,78 +700,79 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "4eb534697ca8690bba4905ef766fddc7786fa4c9bc17f547803dd26dd4013b19" + "etag": "22eed4dc4a566abe0fc2bfd2ed9e33cb9de3cd90f88bc843eb99ef2d8c00a239", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "afbe82f0-140d-43de-8d7f-620a4ee5f54e", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", + "name": "a7e16f57-7856-4a42-8805-b4830dd4c4bd", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "059364c027cf251c59e0d751e8a1848149d1a1ce1804153100578b9a329426b7" + "etag": "5b83fedd6a299ba103bce61f055ecb3243650d49b2e5f0eaa1a5b023f3c0da02" }, { - "name": "3b2824a5-b6c1-4bbb-a61c-172f4acb3da1", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR 
target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n $service\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", + "name": "590fd057-2241-4bc1-8366-221512fab8b2", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nmatch:\r\n $service\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "eebaf80bced72e523bdc8efee363dbb87f2fa52d8664838a9b21229b884bfb47" + "etag": "43c185d86a840d2de1cb53a280dbc0a3ffa80125ed67a6ab1b4b6cd7174a7e44" }, { - "name": "908a8c2c-19c1-4b21-b0eb-b69b0b38d7c0", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n target.port\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", + "name": "2cea8d54-6726-4715-bb23-c15923ce3512", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nmatch:\r\n target.port\r\noutcome:\r\n 
$count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "db5b59c1f08cbd6bc21501ffcbcd6aa48c380b0a5daa9a71f827523a4ba1b722" + "etag": "e4a4d1f64c1b9675d2f7fdaa1cd36f29531f9b0f11d5aa28eb4775c29b02349f" }, { - "name": "fe9532ba-f544-4689-b72f-b4c85a53b21f", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$country_len=strings.length(principal.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(principal.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\n$direction=if(about.labels[\"local_orig\"]=\"true\" AND about.labels[\"local_resp\"]=\"true\", \"internal\", \r\n if(about.labels[\"local_orig\"]=\"true\" and about.labels[\"local_resp\"]=\"false\", \"outbound\",\r\n if(about.labels[\"local_orig\"]=\"false\" and about.labels[\"local_resp\"]=\"false\", \"external\", \r\n if(about.labels[\"local_orig\"]=\"false\" and about.labels[\"local_resp\"]=\"true\", \"inbound\", \"unknown\"\r\n ))))\r\n$direction=\"inbound\"\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, 
\"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\n$hostname=if(principal.ip_geo_artifact.network.dns_domain!=\"\", principal.ip_geo_artifact.network.dns_domain, \"Unknown\")\r\nmatch:\r\n principal.ip, target.ip, $hostname,principal.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $proto=array_distinct($protocol_string)\r\n $orig_byte_sum=sum(network.sent_bytes)\r\norder:\r\n $orig_byte_sum desc \r\nlimit:\r\n 10", + "name": "aeb20ca2-2e9a-4f9c-9e47-865d0c625fad", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$country_len=strings.length(principal.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(principal.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nabout.labels[\"local_orig\"]=\"false\" AND about.labels[\"local_resp\"]=\"true\"\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\n$hostname=if(principal.ip_geo_artifact.network.dns_domain!=\"\", principal.ip_geo_artifact.network.dns_domain, \"Unknown\")\r\nmatch:\r\n principal.ip, target.ip, 
$hostname,principal.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $proto=array_distinct($protocol_string)\r\n $orig_byte_sum=sum(network.sent_bytes)\r\norder:\r\n $orig_byte_sum desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ecfaa6965fd38dcc0f696ff64151ba7235569872dec7cdcafb04afaf0244ce46" + "etag": "186333092000879298c86aa26dd605b3727d9a5802281115aa2e5f1538a8ce66" }, { - "name": "6cad8fd5-9ec3-417e-8cf6-e988c2b4da19", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n target.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", + "name": "a85f9904-88f2-4544-b2c2-365c5f5aa843", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nmatch:\r\n target.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "c142fa124bc5d54f112a79ff899b3ab3802dd4de2154c4c731f1a94b02b126a7" + "etag": "5ae116126c518dc72e720ad39ae4b7743e60066f6f06a1d1355edd384c78b278" }, { - "name": "94f9c647-75a9-4f6f-b258-7394b553cdb6", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" 
\r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$country_len=strings.length(target.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(target.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$is_broadcast!=\"true\"\r\n$direction=if(about.labels[\"local_orig\"]=\"true\" AND about.labels[\"local_resp\"]=\"true\", \"internal\", \r\n if(about.labels[\"local_orig\"]=\"true\" and about.labels[\"local_resp\"]=\"false\", \"outbound\",\r\n if(about.labels[\"local_orig\"]=\"false\" and about.labels[\"local_resp\"]=\"false\", \"external\", \r\n if(about.labels[\"local_orig\"]=\"false\" and about.labels[\"local_resp\"]=\"true\", \"inbound\", \"unknown\"\r\n ))))\r\n$direction=\"outbound\"\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\n$hostname=if(target.ip_geo_artifact.network.dns_domain!=\"\", target.ip_geo_artifact.network.dns_domain, \"Unknown\")\r\nmatch:\r\n principal.ip, target.ip, $hostname,target.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $proto=array_distinct($protocol_string)\r\n $orig_byte_sum=sum(network.sent_bytes)\r\norder:\r\n $orig_byte_sum desc \r\nlimit:\r\n 10", + 
"name": "71c3f189-1d94-4e04-9c6a-140381611202", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$country_len=strings.length(target.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(target.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\n$service=about.labels[\"service\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$service!=\"\"\r\nabout.labels[\"local_orig\"]=\"true\" and about.labels[\"local_resp\"]=\"false\"\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\n$hostname=if(target.ip_geo_artifact.network.dns_domain!=\"\", target.ip_geo_artifact.network.dns_domain, \"Unknown\")\r\nmatch:\r\n principal.ip, target.ip, $hostname,target.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $proto=array_distinct($protocol_string)\r\n $orig_byte_sum=sum(network.sent_bytes)\r\norder:\r\n $orig_byte_sum desc \r\nlimit:\r\n 10", "input": { - "timeWindow": { - "startTime": "2025-03-28T00:00:00Z", - "endTime": "2025-03-29T00:00:00Z" + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" } }, - "etag": "d1b5b799e7ab8a8e5a332d67e9922c873f97ec8c1e17dd8bc3d032d04c6f3541" + "etag": 
"74d7e32ea88593ee38d4cb5c56d43c7c261c522c8ac681d0cbf68b02ac51b268" }, { - "name": "8d5eb403-a6c2-4572-8ef4-8ae9a73f7e2e", + "name": "3c53d951-1bf2-4268-8978-f9167cf61d47", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"\"\r\ntarget.ip!=\"\"\r\n$service=about.labels[\"service\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$service!=\"\"\r\n$uid=network.session_id\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\n\r\nmatch:\r\n $uid\r\noutcome:\r\n $duration=math.round(window.avg(network.session_duration.seconds), 3)\r\n $principal_ip=array_distinct(principal.ip)\r\n $target_ip=array_distinct(target.ip)\r\n $proto=array_distinct($protocol_string)\r\norder:\r\n $duration desc \r\nlimit:\r\n 10", "input": { "timeWindow": { @@ -1034,7 +780,7 @@ "endTime": "2025-03-29T00:00:00Z" } }, - "etag": "ec475613fd46d0079096d6b79f00ede8912ea26cdf84348f476764263d010619" + "etag": "156886a8e23004450b4627f49d399a92f1ae189059f686dbc37eaf5b1bc664c4" } ] } diff --git a/dashboards/Data Explorer/DNS.json b/dashboards/Data Explorer/DNS.json index e78f5e4..d393a08 100644 --- a/dashboards/Data Explorer/DNS.json +++ b/dashboards/Data Explorer/DNS.json 
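Review bot: The query renamed to `3c53d951-…` (the session-duration "Top 10" query) still pins an absolute `timeWindow` ending `"endTime": "2025-03-29T00:00:00Z"`, the context line of this hunk, while the commit converts the sibling query `71c3f189-…` to `relativeTime`; the `startTime` line sits in the preceding hunk, which begins outside this view. Imported as-is, that chart will keep querying one fixed day in the past and show stale or empty data. Suggest the same replacement the commit already applied to the sibling: `"relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" }`.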
@@ -2,7 +2,7 @@
 "dashboards": [
 {
 "dashboard": {
- "name": "b955a94e-8c0d-492f-a46b-2b1f50f17419",
+ "name": "73423d1e-0c82-423b-92be-39642c786092",
 "displayName": "Corelight → Data Explorer → DNS",
 "definition": {
 "filters": [
@@ -20,12 +20,12 @@
 ],
 "displayName": "Global Time Filter",
 "chartIds": [
- "01432b3f-13a7-4a4a-bd04-598ccd6e509e",
- "b1d52ea5-9ede-4650-8fa4-eafd8f557645",
- "b9114188-a022-4b25-8ea0-370b9c127435",
- "bbf6cd6d-1c69-4da1-859b-398b7de0a8b5",
- "d4d81140-1fda-4ab6-9808-14eedf94c343",
- "fe52a756-673b-4f8c-a2c5-43bf990ee34e"
+ "64cbbd72-6a04-48eb-8ec7-89e2b76dd07f",
+ "59096583-dfa8-4b8c-bf26-9bc5d5a16c3c",
+ "9e8a4246-0ee6-453b-8fc8-b5374a2c6974",
+ "6bcd4a82-dfce-4105-a9b9-5bf1fd01f886",
+ "d6552a81-7de9-442a-ba56-8d3ac30fa31e",
+ "6d4dae20-9273-4d1a-bf74-005aaf0e43f2"
 ],
 "isStandardTimeRangeFilter": true,
 "isStandardTimeRangeFilterEnabled": true
@@ -44,12 +44,12 @@
 ],
 "displayName": "Corelight Sensor",
 "chartIds": [
- "01432b3f-13a7-4a4a-bd04-598ccd6e509e",
- "b1d52ea5-9ede-4650-8fa4-eafd8f557645",
- "b9114188-a022-4b25-8ea0-370b9c127435",
- "bbf6cd6d-1c69-4da1-859b-398b7de0a8b5",
- "d4d81140-1fda-4ab6-9808-14eedf94c343",
- "fe52a756-673b-4f8c-a2c5-43bf990ee34e"
+ "64cbbd72-6a04-48eb-8ec7-89e2b76dd07f",
+ "59096583-dfa8-4b8c-bf26-9bc5d5a16c3c",
+ "9e8a4246-0ee6-453b-8fc8-b5374a2c6974",
+ "6bcd4a82-dfce-4105-a9b9-5bf1fd01f886",
+ "d6552a81-7de9-442a-ba56-8d3ac30fa31e",
+ "6d4dae20-9273-4d1a-bf74-005aaf0e43f2"
 ]
 },
 {
@@ -66,18 +66,18 @@
 ],
 "displayName": "Responder Port",
 "chartIds": [
- "01432b3f-13a7-4a4a-bd04-598ccd6e509e",
- "b9114188-a022-4b25-8ea0-370b9c127435",
- "b1d52ea5-9ede-4650-8fa4-eafd8f557645",
- "bbf6cd6d-1c69-4da1-859b-398b7de0a8b5",
- "d4d81140-1fda-4ab6-9808-14eedf94c343",
- "fe52a756-673b-4f8c-a2c5-43bf990ee34e"
+ "64cbbd72-6a04-48eb-8ec7-89e2b76dd07f",
+ "9e8a4246-0ee6-453b-8fc8-b5374a2c6974",
+ "59096583-dfa8-4b8c-bf26-9bc5d5a16c3c",
+ "6bcd4a82-dfce-4105-a9b9-5bf1fd01f886",
+ "d6552a81-7de9-442a-ba56-8d3ac30fa31e",
+ "6d4dae20-9273-4d1a-bf74-005aaf0e43f2"
 ]
 }
 ],
 "charts": [
 {
- "dashboardChart": "d4d81140-1fda-4ab6-9808-14eedf94c343",
+ "dashboardChart": "d6552a81-7de9-442a-ba56-8d3ac30fa31e",
 "chartLayout": {
 "startX": 0,
 "spanX": 32,
@@ -91,7 +91,7 @@
 ]
 },
 {
- "dashboardChart": "b1d52ea5-9ede-4650-8fa4-eafd8f557645",
+ "dashboardChart": "59096583-dfa8-4b8c-bf26-9bc5d5a16c3c",
 "chartLayout": {
 "startX": 32,
 "spanX": 32,
@@ -105,7 +105,7 @@
 ]
 },
 {
- "dashboardChart": "b9114188-a022-4b25-8ea0-370b9c127435",
+ "dashboardChart": "9e8a4246-0ee6-453b-8fc8-b5374a2c6974",
 "chartLayout": {
 "startX": 64,
 "spanX": 32,
@@ -119,7 +119,7 @@
 ]
 },
 {
- "dashboardChart": "bbf6cd6d-1c69-4da1-859b-398b7de0a8b5",
+ "dashboardChart": "6bcd4a82-dfce-4105-a9b9-5bf1fd01f886",
 "chartLayout": {
 "startX": 0,
 "spanX": 32,
@@ -133,7 +133,7 @@
 ]
 },
 {
- "dashboardChart": "01432b3f-13a7-4a4a-bd04-598ccd6e509e",
+ "dashboardChart": "64cbbd72-6a04-48eb-8ec7-89e2b76dd07f",
 "chartLayout": {
 "startX": 32,
 "spanX": 32,
@@ -147,7 +147,7 @@
 ]
 },
 {
- "dashboardChart": "fe52a756-673b-4f8c-a2c5-43bf990ee34e",
+ "dashboardChart": "6d4dae20-9273-4d1a-bf74-005aaf0e43f2",
 "chartLayout": {
 "startX": 64,
 "spanX": 32,
@@ -163,15 +163,15 @@
 ]
 },
 "type": "CUSTOM",
- "etag": "86d05e70872aec51dea25e01495619a053593f8805effd604acf9a9d4644180e",
+ "etag": "17fbf6f3e457022a1473d8ec3b26705ebc137d744902518e470e43290e234191",
 "access": "DASHBOARD_PRIVATE"
 },
 "dashboardCharts": [
 {
- "name": "fe52a756-673b-4f8c-a2c5-43bf990ee34e",
+ "name": "6d4dae20-9273-4d1a-bf74-005aaf0e43f2",
 "displayName": "Top Reverse Queries by Count to Non-Existent Domains",
 "chartDatasource": {
- "dashboardQuery": "def15655-16fb-493e-9fff-0659f3918b34",
+ "dashboardQuery": "c90f0ad9-4348-44e5-a025-360dec22f802",
 "dataSources": [
 "UDM"
 ]
@@ -205,13 +205,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "55ec0136f3c2c361738f186f7ecd7ebc4844fbe3f1d02eff60309962b8fc8dd3"
+ "etag": "2bab6403c05447a8948c3ac899f634e457aefaeed5a9d71b3b8df1a8f0c2746f",
+ "drillDownConfig": {}
 },
 {
- "name": "01432b3f-13a7-4a4a-bd04-598ccd6e509e",
+ "name": "64cbbd72-6a04-48eb-8ec7-89e2b76dd07f",
 "displayName": "Top Successful Reverse Queries by Count",
 "chartDatasource": {
- "dashboardQuery": "782591f3-9c0a-45e2-a34a-e2433bba087d",
+ "dashboardQuery": "24454959-e349-4067-9dc7-e96310083984",
 "dataSources": [
 "UDM"
 ]
@@ -245,13 +246,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "4268007d67e5cd7d4bf58e5294ee98fe2002daf985c480522ae1456ff328b4c2"
+ "etag": "067f479ffc3d14ec9c27dda903d5b8ce5a602f32c2bf0addfd35339472a82a71",
+ "drillDownConfig": {}
 },
 {
- "name": "d4d81140-1fda-4ab6-9808-14eedf94c343",
+ "name": "d6552a81-7de9-442a-ba56-8d3ac30fa31e",
 "displayName": "Top Query Types",
 "chartDatasource": {
- "dashboardQuery": "b634eee1-1dc3-4d12-a911-5590775fc8db",
+ "dashboardQuery": "9d49ae7e-85c2-446a-9a07-ed306200961c",
 "dataSources": [
 "UDM"
 ]
@@ -264,11 +266,76 @@
 "value": "count",
 "itemName": "record_type"
 },
- "dataLabel": {},
+ "dataLabel": {
+ "show": true
+ },
 "radius": [
 "0%",
 "70%"
- ]
+ ],
+ "itemStyle": {
+ "color": "b=>{const {map:c}=RIf(this.theme);b=YJf(b,qJf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}"
+ },
+ "itemColors": {
+ "colors": [
+ {
+ "key": "A",
+ "value": {
+ "color": "#0c67df",
+ "label": "A"
+ }
+ },
+ {
+ "key": "PTR",
+ "value": {
+ "color": "#eb730a",
+ "label": "PTR"
+ }
+ },
+ {
+ "key": "AAAA",
+ "value": {
+ "color": "#10a3b7",
+ "label": "AAAA"
+ }
+ },
+ {
+ "key": "AXFR",
+ "value": {
+ "color": "#d93025",
+ "label": "AXFR"
+ }
+ },
+ {
+ "key": "ANY",
+ "value": {
+ "color": "#e51f8f",
+ "label": "ANY"
+ }
+ },
+ {
+ "key": "TXT",
+ "value": {
+ "color": "#923ef9",
+ "label": "TXT"
+ }
+ },
+ {
+ "key": "IXFR",
+ "value": {
+ "color": "#4aa207",
+ "label": "IXFR"
+ }
+ },
+ {
+ "key": "HTTPS",
+ "value": {
+ "color": "#5350fb",
+ "label": "HTTPS"
+ }
+ }
+ ]
+ }
 }
 ],
 "xAxes": [
@@ -290,13 +357,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "d13e050ad2e0c99eacb8d280415bae77627ae9952cc35d995474117b064ee349"
+ "etag": "5a3bf8cdec9ef1e4a6cbddf40a31566892c4991123decf6f15c11cbf6b851068",
+ "drillDownConfig": {}
 },
 {
- "name": "b9114188-a022-4b25-8ea0-370b9c127435",
+ "name": "9e8a4246-0ee6-453b-8fc8-b5374a2c6974",
 "displayName": "Top 10 Queries by Count to Non-Existent Domains",
 "chartDatasource": {
- "dashboardQuery": "d270e6c1-3325-4871-850a-2106da060361",
+ "dashboardQuery": "427704ef-8850-4949-825f-b5d2ace84ba3",
 "dataSources": [
 "UDM"
 ]
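Review bot: `itemStyle.color` on the new side of `@@ -264,11 +266,76 @@` holds JavaScript source (`"b=>{const {map:c}=RIf(this.theme);…}"`) instead of a color, which looks like a UI callback that was stringified during export; the minified names `RIf`/`YJf`/`qJf` are build-specific, no importer can resolve them, and a config value that some consumer might hand to an evaluator is an unwanted code path in a checked-in dashboard. The per-slice colors are already carried by `itemColors.colors`, so the `itemStyle` object can be dropped, or `color` set to a literal such as the `"#0c67df"` used for key `A`. The identical stringified function appears in Files.json at `@@ -549,11 +639,34 @@` ("Top File Protocols by File Count"); it is worth checking whether the exporter emits this for every pie chart before more dashboards are committed.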
@@ -330,13 +398,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "c6030d265505d0b26fd52001b56037502886132b225558977bc85a1a66902be9"
+ "etag": "340c8a4a13a3bcc0daaa472a79f9bf286784823b6b5f9cbcc2d4ea870ae06893",
+ "drillDownConfig": {}
 },
 {
- "name": "bbf6cd6d-1c69-4da1-859b-398b7de0a8b5",
+ "name": "6bcd4a82-dfce-4105-a9b9-5bf1fd01f886",
 "displayName": "Top Originators by Count",
 "chartDatasource": {
- "dashboardQuery": "a4855199-06ba-4dae-9ec4-6ebe85d8d9aa",
+ "dashboardQuery": "bcdafcde-f83f-48d1-91a3-ceb3f56e4e9d",
 "dataSources": [
 "UDM"
 ]
@@ -370,13 +439,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "f11800108004d55baf3ac789106f95a7c421946f44108b31011042ae5605a398"
+ "etag": "e41f3386a2277b14313bcb932388791a9549e18d946c7edcc4c5974b1c7999dc",
+ "drillDownConfig": {}
 },
 {
- "name": "b1d52ea5-9ede-4650-8fa4-eafd8f557645",
+ "name": "59096583-dfa8-4b8c-bf26-9bc5d5a16c3c",
 "displayName": "Top 10 Queries by Count",
 "chartDatasource": {
- "dashboardQuery": "d3da393d-75a8-4650-baf8-4b461666b609",
+ "dashboardQuery": "06faa3a6-d75c-4d9e-abfe-6c28f8ade76d",
 "dataSources": [
 "UDM"
 ]
@@ -410,75 +480,76 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6e01e8498cc123284ded64f451a976d12e1e2ee3def9b6cc315ddeff9abc6dde" + "etag": "96d6096d29867ad2c62015cbd7bcd9fe57738e5688a8dbd971a03808e16f9ae8", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "d270e6c1-3325-4871-850a-2106da060361", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$record_type!=\"\" OR $record_type!=\"PTR\"\r\n$is_broadcast!=\"true\"\r\nabout.labels[\"rcode_name\"]=\"NXDOMAIN\"\r\n$query=if(network.dns.questions.name!=\"\", network.dns.questions.name, \"Unknown\")\r\n$combined_fields=strings.concat(about.labels[\"qtype_name\"], principal.ip, about.labels[\"rcode_name\"])\r\nmatch:\r\n $query\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "427704ef-8850-4949-825f-b5d2ace84ba3", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$record_type!=\"\" OR $record_type!=\"PTR\"\r\nabout.labels[\"rcode_name\"]=\"NXDOMAIN\"\r\n$query=if(network.dns.questions.name!=\"\", network.dns.questions.name, \"Unknown\")\r\n$combined_fields=strings.concat(about.labels[\"qtype_name\"], principal.ip, about.labels[\"rcode_name\"])\r\nmatch:\r\n $query\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": 
"4fdbe9cbc0742dde2731d7b974c70287e1bf73fa1d83f736899f884637d29f70" + "etag": "169fa76e073b467d3cb3f357376ee55e7730c50a6665de473d8960ec4f8fff0e" }, { - "name": "a4855199-06ba-4dae-9ec4-6ebe85d8d9aa", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$record_type!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "bcdafcde-f83f-48d1-91a3-ceb3f56e4e9d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$record_type!=\"\"\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "be040bb6ad3533fb398f5267804b1277ab2ccdb5cfc140c7433bb4c19186da0a" + "etag": "8919026523346c49749b6f5ee7deb7acd7e996c2212786285fe5fb296dfdb942" }, { - "name": "d3da393d-75a8-4650-baf8-4b461666b609", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$record_type!=\"\" OR $record_type!=\"PTR\"\r\n$is_broadcast!=\"true\"\r\n$query=if(network.dns.questions.name!=\"\", network.dns.questions.name, 
\"Unknown\")\r\n$combined_fields=strings.concat(about.labels[\"qtype_name\"], principal.ip, network.dns.questions.name, about.labels[\"rcode_name\"])\r\nmatch:\r\n $query\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "06faa3a6-d75c-4d9e-abfe-6c28f8ade76d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$record_type!=\"\" OR $record_type!=\"PTR\"\r\n$query=if(network.dns.questions.name!=\"\", network.dns.questions.name, \"Unknown\")\r\n$combined_fields=strings.concat(about.labels[\"qtype_name\"], principal.ip, network.dns.questions.name, about.labels[\"rcode_name\"])\r\nmatch:\r\n $query\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "76d67a542c765cf3e99d1a917f39d97622cde13cb96512f38ad35a15b7942071" + "etag": "58dc147eb489c292c18bc43ff34b3fc6e5969cb5245fa6df16896d061b1b9f8b" }, { - "name": "def15655-16fb-493e-9fff-0659f3918b34", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\nabout.labels[\"qtype_name\"]=\"PTR\"\r\nabout.labels[\"rcode_name\"]=\"NXDOMAIN\"\r\nnetwork.dns.questions.name!=\"\"\r\nmatch:\r\n network.dns.questions.name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "c90f0ad9-4348-44e5-a025-360dec22f802", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" 
\r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\nabout.labels[\"qtype_name\"]=\"PTR\"\r\nabout.labels[\"rcode_name\"]=\"NXDOMAIN\"\r\nnetwork.dns.questions.name!=\"\"\r\nmatch:\r\n network.dns.questions.name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "5192d3d8a1f4292a80674e0dfc10c320417958f6024a7d625e63f29b42b75f85" + "etag": "256cf1980eb8a5de9e567604e38adc2ec8ddb6416a6105c984ca63cb9d3c7ac0" }, { - "name": "782591f3-9c0a-45e2-a34a-e2433bba087d", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\nabout.labels[\"qtype_name\"]=\"PTR\"\r\nabout.labels[\"rcode_name\"]=\"NOERROR\"\r\nnetwork.dns.questions.name!=\"\"\r\nmatch:\r\n network.dns.questions.name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "24454959-e349-4067-9dc7-e96310083984", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\nabout.labels[\"qtype_name\"]=\"PTR\"\r\nabout.labels[\"rcode_name\"]=\"NOERROR\"\r\nnetwork.dns.questions.name!=\"\"\r\nmatch:\r\n network.dns.questions.name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "4d77e920b98740a951d4b9bd022067fdac8818d10a20dde0f8f22c949b4c7794" + "etag": 
"bf55c20e15502a5655550fe01d527edf02e3b1b40edd4563cc80a44ee6377970" }, { - "name": "b634eee1-1dc3-4d12-a911-5590775fc8db", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$record_type!=\"\"\r\n$is_broadcast!=\"true\"\r\nmatch:\r\n $record_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "9d49ae7e-85c2-446a-9a07-ed306200961c", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"dns\" \r\nobserver.hostname!=\"\"\r\n$record_type=about.labels[\"qtype_name\"]\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$record_type!=\"\"\r\nmatch:\r\n $record_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "aeca93f0606616ae0a85629435e29ca47eb0b2f14db9febd1aaad743a8c40d99" + "etag": "6f6303db1cfdf14e79485e42891a3f411c46ac563fd43a292673438a6ec02838" } ] } diff --git a/dashboards/Data Explorer/Files.json b/dashboards/Data Explorer/Files.json index 76f4ad1..634caf8 100644 --- a/dashboards/Data Explorer/Files.json +++ b/dashboards/Data Explorer/Files.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "c726cb96-3728-483c-9a5d-5fe877d2632d", + "name": "a14c4066-7213-405c-904d-5ba975e69ed7", "displayName": "Corelight → Data Explorer → Files", "definition": { "filters": [ 
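Review bot: The filter `$record_type!=\"\" OR $record_type!=\"PTR\"` in the rewritten queries `427704ef-…` ("Top 10 Queries by Count to Non-Existent Domains") and `06faa3a6-…` ("Top 10 Queries by Count") of hunk `@@ -410,75 +480,76 @@` is a tautology: any value differs from at least one of `\"\"` and `\"PTR\"`, so the line filters nothing and reverse lookups are counted alongside forward queries. If the intent is to drop empty and PTR records, as the separate reverse-query charts in this file suggest, the operator should be `AND`: `$record_type!=\"\" AND $record_type!=\"PTR\"`. Since these query lines were already rewritten in this commit to inline the `$is_broadcast` placeholder, this is a cheap moment to correct them.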
@@ -20,15 +20,15 @@
 ],
 "displayName": "Global Time Filter",
 "chartIds": [
- "5d4ba2d7-9234-4b92-803b-65460793d105",
- "9a37b12f-c2ac-4d6f-9d65-fcf7e30887dc",
- "9a5844d0-c225-4461-8fbb-62c99760c02e",
- "c0aa7dba-1bda-4771-9dc8-2df86709d85c",
- "4fb1fab8-deaf-4bcb-b47b-98148993a672",
- "756e5325-c457-4fbb-b5f0-7561961d8226",
- "ed5fb26f-891a-4e08-b639-36e57f52998d",
- "5644c1ef-ed47-4f4d-8b15-fa0499baaa6f",
- "08b7a2bc-568a-4b4b-ad6c-16b74ef0e312"
+ "a690f00b-1b38-44bc-8268-f25c6a94231a",
+ "baf5800f-755c-47f8-a5da-ad0615e82400",
+ "aa040953-5e8c-4ca4-a457-1d121b20355d",
+ "7a6746b7-ecf5-4343-83f3-910356920514",
+ "86b72b78-5b4e-4b30-9d65-0796612df0e1",
+ "2fadcee9-18f5-4711-a0a9-fc4201794389",
+ "9a6b8d8c-40c2-44e8-a8e6-f5fa3815b3d0",
+ "8e08d356-1322-4848-ae58-0c2d9efaf4a0",
+ "2cfae3d7-c468-479c-b69a-da5e83587b41"
 ],
 "isStandardTimeRangeFilter": true,
 "isStandardTimeRangeFilterEnabled": true
@@ -47,21 +47,21 @@
 ],
 "displayName": "Corelight Sensor",
 "chartIds": [
- "c0aa7dba-1bda-4771-9dc8-2df86709d85c",
- "4fb1fab8-deaf-4bcb-b47b-98148993a672",
- "5d4ba2d7-9234-4b92-803b-65460793d105",
- "9a37b12f-c2ac-4d6f-9d65-fcf7e30887dc",
- "756e5325-c457-4fbb-b5f0-7561961d8226",
- "5644c1ef-ed47-4f4d-8b15-fa0499baaa6f",
- "ed5fb26f-891a-4e08-b639-36e57f52998d",
- "08b7a2bc-568a-4b4b-ad6c-16b74ef0e312",
- "9a5844d0-c225-4461-8fbb-62c99760c02e"
+ "7a6746b7-ecf5-4343-83f3-910356920514",
+ "86b72b78-5b4e-4b30-9d65-0796612df0e1",
+ "a690f00b-1b38-44bc-8268-f25c6a94231a",
+ "baf5800f-755c-47f8-a5da-ad0615e82400",
+ "2fadcee9-18f5-4711-a0a9-fc4201794389",
+ "8e08d356-1322-4848-ae58-0c2d9efaf4a0",
+ "9a6b8d8c-40c2-44e8-a8e6-f5fa3815b3d0",
+ "2cfae3d7-c468-479c-b69a-da5e83587b41",
+ "aa040953-5e8c-4ca4-a457-1d121b20355d"
 ]
 }
 ],
 "charts": [
 {
- "dashboardChart": "5d4ba2d7-9234-4b92-803b-65460793d105",
+ "dashboardChart": "a690f00b-1b38-44bc-8268-f25c6a94231a",
 "chartLayout": {
 "startX": 0,
 "spanX": 48,
@@ -74,7 +74,7 @@
 ]
 },
 {
- "dashboardChart": "9a5844d0-c225-4461-8fbb-62c99760c02e",
+ "dashboardChart": "aa040953-5e8c-4ca4-a457-1d121b20355d",
 "chartLayout": {
 "startX": 48,
 "spanX": 48,
@@ -87,7 +87,7 @@
 ]
 },
 {
- "dashboardChart": "9a37b12f-c2ac-4d6f-9d65-fcf7e30887dc",
+ "dashboardChart": "baf5800f-755c-47f8-a5da-ad0615e82400",
 "chartLayout": {
 "startX": 0,
 "spanX": 48,
@@ -100,7 +100,7 @@
 ]
 },
 {
- "dashboardChart": "756e5325-c457-4fbb-b5f0-7561961d8226",
+ "dashboardChart": "2fadcee9-18f5-4711-a0a9-fc4201794389",
 "chartLayout": {
 "startX": 48,
 "spanX": 48,
@@ -113,7 +113,7 @@
 ]
 },
 {
- "dashboardChart": "5644c1ef-ed47-4f4d-8b15-fa0499baaa6f",
+ "dashboardChart": "8e08d356-1322-4848-ae58-0c2d9efaf4a0",
 "chartLayout": {
 "startX": 0,
 "spanX": 96,
@@ -126,7 +126,7 @@
 ]
 },
 {
- "dashboardChart": "4fb1fab8-deaf-4bcb-b47b-98148993a672",
+ "dashboardChart": "86b72b78-5b4e-4b30-9d65-0796612df0e1",
 "chartLayout": {
 "startX": 0,
 "spanX": 48,
@@ -139,7 +139,7 @@
 ]
 },
 {
- "dashboardChart": "c0aa7dba-1bda-4771-9dc8-2df86709d85c",
+ "dashboardChart": "7a6746b7-ecf5-4343-83f3-910356920514",
 "chartLayout": {
 "startX": 48,
 "spanX": 48,
@@ -152,7 +152,7 @@
 ]
 },
 {
- "dashboardChart": "08b7a2bc-568a-4b4b-ad6c-16b74ef0e312",
+ "dashboardChart": "2cfae3d7-c468-479c-b69a-da5e83587b41",
 "chartLayout": {
 "startX": 48,
 "spanX": 48,
@@ -165,7 +165,7 @@
 ]
 },
 {
- "dashboardChart": "ed5fb26f-891a-4e08-b639-36e57f52998d",
+ "dashboardChart": "9a6b8d8c-40c2-44e8-a8e6-f5fa3815b3d0",
 "chartLayout": {
 "startX": 0,
 "spanX": 48,
@@ -180,15 +180,15 @@
 ]
 },
 "type": "CUSTOM",
- "etag": "5cfe5ce36fd46bec4845078ea10817d1a4213cc74a8016201ca38c031b24b715",
+ "etag": "1b44451ae20a45f01410a4f615b9086f397983e30c21b553d7929959fdb0d900",
 "access": "DASHBOARD_PRIVATE"
 },
 "dashboardCharts": [
 {
- "name": "ed5fb26f-891a-4e08-b639-36e57f52998d",
+ "name": "9a6b8d8c-40c2-44e8-a8e6-f5fa3815b3d0",
 "displayName": "Top Receiving (rx_host) Hosts - # Files",
 "chartDatasource": {
- "dashboardQuery": "bfaed226-1e11-402f-adc0-3aeec7919405",
+ "dashboardQuery": "b5ec5d95-315c-4752-b020-1d05581249be",
 "dataSources": [
 "UDM"
 ]
@@ -222,13 +222,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "61d501365a3766da6088553d9fcfc75d18d480afc5c1cd7e4e7732bc3db003c0"
+ "etag": "cd14a3819bd217bfda20e605326bf2bbeb90939fd8fb6223dfdba64e0bf8a7f8",
+ "drillDownConfig": {}
 },
 {
- "name": "5d4ba2d7-9234-4b92-803b-65460793d105",
+ "name": "a690f00b-1b38-44bc-8268-f25c6a94231a",
 "displayName": "Top 20 Mime Types by File Count",
 "chartDatasource": {
- "dashboardQuery": "45b06a2f-55eb-4304-bcd6-2aa33b4275f8",
+ "dashboardQuery": "e9a5238e-75a1-4ddd-87c9-a5c167fb16c6",
 "dataSources": [
 "UDM"
 ]
@@ -236,12 +237,17 @@
 "visualization": {
 "series": [
 {
+ "seriesName": "none",
 "seriesType": "BAR",
 "encode": {
 "x": "mime_type",
 "y": "count"
 },
- "dataLabel": {}
+ "dataLabel": {},
+ "itemStyle": {
+ "color": "undefined"
+ },
+ "seriesUniqueValue": "none"
 }
 ],
 "xAxes": [
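Review bot: `"color": "undefined"` in the `itemStyle` added to the "Top 20 Mime Types by File Count" series (hunk `@@ -236,12 +237,17 @@`) is the string form of JavaScript's `undefined`, not a color; together with the new `"seriesName": "none"` and `"seriesUniqueValue": "none"` it reads as an unset UI field that the exporter serialized anyway. A renderer that validates colors will reject or ignore it, and one that does not will paint whatever its fallback is, so the value is at best noise in the diff. Either drop the `itemStyle` object for this series or set a literal from the palette this file already uses, e.g. `"color": "#1a73e8"`.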
@@ -264,13 +270,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d15cc47b87339c3f65168b951abbff10ae908bbef77a24c897e4d55a77cf7e20" + "etag": "035f6f6b6fce060fe0e452eccd9a53d202170f242e105d4f68cea5ffaca85941", + "drillDownConfig": {} }, { - "name": "756e5325-c457-4fbb-b5f0-7561961d8226", + "name": "2fadcee9-18f5-4711-a0a9-fc4201794389", "displayName": "File Flow - Bytes", "chartDatasource": { - "dashboardQuery": "47905af3-f51a-47e9-9a73-d76012711574", + "dashboardQuery": "19a99a36-1950-4e5e-8d4d-8719b4744261", "dataSources": [ "UDM" ] @@ -286,9 +293,48 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#1a73e8" + "color": "#ec453b" }, "seriesUniqueValue": "internal" + }, + { + "seriesName": "sent", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "actual_file_size" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "sent" + }, + { + "seriesName": "unknown", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "actual_file_size" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "unknown" + }, + { + "seriesName": "received", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "actual_file_size" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "received" } ], "xAxes": [ @@ -315,13 +361,14 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "17abc6202c530a10edb7763a59555ec39a9d63f03f6bb87c77f895d977f90ad4" + "etag": "00f4fda32fe64574dcc0e5b3ff2a94a48e352d8cbf437b615e8955227d7a6183", + "drillDownConfig": {} }, { - "name": "08b7a2bc-568a-4b4b-ad6c-16b74ef0e312", + "name": "2cfae3d7-c468-479c-b69a-da5e83587b41", "displayName": "Top Receiving (rx_host) Hosts - Bytes", "chartDatasource": { - "dashboardQuery": "d715f960-395e-4e47-9c3d-b1e6dd078bdb", + "dashboardQuery": "06f87bfb-ee98-452c-b820-478b2b3f65a4", "dataSources": [ "UDM" ] 
@@ -355,13 +402,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "4a719faaadb49fe4c5e3d3f25a4230da66f2cecb2e0b2104f87614329da437e2" + "etag": "1069cf9c2bdd903458329e5e576f6aa78ddc00702497f971e6bb5d1adcb88d3a", + "drillDownConfig": {} }, { - "name": "c0aa7dba-1bda-4771-9dc8-2df86709d85c", + "name": "7a6746b7-ecf5-4343-83f3-910356920514", "displayName": "Top Transmitting (tx_host) Hosts - Bytes", "chartDatasource": { - "dashboardQuery": "52443456-d28b-4450-acb7-7760d5e8c006", + "dashboardQuery": "830d834e-d588-49b2-962f-8a5e644b13f0", "dataSources": [ "UDM" ] @@ -395,13 +443,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d73cea8bf179f2d47244bd4b797a5f99ce8596336e831cd80f21096e3789d44d" + "etag": "c8fe7542cfc20c166fff0f5c5cc58dd44b056fdbb034d49eaa2df58ec5c14c20", + "drillDownConfig": {} }, { - "name": "9a37b12f-c2ac-4d6f-9d65-fcf7e30887dc", + "name": "baf5800f-755c-47f8-a5da-ad0615e82400", "displayName": "File Flow - # of Files", "chartDatasource": { - "dashboardQuery": "126474b6-5dae-4c59-92b9-ea9e2fb6473e", + "dashboardQuery": "86a4eb74-24f4-49c4-b04d-06c59bb0a28d", "dataSources": [ "UDM" ] @@ -417,9 +466,48 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#10a3b7" + "color": "#ec453b" }, "seriesUniqueValue": "internal" + }, + { + "seriesName": "sent", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "sent" + }, + { + "seriesName": "unknown", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "unknown" + }, + { + "seriesName": "received", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "received" } ], "xAxes": [ 
@@ -446,13 +534,14 @@
 "groupingType": "Grouped"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "836eaa1ae7c22da2b48ece3a83b33676e8aede6eecba0211c9004d52e68f663b"
+ "etag": "eba6799b3784784960b7ed42fb96988d4df077082598fcefdd345be8d277dba7",
+ "drillDownConfig": {}
 },
 {
- "name": "4fb1fab8-deaf-4bcb-b47b-98148993a672",
+ "name": "86b72b78-5b4e-4b30-9d65-0796612df0e1",
 "displayName": "Top Transmitting (tx_host) Hosts - # Files",
 "chartDatasource": {
- "dashboardQuery": "b6cb07a6-faef-4028-aac2-2da02f342fbe",
+ "dashboardQuery": "bd92cf86-8d7c-4b96-8ad6-b0a5c5ebf9aa",
 "dataSources": [
 "UDM"
 ]
@@ -486,13 +575,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "5b5e8eecfd8e9ec3f32e964859bebea45a0a65f57ad609f18741541e4d2b8f0c"
+ "etag": "29f71ce3ca3e0e5e233b3af31f975596a98d6be64b33e44e005dd47e8c246bf7",
+ "drillDownConfig": {}
 },
 {
- "name": "9a5844d0-c225-4461-8fbb-62c99760c02e",
+ "name": "aa040953-5e8c-4ca4-a457-1d121b20355d",
 "displayName": "Corelight Mime Type to Filename Check",
 "chartDatasource": {
- "dashboardQuery": "1eb853a6-f581-4431-b4a1-4f435f35ff12",
+ "dashboardQuery": "b799c71f-460a-43ab-ad87-f12f4305852c",
 "dataSources": [
 "UDM"
 ]
@@ -530,13 +620,13 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "a9c53b3a09d5551e5f50f970f25a19c250c55ee8e6da1e67edee8ec567175571"
+ "etag": "c2a2db24029e5572f97996a3f2d1a14d8673b0be9e4145b2bfb5c970a47c7390"
 },
 {
- "name": "5644c1ef-ed47-4f4d-8b15-fa0499baaa6f",
+ "name": "8e08d356-1322-4848-ae58-0c2d9efaf4a0",
 "displayName": "Top File Protocols by File Count",
 "chartDatasource": {
- "dashboardQuery": "daf168cd-43bc-4f55-8dce-32ee6fac6322",
+ "dashboardQuery": "f34f88f3-dad6-43ce-a1c6-5d7576bdd140",
 "dataSources": [
 "UDM"
 ]
@@ -549,11 +639,34 @@
 "value": "count",
 "itemName": "app"
 },
- "dataLabel": {},
+ "dataLabel": {
+ "show": true
+ },
 "radius": [
 "0%",
 "70%"
- ]
+ ],
+ "itemStyle": {
+ "color": "b=>{const {map:c}=RIf(this.theme);b=YJf(b,qJf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}"
+ },
+ "itemColors": {
+ "colors": [
+ {
+ "key": "HTTP",
+ "value": {
+ "color": "#1a73e8",
+ "label": "HTTP"
+ }
+ },
+ {
+ "key": "SSL",
+ "value": {
+ "color": "#eb730a",
+ "label": "SSL"
+ }
+ }
+ ]
+ }
 }
 ],
 "xAxes": [
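Review bot: The added `itemStyle.color` on the pie series of "Top File Protocols by File Count" is not a color but a serialized, minified JavaScript callback (`b=>{const {map:c}=RIf(this.theme);…}`) that references `this.form.controls` and `this.theme` — the exporting UI's color-resolver function appears to have been stringified into the file. A consumer expecting a CSS color will at best ignore it and at worst render the raw text or fail to load the chart, and checking this kind of stray function body into a dashboard definition also makes it impossible to tell what the intended value was. Since per-key colors are already given under `itemColors.colors`, drop the `itemStyle` block entirely or set it to a plain value such as `"color": "#1a73e8"`. The other re-exported dashboards in this change should be grepped for the same `=>{` pattern before merge.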
@@ -575,56 +688,57 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "033477f32db2d2e652983d664715459b78bd85aaf0f8bae307496e839d8e4799" + "etag": "9205c5328149cb218a039911a452e99d2ea3fba6a1e84f50937be68fbcb93f3c", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "52443456-d28b-4450-acb7-7760d5e8c006", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n principal.ip\r\noutcome:\r\n $src_bytes = (cast.as_float(strings.concat(sum(about.file.size), \"\")) * count_distinct(metadata.id)) / count(metadata.id)\r\norder:\r\n $src_bytes desc \r\nlimit:\r\n 10", + "name": "830d834e-d588-49b2-962f-8a5e644b13f0", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n principal.ip\r\noutcome:\r\n $src_bytes = (cast.as_float(strings.concat(sum(about.file.size), \"\")) * count_distinct(metadata.id)) / count(metadata.id)\r\norder:\r\n $src_bytes desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "f5bd32801fa801306d84f1a6b8dec1161410d4ce612d272ddc1d593595b8da97" + "etag": "01f097482b20ffe19841fdc19e65c9235b228b95a36c6b4d8586eecd76ce3c17" }, { - "name": "126474b6-5dae-4c59-92b9-ea9e2fb6473e", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR 
target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\"\r\n$is_src_internal=if(principal.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$is_dest_internal=if(target.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $is_src_internal, $is_dest_internal\r\noutcome:\r\n $directional=array_distinct(if($is_src_internal=\"true\" AND $is_dest_internal=\"false\", \"sent\", \r\n if($is_src_internal=\"false\" AND $is_dest_internal=\"true\",\"received\", \r\n if($is_src_internal=\"true\" AND $is_dest_internal=\"true\", \"internal\", \"unknown\"\r\n ))))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", + "name": "86a4eb74-24f4-49c4-b04d-06c59bb0a28d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\"\r\n$is_src_internal=if(principal.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$is_dest_internal=if(target.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $is_src_internal, $is_dest_internal\r\noutcome:\r\n $directional=array_distinct(if($is_src_internal=\"true\" AND $is_dest_internal=\"false\", \"sent\", \r\n if($is_src_internal=\"false\" AND $is_dest_internal=\"true\",\"received\", \r\n if($is_src_internal=\"true\" AND $is_dest_internal=\"true\", \"internal\", \"unknown\"\r\n ))))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "a907bc4422d3587bbfec164286e18c45b63348776e1c6ddf950db0c2a39944b3" + "etag": 
"e7f1746a21570e48484c3ccda3a9402f0d4519fe641f688d7c4d3e1084bb1f45" }, { - "name": "45b06a2f-55eb-4304-bcd6-2aa33b4275f8", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nobserver.hostname!=\"\"\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" AND $mime_type!=\"application/pkix-cert\"\r\nmatch:\r\n $mime_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 20", + "name": "e9a5238e-75a1-4ddd-87c9-a5c167fb16c6", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nobserver.hostname!=\"\"\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" AND $mime_type!=\"application/pkix-cert\"\r\nmatch:\r\n $mime_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 20", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "9e13a796fa4231623c889f6102a1b81f08548b6c2397074bb6a1e26762ce30dd" + "etag": "10a6b56c972b395fe6a55ff7c10ed5a1ea0fee17cbc1b66e890417af850294d0" }, { - "name": "47905af3-f51a-47e9-9a73-d76012711574", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\"\r\n$is_src_internal=if(principal.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$is_dest_internal=if(target.ip in cidr %internal_cidr_list , \"true\", 
\"false\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $is_src_internal, $is_dest_internal\r\noutcome:\r\n $directional=array_distinct(if($is_src_internal=\"true\" AND $is_dest_internal=\"false\", \"sent\", \r\n if($is_src_internal=\"false\" AND $is_dest_internal=\"true\",\"received\", \r\n if($is_src_internal=\"true\" AND $is_dest_internal=\"true\", \"internal\", \"unknown\"\r\n ))))\r\n $event_ratio = (count(metadata.id) / count_distinct(metadata.id))\r\n $file_size_sum=sum(about.file.size)\r\n $actual_file_size = $file_size_sum / $event_ratio\r\norder:\r\n $date_hour asc", + "name": "19a99a36-1950-4e5e-8d4d-8719b4744261", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\"\r\n$is_src_internal=if(principal.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$is_dest_internal=if(target.ip in cidr %internal_cidr_list , \"true\", \"false\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $is_src_internal, $is_dest_internal\r\noutcome:\r\n $directional=array_distinct(if($is_src_internal=\"true\" AND $is_dest_internal=\"false\", \"sent\", \r\n if($is_src_internal=\"false\" AND $is_dest_internal=\"true\",\"received\", \r\n if($is_src_internal=\"true\" AND $is_dest_internal=\"true\", \"internal\", \"unknown\"\r\n ))))\r\n $event_ratio = (count(metadata.id) / count_distinct(metadata.id))\r\n $file_size_sum=sum(about.file.size)\r\n $actual_file_size = $file_size_sum / $event_ratio\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "663fcbc5a24b8e2eab7b971be14e5952d344d90ef8bbbc866e4f450a9e920194" + "etag": 
"ce4bd32e01f340524156bb2191305fc04dc756c351d6cf55444c97d1e2afb803" }, { - "name": "1eb853a6-f581-4431-b4a1-4f435f35ff12", + "name": "b799c71f-460a-43ab-ad87-f12f4305852c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$mime_type=about.file.mime_type\r\n$mime_type=\"application/x-dosexec\"\r\n$file_name=about.file.names\r\n$file_name!=/.*exe.*/\r\nmatch:\r\n $mime_type, $file_name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 15", "input": { "relativeTime": { 
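Review bot: The rewritten exclusion `principal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"` replaces the old `$is_broadcast` placeholder in every query of this hunk and is only the De Morgan equivalent if `!=` has plain scalar semantics; if `principal.ip` and `target.ip` are repeated fields in the event model, the old any-element `=` inside `if(...)` and the new `!=` may disagree on an event that carries several IPs, so this is worth confirming against one such event before merge. The same block is now copied verbatim into eight queries here and in the following hunk, which means a future change to the exclusion list has eight places to keep in sync. The `dashboardQueries` array opens in this hunk but continues past its end.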
@@ -632,51 +746,51 @@ "startTimeVal": "1" } }, - "etag": "e08f667d0612e154683bb946e343dc9af6f9dd6491ec281b64ebcac6470b0dab" + "etag": "b7c40f7b83ecadd102dd18bb760a26bc67f4a15f3ef7ef4e50937417e170dbb7" }, { - "name": "d715f960-395e-4e47-9c3d-b1e6dd078bdb", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n target.ip\r\noutcome:\r\n $dest_bytes= (cast.as_float(strings.concat(sum(about.file.size), \"\")) * count_distinct(metadata.id)) / count(metadata.id)\r\norder:\r\n $dest_bytes desc \r\nlimit:\r\n 10", + "name": "06f87bfb-ee98-452c-b820-478b2b3f65a4", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n target.ip\r\noutcome:\r\n $dest_bytes= (cast.as_float(strings.concat(sum(about.file.size), \"\")) * count_distinct(metadata.id)) / count(metadata.id)\r\norder:\r\n $dest_bytes desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "6079e1b28982485bdf95ccadde985b932926c9ca8f72624af314ede3592d55ea" + "etag": "ab337075e6e841363d9fc9b11b712b99649e9f1c96e1f6f77bb70b973ad68a75" }, { - "name": "bfaed226-1e11-402f-adc0-3aeec7919405", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n target.ip\r\noutcome:\r\n 
$count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "b5ec5d95-315c-4752-b020-1d05581249be", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n target.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ebd2c54ea1fd537f9676ed44b063bd56c8d7d21026a823e1a72ef2b3fb8ac104" + "etag": "6b4d82744095de8268816336bf6ecb6265272f0cb7ca93cd51ca9b58b852e697" }, { - "name": "b6cb07a6-faef-4028-aac2-2da02f342fbe", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "bd92cf86-8d7c-4b96-8ad6-b0a5c5ebf9aa", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" \r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "b6e8826113d125aff2a88753c38ef71771a09b42087e71e4e0070d1e933abfef" + "etag": "dfc0337b2d4a94533556eccd324259748f1b0ce202aeccbe3d50f271fde1939e" }, { - "name": "daf168cd-43bc-4f55-8dce-32ee6fac6322", 
- "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast!=\"true\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" OR $mime_type!=\"application/pkix-cert\"\r\n$app=about.labels[\"source\"]\r\nmatch:\r\n $app\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10",
+ "name": "f34f88f3-dad6-43ce-a1c6-5d7576bdd140",
+ "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"files\" \r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$mime_type=about.file.mime_type\r\n$mime_type!=\"\" OR $mime_type!=\"application/pkix-cert\"\r\n$app=about.labels[\"source\"]\r\nmatch:\r\n $app\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
 "timeUnit": "DAY",
 "startTimeVal": "1"
 }
 },
- "etag": "829fe0d9297b896a6fe386ae664e60c9b6a2c04acd2419b6b51448d2f5f473d7"
+ "etag": "3dcede70bfcd8427b0e83f4419a45dcd4040d26d942f7390a3d13a3e616d85b4"
 }
 ]
 }
diff --git a/dashboards/Data Explorer/HTTP.json b/dashboards/Data Explorer/HTTP.json
index 22bf014..9f8ed13 100644
--- a/dashboards/Data Explorer/HTTP.json
+++ b/dashboards/Data Explorer/HTTP.json
@@ -2,7 +2,7 @@
 "dashboards": [
 {
 "dashboard": {
- "name": "4da25174-be4c-47b9-94b3-3b916e54266c",
+ "name": "a0fbb4f5-ec01-4cb7-bd5e-05c899f6eb96",
 "displayName": "Corelight → Data Explorer → HTTP",
 "definition": {
 "filters": [
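Review bot: In the last replaced query of this hunk (name `f34f88f3-…`, backing "Top File Protocols by File Count") the filter `$mime_type!=\"\" OR $mime_type!=\"application/pkix-cert\"` is a tautology — any value satisfies at least one side — so the certificate exclusion is silently ineffective, and the re-export carries the line forward unchanged. The sibling mime-type query earlier in this diff (name `e9a5238e-…`) uses `$mime_type!=\"\" AND $mime_type!=\"application/pkix-cert\"`, which is presumably what was intended here. Change the token to `AND` so pkix-cert objects are actually dropped from the protocol counts; it is a single-token change inside the query string on the `+` line.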
@@ -20,23 +20,23 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "c7e27f79-cb90-4c77-be8f-e5e14c3a37e4", - "23665473-d8d3-4791-9924-4f9b68a6726f", - "a30e42ff-ee8d-4761-aac8-514a3964646a", - "ef229110-d571-4aa6-93ac-ad7414ed5a00", - "24ff8491-9222-4f99-b5a6-db3ad9671373", - "b978f16b-7793-416b-b174-0e258e1056fe", - "2ccac1cf-4323-4f86-86cb-c82ec07dd517", - "ab9ab5ae-a0de-4786-a2c2-6dfdf1ba0cea", - "d696f956-0c65-4e7c-af8c-7f2aa81e8d06", - "fbfb1d23-16e7-4467-a171-de7d5f6462bf", - "5daafbf5-957e-4e37-82c7-436a32651c82", - "c6248b92-b67d-4665-994f-b3d5a6704a71", - "05b11ee1-855d-4f31-85d3-b9a063b0c6b4", - "a1fe6c57-d4b7-4635-b44a-25f2b302dc1e", - "6d1e879f-4cf9-4c11-8d0c-24bef63c23da", - "c8018a82-d65d-413d-8b22-99dedb1eecc4", - "2915c1b4-8e2e-4837-ad0d-e980da65c967" + "e9ee5925-650b-462d-81e6-72d45578c1fa", + "818dfd23-fc63-4380-a1c7-504804829e20", + "5fb15fff-d533-4bdc-8e5c-8d24d4cb3234", + "7ce31b06-1d6c-452b-8fce-ab07deef8ce4", + "80646e47-1eda-4b41-ad29-2c971b728048", + "7415f929-bd56-446d-bc71-7f52ee7066e0", + "eca48731-30a7-447d-be92-776d2d9c683b", + "4d2ba005-3e92-451b-9a97-b2c2b5e1c60f", + "459e8bf6-54e2-4177-92d6-70fcc988637b", + "77f90940-53fe-4284-ba3f-610f0bbf8f70", + "64eea644-a95b-40f4-9ca2-bdcc86e271cd", + "ad6957cb-63ca-479d-bf99-a50063f4ef4d", + "066ed24e-c466-4024-991e-7a64b68ac3ed", + "33fe2aa1-f2f8-4673-9ed4-4a3c6c67ea8a", + "86ef92b5-da06-4757-bcc6-986bd121dd34", + "4a6cee1a-0b29-4b04-a1cd-1c2ed699afca", + "17b19825-a742-4e4e-ba11-73ca5b2818ac" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -55,29 +55,29 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "d696f956-0c65-4e7c-af8c-7f2aa81e8d06", - "ab9ab5ae-a0de-4786-a2c2-6dfdf1ba0cea", - "2ccac1cf-4323-4f86-86cb-c82ec07dd517", - "b978f16b-7793-416b-b174-0e258e1056fe", - "24ff8491-9222-4f99-b5a6-db3ad9671373", - "ef229110-d571-4aa6-93ac-ad7414ed5a00", - "23665473-d8d3-4791-9924-4f9b68a6726f", - "a30e42ff-ee8d-4761-aac8-514a3964646a", - "c7e27f79-cb90-4c77-be8f-e5e14c3a37e4", - "fbfb1d23-16e7-4467-a171-de7d5f6462bf", - "c6248b92-b67d-4665-994f-b3d5a6704a71", - "5daafbf5-957e-4e37-82c7-436a32651c82", - "05b11ee1-855d-4f31-85d3-b9a063b0c6b4", - "a1fe6c57-d4b7-4635-b44a-25f2b302dc1e", - "6d1e879f-4cf9-4c11-8d0c-24bef63c23da", - "c8018a82-d65d-413d-8b22-99dedb1eecc4", - "2915c1b4-8e2e-4837-ad0d-e980da65c967" + "459e8bf6-54e2-4177-92d6-70fcc988637b", + "4d2ba005-3e92-451b-9a97-b2c2b5e1c60f", + "eca48731-30a7-447d-be92-776d2d9c683b", + "7415f929-bd56-446d-bc71-7f52ee7066e0", + "80646e47-1eda-4b41-ad29-2c971b728048", + "7ce31b06-1d6c-452b-8fce-ab07deef8ce4", + "818dfd23-fc63-4380-a1c7-504804829e20", + "5fb15fff-d533-4bdc-8e5c-8d24d4cb3234", + "e9ee5925-650b-462d-81e6-72d45578c1fa", + "77f90940-53fe-4284-ba3f-610f0bbf8f70", + "ad6957cb-63ca-479d-bf99-a50063f4ef4d", + "64eea644-a95b-40f4-9ca2-bdcc86e271cd", + "066ed24e-c466-4024-991e-7a64b68ac3ed", + "33fe2aa1-f2f8-4673-9ed4-4a3c6c67ea8a", + "86ef92b5-da06-4757-bcc6-986bd121dd34", + "4a6cee1a-0b29-4b04-a1cd-1c2ed699afca", + "17b19825-a742-4e4e-ba11-73ca5b2818ac" ] } ], "charts": [ { - "dashboardChart": "d696f956-0c65-4e7c-af8c-7f2aa81e8d06", + "dashboardChart": "459e8bf6-54e2-4177-92d6-70fcc988637b", "chartLayout": { "startX": 0, "spanX": 24, @@ -90,7 +90,7 @@ ] }, { - "dashboardChart": "c8018a82-d65d-413d-8b22-99dedb1eecc4", + "dashboardChart": "4a6cee1a-0b29-4b04-a1cd-1c2ed699afca", "chartLayout": { "startX": 48, "spanX": 24, 
@@ -103,7 +103,7 @@ ] }, { - "dashboardChart": "b978f16b-7793-416b-b174-0e258e1056fe", + "dashboardChart": "7415f929-bd56-446d-bc71-7f52ee7066e0", "chartLayout": { "startX": 24, "spanX": 24, @@ -116,7 +116,7 @@ ] }, { - "dashboardChart": "05b11ee1-855d-4f31-85d3-b9a063b0c6b4", + "dashboardChart": "066ed24e-c466-4024-991e-7a64b68ac3ed", "chartLayout": { "startX": 72, "spanX": 24, @@ -129,7 +129,7 @@ ] }, { - "dashboardChart": "2915c1b4-8e2e-4837-ad0d-e980da65c967", + "dashboardChart": "17b19825-a742-4e4e-ba11-73ca5b2818ac", "chartLayout": { "startX": 64, "spanX": 32, @@ -142,7 +142,7 @@ ] }, { - "dashboardChart": "fbfb1d23-16e7-4467-a171-de7d5f6462bf", + "dashboardChart": "77f90940-53fe-4284-ba3f-610f0bbf8f70", "chartLayout": { "startX": 0, "spanX": 32, @@ -155,7 +155,7 @@ ] }, { - "dashboardChart": "c7e27f79-cb90-4c77-be8f-e5e14c3a37e4", + "dashboardChart": "e9ee5925-650b-462d-81e6-72d45578c1fa", "chartLayout": { "startX": 32, "spanX": 32, @@ -168,7 +168,7 @@ ] }, { - "dashboardChart": "2ccac1cf-4323-4f86-86cb-c82ec07dd517", + "dashboardChart": "eca48731-30a7-447d-be92-776d2d9c683b", "chartLayout": { "startX": 0, "spanX": 48, @@ -181,7 +181,7 @@ ] }, { - "dashboardChart": "a30e42ff-ee8d-4761-aac8-514a3964646a", + "dashboardChart": "5fb15fff-d533-4bdc-8e5c-8d24d4cb3234", "chartLayout": { "startX": 48, "spanX": 48, @@ -194,7 +194,7 @@ ] }, { - "dashboardChart": "23665473-d8d3-4791-9924-4f9b68a6726f", + "dashboardChart": "818dfd23-fc63-4380-a1c7-504804829e20", "chartLayout": { "startX": 0, "spanX": 48, @@ -207,7 +207,7 @@ ] }, { - "dashboardChart": "5daafbf5-957e-4e37-82c7-436a32651c82", + "dashboardChart": "64eea644-a95b-40f4-9ca2-bdcc86e271cd", "chartLayout": { "startX": 48, "spanX": 48, @@ -220,7 +220,7 @@ ] }, { - "dashboardChart": "24ff8491-9222-4f99-b5a6-db3ad9671373", + "dashboardChart": "80646e47-1eda-4b41-ad29-2c971b728048", "chartLayout": { "startX": 0, "spanX": 48, 
@@ -233,7 +233,7 @@ ] }, { - "dashboardChart": "c6248b92-b67d-4665-994f-b3d5a6704a71", + "dashboardChart": "ad6957cb-63ca-479d-bf99-a50063f4ef4d", "chartLayout": { "startX": 48, "spanX": 48, @@ -246,7 +246,7 @@ ] }, { - "dashboardChart": "a1fe6c57-d4b7-4635-b44a-25f2b302dc1e", + "dashboardChart": "33fe2aa1-f2f8-4673-9ed4-4a3c6c67ea8a", "chartLayout": { "startX": 0, "spanX": 48, @@ -259,7 +259,7 @@ ] }, { - "dashboardChart": "ef229110-d571-4aa6-93ac-ad7414ed5a00", + "dashboardChart": "7ce31b06-1d6c-452b-8fce-ab07deef8ce4", "chartLayout": { "startX": 0, "spanX": 48, @@ -272,7 +272,7 @@ ] }, { - "dashboardChart": "6d1e879f-4cf9-4c11-8d0c-24bef63c23da", + "dashboardChart": "86ef92b5-da06-4757-bcc6-986bd121dd34", "chartLayout": { "startX": 48, "spanX": 48, @@ -285,7 +285,7 @@ ] }, { - "dashboardChart": "ab9ab5ae-a0de-4786-a2c2-6dfdf1ba0cea", + "dashboardChart": "4d2ba005-3e92-451b-9a97-b2c2b5e1c60f", "chartLayout": { "startX": 48, "spanX": 48, @@ -300,15 +300,15 @@ ] }, "type": "CUSTOM", - "etag": "66316741f6f2c0523d03510c5c676aeb6c266b6282cdf50599806ad42cbcbe2a", + "etag": "a6b9e251354143edb04a03686cdf98c04e1a43ebc8583216387c60c30ba312a9", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "ab9ab5ae-a0de-4786-a2c2-6dfdf1ba0cea", + "name": "4d2ba005-3e92-451b-9a97-b2c2b5e1c60f", "displayName": "Local User Agents - Outbound", "chartDatasource": { - "dashboardQuery": "efd1a548-4b52-498d-b311-85346fa9a710", + "dashboardQuery": "2c907248-756f-4773-b5af-41dd919101fa", "dataSources": [ "UDM" ] 
@@ -342,25 +342,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "cd4e4b5090e2a9550400e3d3aef28ae176dd35260dd1730f0756525fb8c4553b",
- "drillDownConfig": {
- "leftDrillDowns": [
- {
- "id": "user_agent",
- "displayName": "Run Search on User Agent",
- "defaultSettings": {
- "enabled": true
- }
- }
- ]
- }
+ "etag": "6201cfe6aea9d4249c4009ca957976e167014982f468631a7a3f1102dcfc0b31",
+ "drillDownConfig": {}
 },
 {
- "name": "05b11ee1-855d-4f31-85d3-b9a063b0c6b4",
+ "name": "066ed24e-c466-4024-991e-7a64b68ac3ed",
 "displayName": "Distinct Connections",
 "description": "Distinct Connections",
 "chartDatasource": {
- "dashboardQuery": "60feaea8-77d5-43ac-b309-1369a1b511b1",
+ "dashboardQuery": "a6b12ba8-9db7-4b70-b124-b691d9680660",
 "dataSources": [
 "UDM"
 ]
@@ -396,14 +386,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "734d8d1fff9e9aa8b94ae5d63058f457af765bc3533754dc1ab71a29ef5d8688",
+ "etag": "358639dacbaed5d16841ebb1e027306a0ba1f79278c3ada6b21128e29ecef781",
 "drillDownConfig": {}
 },
 {
- "name": "c7e27f79-cb90-4c77-be8f-e5e14c3a37e4",
+ "name": "e9ee5925-650b-462d-81e6-72d45578c1fa",
 "displayName": "HTTP Status Code Breakdown",
 "chartDatasource": {
- "dashboardQuery": "f0db2ea1-9d4f-4c2d-a15d-1cfaaa656306",
+ "dashboardQuery": "da1ed9c3-ebe7-4d13-8428-d5c2756d66ea",
 "dataSources": [
 "UDM"
 ]
@@ -472,14 +462,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "0a5d9b9d9d377c1fd5ddb6c5f3b3947c25bb30da5b4bbd36b43a990fa9349b6b",
+ "etag": "ad0d671932429687fb05361088d1965817be95653104eca6ef055cf040babf90",
 "drillDownConfig": {}
 },
 {
- "name": "5daafbf5-957e-4e37-82c7-436a32651c82",
+ "name": "64eea644-a95b-40f4-9ca2-bdcc86e271cd",
 "displayName": "Host Breakdown By HTTP Status",
 "chartDatasource": {
- "dashboardQuery": "df60790b-2707-4b5c-be55-f9f5057c2d72",
+ "dashboardQuery": "60aaa7a7-6035-4d44-9c5b-462ed394e711",
 "dataSources": [
 "UDM"
 ]
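Review bot: The "Run Search on User Agent" `leftDrillDowns` entry on "Local User Agents - Outbound" is replaced by an empty `"drillDownConfig": {}`, and the same removal happens in the later hunks for "Local Hosts - Outbound", "Local User Agents - Inbound" and "Local Hosts - Inbound", while other tiles in this file (Host Breakdown By HTTP Status, Top Host Headers by Count, Rare Host Headers) keep their drill-downs. Nothing in the diff says whether losing the pivot from a user-agent or host-header tile into a search is intended; it looks more like an artifact of re-exporting from an instance where those four pivots were never configured. If it is unintended, restore the four `leftDrillDowns` blocks before merge; if it is intended, a sentence in the commit message would save the next reviewer the same question.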
@@ -521,7 +511,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2341c106378fcc79469a0c3188ce8a40c9e556e3b2cc693338e50f47a4bc6e00", + "etag": "62f95577dbc672927656b0b9fe3be0eab2bcd0fc148638df6809e09a64368b12", "drillDownConfig": { "leftDrillDowns": [ { @@ -542,10 +532,10 @@ } }, { - "name": "a1fe6c57-d4b7-4635-b44a-25f2b302dc1e", + "name": "33fe2aa1-f2f8-4673-9ed4-4a3c6c67ea8a", "displayName": "Local Hosts - Outbound", "chartDatasource": { - "dashboardQuery": "7ffef937-b8e4-4543-be7c-bd527f5f15dc", + "dashboardQuery": "f837e0b6-b2b0-479b-930d-3c5e12d0419e", "dataSources": [ "UDM" ] @@ -579,24 +569,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "a4abc907266fe4078d001ebbdcf9ccec21c856cdfb57199d1b579371b813eaf2", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "target_hostname", - "displayName": "Run Search on Host Header", - "defaultSettings": { - "enabled": true - } - } - ] - } + "etag": "66fb1837a8205c7eb5b00e375a7fd10551f81cb00793c5f86818e01e08289679", + "drillDownConfig": {} }, { - "name": "6d1e879f-4cf9-4c11-8d0c-24bef63c23da", + "name": "86ef92b5-da06-4757-bcc6-986bd121dd34", "displayName": "Local User Agents - Inbound", "chartDatasource": { - "dashboardQuery": "2ff9a546-a79c-4ed3-ac48-c6e2de7e4a86", + "dashboardQuery": "d88a42bb-66d2-4450-8ce1-5e9f442ea353", "dataSources": [ "UDM" ] 
@@ -630,24 +610,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "acfc4c23e1a2e4b6fd126ed9a9870aa0711c0f0c69a23e11b81f8936d1414d59", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "user_agent", - "displayName": "Run Search on User Agent", - "defaultSettings": { - "enabled": true - } - } - ] - } + "etag": "d4dd7c793a6da736966b58a2ed56baf007dcc36ba1e9c09f434c626134267adf", + "drillDownConfig": {} }, { - "name": "24ff8491-9222-4f99-b5a6-db3ad9671373", + "name": "80646e47-1eda-4b41-ad29-2c971b728048", "displayName": "Distinct Host Headers - Inbound", "chartDatasource": { - "dashboardQuery": "ca16591c-0542-42da-a9c7-2f8256a72b25", + "dashboardQuery": "60d3946e-8910-4035-80f9-6d2b34b2f129", "dataSources": [ "UDM" ] @@ -683,14 +653,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "9d064ff29ba6a570e398dce1f7191ba46b27ff27721fd747deafa35b7a08d8d4" + "etag": "2dcf18bfecf2a1f7a3a06e2d84504e00f766a7b762054661ee5d7b6f1f17ba6c", + "drillDownConfig": {} }, { - "name": "b978f16b-7793-416b-b174-0e258e1056fe", + "name": "7415f929-bd56-446d-bc71-7f52ee7066e0", "displayName": "Distinct User Agents", "description": "Distinct User Agents", "chartDatasource": { - "dashboardQuery": "01340035-6f4f-4270-b4ca-13e88ea0b8ea", + "dashboardQuery": "91649f72-5459-4d15-a352-b4cbf3d8f3b4", "dataSources": [ "UDM" ] @@ -726,13 +697,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0c55371b2a336fda5627f0b174448a182456f13cefe05839f36e71b9153a512a" + "etag": "b65050de99e0bdb8fc51c5418acdd85f0b90bb040d22720235a30d0df90aca70" }, { - "name": "fbfb1d23-16e7-4467-a171-de7d5f6462bf", + "name": "77f90940-53fe-4284-ba3f-610f0bbf8f70", "displayName": "Top Host Headers by Count", "chartDatasource": { - "dashboardQuery": "62b9b743-99c0-4a92-8c63-5f156c6a9c06", + "dashboardQuery": "c79bfbbf-9cb5-4f39-a03a-24c0949418ed", "dataSources": [ "UDM" ] 
@@ -766,7 +737,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "7a90308b1d7f00f387b48a1a44a58bf63e0ba0aa5fd8a16525b328de81069396", + "etag": "8317bd769a46c3f48ceba6761ebcd315a4289763e71a5a3142adb16ecb36f14c", "drillDownConfig": { "leftDrillDowns": [ { @@ -780,10 +751,10 @@ } }, { - "name": "2915c1b4-8e2e-4837-ad0d-e980da65c967", + "name": "17b19825-a742-4e4e-ba11-73ca5b2818ac", "displayName": "Top Originators", "chartDatasource": { - "dashboardQuery": "0da4b34e-9273-496f-a752-7766b0461de7", + "dashboardQuery": "d188023e-8d50-4acc-8b27-7c986d76d905", "dataSources": [ "UDM" ] @@ -817,13 +788,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "5956ad0f6b494a7b8c6af0b32ab4a30833a19b7759318b075c63eb37b6eeb36b" + "etag": "b4711adacfee057229f76eb09b81ae850a1ca8c8c73e5adb30fdb77fb4f8073b" }, { - "name": "a30e42ff-ee8d-4761-aac8-514a3964646a", + "name": "5fb15fff-d533-4bdc-8e5c-8d24d4cb3234", "displayName": "Rare Host Headers", "chartDatasource": { - "dashboardQuery": "9a479479-ac11-4b3b-a275-1e9a52961cd2", + "dashboardQuery": "e40cecd8-6bd1-4472-807d-d5e2cf513be4", "dataSources": [ "UDM" ] @@ -857,7 +828,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "dfe386ec361b91ea3e94ab3952ea023d2d8a412f65868d0f664b8111e4e8030e", + "etag": "4b3f1009530f3e25b02c654fd0d5c99fdf5652a29b99ac58c59bcf492e17f621", "drillDownConfig": { "leftDrillDowns": [ { @@ -871,11 +842,11 @@ } }, { - "name": "c8018a82-d65d-413d-8b22-99dedb1eecc4", + "name": "4a6cee1a-0b29-4b04-a1cd-1c2ed699afca", "displayName": "Distinct Hosts", "description": "Distinct Hosts", "chartDatasource": { - "dashboardQuery": "7c7c7df5-701c-4d99-95a7-0bb4ae5b937b", + "dashboardQuery": "cf637d56-d47b-41b7-bd6b-4d048b7a46d2", "dataSources": [ "UDM" ] 
@@ -911,14 +882,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "a980c37d3e89e361899e5f20eb12297117996d872d1326b27beb7fec6a8eccb1" + "etag": "e2be100b171c38b3f21d1097a1db5560be0c6919267453373f5395a3d31077d2" }, { - "name": "d696f956-0c65-4e7c-af8c-7f2aa81e8d06", + "name": "459e8bf6-54e2-4177-92d6-70fcc988637b", "displayName": "Distinct Referrers", "description": "Distinct Referrers", "chartDatasource": { - "dashboardQuery": "e799876d-3903-400d-b02a-9ad5423ab716", + "dashboardQuery": "9e4a867c-5264-4eb4-a77d-4744af2fe1c1", "dataSources": [ "UDM" ] @@ -954,13 +925,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0d9dac7da4bfd5702f9d00ee209a73bca14b0fc5e0c92bfa3eb8b7670dcc2305" + "etag": "4505ed9ddf52d06a540274e8debf5a8a1588b5d92205f77377e8e871ba0645af" }, { - "name": "23665473-d8d3-4791-9924-4f9b68a6726f", + "name": "818dfd23-fc63-4380-a1c7-504804829e20", "displayName": "Host Breakdown By HTTP Method", "chartDatasource": { - "dashboardQuery": "953073b3-ca28-4190-aaa0-0a40c0d16b31", + "dashboardQuery": "7eae5dac-ad99-4bb4-acab-a055988a7684", "dataSources": [ "UDM" ] @@ -994,7 +965,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ff0dad2dd8fe8fb07af711de845b8e779b8c56dd3b0a28caa070f991cef55e40", + "etag": "58160d54a8fa104977c1b28f251652a6c6d1ecccefbb94ac54807b06814c6ee4", "drillDownConfig": { "leftDrillDowns": [ { @@ -1008,10 +979,10 @@ } }, { - "name": "ef229110-d571-4aa6-93ac-ad7414ed5a00", + "name": "7ce31b06-1d6c-452b-8fce-ab07deef8ce4", "displayName": "Local Hosts - Inbound", "chartDatasource": { - "dashboardQuery": "4b47c51b-eeb2-43db-9f53-64ac527ce7c6", + "dashboardQuery": "4b74e507-aa47-487b-a25b-743bc307c1d9", "dataSources": [ "UDM" ] 
@@ -1045,24 +1016,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "aa3d9f104bfce2c9c1a6897a63486cd3137be60610cc01ce2385ef85ff249a65", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "target_hostname", - "displayName": "Run Search on Host Header", - "defaultSettings": { - "enabled": true - } - } - ] - } + "etag": "12c67c174528f5eac36c34caf775fad9aaeee40498c92af941adc7c13bd0f097", + "drillDownConfig": {} }, { - "name": "2ccac1cf-4323-4f86-86cb-c82ec07dd517", + "name": "eca48731-30a7-447d-be92-776d2d9c683b", "displayName": "Rare User Agents", "chartDatasource": { - "dashboardQuery": "ca634718-f2a6-40f5-9b4b-190b94252d12", + "dashboardQuery": "bb76bbbc-5606-4a35-b8f3-91f69b0afd7e", "dataSources": [ "UDM" ] @@ -1096,7 +1057,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "9e4ab6eaa98cef05bc0498b6d2196d962d75886d921b14f2305e50cd5b010482", + "etag": "d0fa502abb46ed7c9ea1f62b19cb298c88da926a8e5ca8ba7ebb2371ca19f09c", "drillDownConfig": { "leftDrillDowns": [ { @@ -1110,10 +1071,10 @@ } }, { - "name": "c6248b92-b67d-4665-994f-b3d5a6704a71", + "name": "ad6957cb-63ca-479d-bf99-a50063f4ef4d", "displayName": "Distinct Host Headers - Outbound", "chartDatasource": { - "dashboardQuery": "932d9b5c-0b93-44fa-9728-596272ae5e67", + "dashboardQuery": "5c40e631-9026-4115-a995-ca85d8414bdc", "dataSources": [ "UDM" ] 
@@ -1149,12 +1110,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "20874ecd3237400f41133752df05d6892af96268e69df4e6b7eb9be2cb09de91" + "etag": "1b25d11671f720266644d4ebcc73268476e548b90c3bb3573685a6b977ed20dd", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "9a479479-ac11-4b3b-a275-1e9a52961cd2", + "name": "e40cecd8-6bd1-4472-807d-d5e2cf513be4", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $host_header\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count asc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { 
@@ -1162,32 +1124,32 @@ "startTimeVal": "1" } }, - "etag": "1e7c8c35188469aa86b45d260588c1dac360b32500e2e7bb78402ca8d01e0b76" + "etag": "f87d941044c4309c06ab1fcae4e0b4f99762a46e0fc712b8638e069c087206b6" }, { - "name": "2ff9a546-a79c-4ed3-ac48-c6e2de7e4a86", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND $local_resp=\"true\") OR ($local_orig=\"false\" AND $local_resp=\"true\")\r\n$user_agent=network.http.user_agent\r\n$user_agent!=\"\"\r\n$combined_fields=strings.concat(network.session_id target.ip, principal.ip)\r\nmatch:\r\n $user_agent\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", + "name": "d88a42bb-66d2-4450-8ce1-5e9f442ea353", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list))\r\n$user_agent=network.http.user_agent\r\n$user_agent!=\"\"\r\n$combined_fields=strings.concat(network.session_id target.ip, principal.ip)\r\nmatch:\r\n $user_agent\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "1d8e0f9d8f4810d7958fc2d575712efe9c49f690c4ad78a99a20a2ab3719d59f" + "etag": "14eade506fbe23ef6f511a0d947e111db0a5a6959538ade00010fffcd38e3acb" }, { - "name": "932d9b5c-0b93-44fa-9728-596272ae5e67", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND 
$local_resp=\"false\") OR ($local_orig=\"false\" AND $local_resp=\"false\")\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\noutcome:\r\n $count=count_distinct($host_header)\r\n", + "name": "60d3946e-8910-4035-80f9-6d2b34b2f129", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list)) OR ( not(principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list))\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\noutcome:\r\n $count=count_distinct($host_header)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "a17a512cb91ce56698b42e496e34c41a8eff73f70cc8772d5f769cc02494f195" + "etag": "fc90f5eb84ef4db51b3f05b0e7dbe526ccc4ae04a26465d9fd49fa7cfc629ed0" }, { - "name": "01340035-6f4f-4270-b4ca-13e88ea0b8ea", + "name": "91649f72-5459-4d15-a352-b4cbf3d8f3b4", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"http\" \r\noutcome:\r\n $user_agent=count_distinct(network.http.user_agent)", "input": { "relativeTime": { 
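Review bot: The rewritten query `d88a42bb-66d2-4450-8ce1-5e9f442ea353` still reads `strings.concat(network.session_id target.ip, principal.ip)` with no comma after `network.session_id`; the old query had the same text and the commit carries it over, while every other `$combined_fields` line in this diff uses `strings.concat(network.session_id, target.ip, principal.ip)`, so that user-agent panel either fails to parse or counts a different key than its siblings. Separately, the CIDR condition added in this hunk is a case split over `principal.ip` whose two branches both require `target.ip in cidr %internal_cidr_list`, so it collapses to `(target.ip in cidr %internal_cidr_list)`, assuming the `in cidr` predicate yields a plain boolean; the mirror forms in the hunks at -1195, -1228 and -1261 and in the SSL hunk at -228 likewise reduce to a single `target.ip` test or its `not(...)`. Writing the single target-side test makes the inbound/outbound intent of each panel visible at a glance and removes the impression that the principal side is being filtered.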
@@ -1195,32 +1157,32 @@ "startTimeVal": "1" } }, - "etag": "4929d43a460c6594031f727f065b27510daf0c877b190f7e7d380f7d34ffb6e4" + "etag": "d8647380a78fa542f6bfb1d9f817ff061140b4bc391fad4f0d1e3a1b8af3d877" }, { - "name": "4b47c51b-eeb2-43db-9f53-64ac527ce7c6", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND $local_resp=\"true\") OR ($local_orig=\"false\" AND $local_resp=\"true\")\r\n$target_hostname=target.hostname\r\n$target_hostname!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $target_hostname\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", + "name": "f837e0b6-b2b0-479b-930d-3c5e12d0419e", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list))\r\n$target_hostname=target.hostname\r\n$target_hostname!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $target_hostname\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ba5c024670ef34f301040929676ecf8191c7b9659d9ef8a959af52e48e8d4f89" + "etag": "164eac62e738a716213c8fc91588c41d18c6e3b511d63714d8e20f3b1b40848a" }, { - "name": "efd1a548-4b52-498d-b311-85346fa9a710", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") 
\r\n($local_orig=\"true\" AND $local_resp=\"false\") OR ($local_orig=\"false\" AND $local_resp=\"false\")\r\n$user_agent=network.http.user_agent\r\n$user_agent!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $user_agent\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc", + "name": "2c907248-756f-4773-b5af-41dd919101fa", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list))\r\n$user_agent=network.http.user_agent\r\n$user_agent!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $user_agent\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "cce78b31e1079e954d9c205760bba6d4f9e5cc9803fb2eb06fbf68b0c67a37f6" + "etag": "b01e8d30ed3039636b81bab775a687edb946a63ffa99792dbf9d92f35b67a874" }, { - "name": "0da4b34e-9273-496f-a752-7766b0461de7", + "name": "d188023e-8d50-4acc-8b27-7c986d76d905", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"conn\"\r\nnetwork.application_protocol=\"HTTP\"\r\n$principal_ip=principal.ip\r\n$principal_ip!=\"\"\r\nmatch:\r\n $principal_ip\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { 
@@ -1228,21 +1190,21 @@ "startTimeVal": "1" } }, - "etag": "02bf77fec545a453b0bfe19060fa1553ba311964a1c66c9d9d23cf5d31f95a71" + "etag": "c736a6609e9220793b4ae4d5e89f78ea97ebe46c5a4c98aea318988e11bc816f" }, { - "name": "ca16591c-0542-42da-a9c7-2f8256a72b25", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND $local_resp=\"true\") OR ($local_orig=\"false\" AND $local_resp=\"true\")\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\noutcome:\r\n $count=count_distinct($host_header)\r\n", + "name": "5c40e631-9026-4115-a995-ca85d8414bdc", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND not(target.ip in cidr %internal_cidr_list))\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\noutcome:\r\n $count=count_distinct($host_header)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "289bf532084582a425b51f36288c5903000d5ceebd223b044b8c7482d7a5b9a5" + "etag": "1b9dae119f83d2357f607845a79113aeae886d52c7bcca2fdc2a4d8a5b3ae87e" }, { - "name": "e799876d-3903-400d-b02a-9ad5423ab716", + "name": "9e4a867c-5264-4eb4-a77d-4744af2fe1c1", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"http\" \r\nnetwork.http.referral_url != \"\"\r\noutcome:\r\n $http_referrer=count_distinct(network.http.referral_url)", "input": { "relativeTime": { 
@@ -1250,10 +1212,10 @@ "startTimeVal": "1" } }, - "etag": "ab788439fd95a242a491a903b9bea3d4f4fb385b2b5a9c66b5ae00e5c2c2041c" + "etag": "7d290e7a49804a7dfbd71763f74f7780cdf572048b1f7be4ab0d449a7c80bc8d" }, { - "name": "60feaea8-77d5-43ac-b309-1369a1b511b1", + "name": "a6b12ba8-9db7-4b70-b124-b691d9680660", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"http\" \r\noutcome:\r\n $http_referrer=count_distinct(network.session_id)", "input": { "relativeTime": { 
@@ -1261,21 +1223,21 @@ "startTimeVal": "1" } }, - "etag": "0d4cc86e346c0f4ee7b7dbbb0271f68712cc65c5e2ba1b3065910513e1af95bc" + "etag": "fa349bdf647e093641eea10cf67b7f3fe8d555540c88fec71cebae777bfb169f" }, { - "name": "7ffef937-b8e4-4543-be7c-bd527f5f15dc", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND $local_resp=\"false\") OR ($local_orig=\"false\" AND $local_resp=\"false\")\r\n$target_hostname=target.hostname\r\n$target_hostname!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $target_hostname\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", + "name": "4b74e507-aa47-487b-a25b-743bc307c1d9", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n((principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list))\r\n$target_hostname=target.hostname\r\n$target_hostname!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $target_hostname\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "9fd6f19b35461013e93b32075db9da6d2b1ae5f012f91cd1b3479ce4857f268e" + "etag": "37ac6d858ab3bba693c23c8e934f8bb993b58998c358fe60a50b68f3fa72a3d8" }, { - "name": "953073b3-ca28-4190-aaa0-0a40c0d16b31", + "name": "7eae5dac-ad99-4bb4-acab-a055988a7684", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, 
principal.ip)\r\nmatch:\r\n $host_header\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", "input": { "relativeTime": { @@ -1283,10 +1245,10 @@ "startTimeVal": "1" } }, - "etag": "13a0be3fe9281c937f7c3bab3bf3718e8d5f6d75550d555daffb6a58faddb833" + "etag": "4956933dba5cf81844ae1a7ab62227de6498a3ca7281559f090c006e91f419cd" }, { - "name": "ca634718-f2a6-40f5-9b4b-190b94252d12", + "name": "bb76bbbc-5606-4a35-b8f3-91f69b0afd7e", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$user_agent=network.http.user_agent\r\n$user_agent!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $user_agent\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count asc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { @@ -1294,10 +1256,10 @@ "startTimeVal": "1" } }, - "etag": "ef50c7988c4d370d77fb27b87d802f41167ccb52cf504198b64784ea8421d5fd" + "etag": "7df2b04195bcd46ef02902779b9f769d321093720ac21ef31d7b3fdbc33c7fd9" }, { - "name": "62b9b743-99c0-4a92-8c63-5f156c6a9c06", + "name": "c79bfbbf-9cb5-4f39-a03a-24c0949418ed", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$target_hostname=target.hostname\r\n$target_hostname!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $target_hostname\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { 
@@ -1305,10 +1267,10 @@ "startTimeVal": "1" } }, - "etag": "85d3da4821ad557a655555b4ac7cd6bb3aff6fd65d2a60c7516ba3ffabb58cdf" + "etag": "b8919e0fc5fe9dfb4d897fcb59d91de1d9faf2db6949591804a8274b8ec89012" }, { - "name": "f0db2ea1-9d4f-4c2d-a15d-1cfaaa656306", + "name": "da1ed9c3-ebe7-4d13-8428-d5c2756d66ea", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\n$status_msg=about.labels[\"status_msg\"]\r\n$status_msg!=\"\"\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $status_msg\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { @@ -1316,10 +1278,10 @@ "startTimeVal": "1" } }, - "etag": "0e9c2801b4c98167cb449ce2caa8222a102a237777b56d477fe0e7e8daa6fb66" + "etag": "e60215b876029b5b6cf33e80dfbcd7304c0d2777495021482b51b7f82c0f70b4" }, { - "name": "7c7c7df5-701c-4d99-95a7-0bb4ae5b937b", + "name": "cf637d56-d47b-41b7-bd6b-4d048b7a46d2", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"http\" \r\noutcome:\r\n $host_header=count_distinct(target.hostname)", "input": { "relativeTime": { 
@@ -1327,10 +1289,10 @@ "startTimeVal": "1" } }, - "etag": "bc88d44a79162891f67f155cef25fe28d5ee3eae5ed1e69893ff5bdadb2fe004" + "etag": "ff0c0d2449ea40a41c789020cbb6e739ed211b5a7061ea10eef8d72c1fdeb2ac" }, { - "name": "df60790b-2707-4b5c-be55-f9f5057c2d72", + "name": "60aaa7a7-6035-4d44-9c5b-462ed394e711", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"http\"\r\nnetwork.http.method!=\"\"\r\n$host_header=target.hostname\r\n$host_header!=\"\"\r\n$status_code=strings.concat(network.http.response_code, \"\")\r\n$status_code!=\"\"\r\n$status_msg=about.labels[\"status_msg\"]\r\n$combined_fields=strings.concat(network.session_id, target.ip, principal.ip)\r\nmatch:\r\n $host_header, $status_code, $status_msg\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc ", "input": { "relativeTime": { @@ -1338,7 +1300,7 @@ "startTimeVal": "1" } }, - "etag": "84238fa34df03f8696dde6602a1b07f11b3d1561a04249a7221d4012d614ae2e" + "etag": "1449a233e065bae885ffdfdcd097b42d5a22138b3ce4911d2de9dd1a049d86b2" } ] } diff --git a/dashboards/Data Explorer/SSL.json b/dashboards/Data Explorer/SSL.json index 205208f..b562cbb 100644 --- a/dashboards/Data Explorer/SSL.json +++ b/dashboards/Data Explorer/SSL.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "1610311b-37d2-458f-98d5-b45b9b3d4e45", + "name": "09b2b3c4-0ace-449f-92a8-5a348c312715", "displayName": "Corelight → Data Explorer → SSL", "definition": { "filters": [ @@ -20,9 +20,9 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "ca8da243-8a64-47c8-b281-45a7cfbf36ba", - "10edc301-015c-4107-a798-5724ab26224b", - "af4da1d3-eb70-4858-8841-5d5885bc0599" + "34e47bbe-f925-4f1f-84f8-9b4f0f274201", + "29788b50-d3e8-461d-9467-abb11caa4e6e", + "4230f1bf-cc19-4484-880c-a2c48bb4dff6" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -41,15 +41,15 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "10edc301-015c-4107-a798-5724ab26224b", - "ca8da243-8a64-47c8-b281-45a7cfbf36ba", - "af4da1d3-eb70-4858-8841-5d5885bc0599" + "29788b50-d3e8-461d-9467-abb11caa4e6e", + "34e47bbe-f925-4f1f-84f8-9b4f0f274201", + "4230f1bf-cc19-4484-880c-a2c48bb4dff6" ] } ], "charts": [ { - "dashboardChart": "10edc301-015c-4107-a798-5724ab26224b", + "dashboardChart": "29788b50-d3e8-461d-9467-abb11caa4e6e", "chartLayout": { "startX": 0, "spanX": 96, @@ -62,7 +62,7 @@ ] }, { - "dashboardChart": "ca8da243-8a64-47c8-b281-45a7cfbf36ba", + "dashboardChart": "34e47bbe-f925-4f1f-84f8-9b4f0f274201", "chartLayout": { "startX": 0, "spanX": 48, @@ -75,7 +75,7 @@ ] }, { - "dashboardChart": "af4da1d3-eb70-4858-8841-5d5885bc0599", + "dashboardChart": "4230f1bf-cc19-4484-880c-a2c48bb4dff6", "chartLayout": { "startX": 48, "spanX": 48, @@ -90,15 +90,15 @@ ] }, "type": "CUSTOM", - "etag": "6f3ee367cfc9080206cb173f9ee55765d03796d9b30aa746a8f0637dd7471057", + "etag": "706030355e52f52a67a9d6f78f3471ac7ed7cd4fb6129d315301c07978c88c0b", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "10edc301-015c-4107-a798-5724ab26224b", + "name": "29788b50-d3e8-461d-9467-abb11caa4e6e", "displayName": "Top Ciphers", "chartDatasource": { - "dashboardQuery": "87f0902c-d06d-4d8d-8aa4-466e883486e7", + "dashboardQuery": "0a2026e9-0f41-41ee-bc14-202da7c9e9fb", "dataSources": [ "UDM" ] @@ -137,13 +137,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6f03304bc2f879762eefb9d7f36e7cc30596c35cc1ea8f423843534966959207" + "etag": "f815fc71500c9d7e6fba8d8e5616b2c56c59a1b96b1690989a7edd2a7acb252d" }, { - "name": "ca8da243-8a64-47c8-b281-45a7cfbf36ba", + "name": "34e47bbe-f925-4f1f-84f8-9b4f0f274201", "displayName": "Top Certificate Subjects", "chartDatasource": { - "dashboardQuery": "45760ea9-ea20-4b10-a6e0-42d58eb845d3", + "dashboardQuery": "e341cfa8-2908-4757-975f-ae59c2e55739", "dataSources": [ "UDM" ] 
@@ -177,7 +177,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "de4a39461b5fe26fce18b60b038ab0f1cc1daacf7a4ecbb36fdee0af6a8d972a", + "etag": "73e28d1a5bdb3191288ada95b96ebd0f05c856ce58e83ada69be889d962e2bb7", "drillDownConfig": { "leftDrillDowns": [ { @@ -191,10 +191,10 @@ } }, { - "name": "af4da1d3-eb70-4858-8841-5d5885bc0599", + "name": "4230f1bf-cc19-4484-880c-a2c48bb4dff6", "displayName": "Top Local Responders - Validation Status", "chartDatasource": { - "dashboardQuery": "9bfc0d96-1d37-4f26-b0e2-9d2ccd1a7183", + "dashboardQuery": "cc6a3ab6-cfd4-4a5d-b5d1-f715c4ef91dc", "dataSources": [ "UDM" ] 
@@ -228,34 +228,24 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "03b7b8fdcd3e54ed0a5f15337034275058fa0ec0ec19a9298d02be4b4af95787", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "validation_status", - "displayName": "Run Search on Validation Status", - "defaultSettings": { - "enabled": true - } - } - ] - } + "etag": "cdc00ee9c241f7c3f647bb4e835470190ca884b17017fa6a4d1c4e251fdc6dfc", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "9bfc0d96-1d37-4f26-b0e2-9d2ccd1a7183", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"ssl\"\r\n$validation_status=security_result.description\r\n$validation_status!=\"\"\r\n$local_orig=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$local_resp=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\") \r\n($local_orig=\"true\" AND $local_resp=\"true\") OR ($local_orig=\"false\" AND $local_resp=\"true\")\r\nmatch:\r\n $validation_status\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", + "name": "cc6a3ab6-cfd4-4a5d-b5d1-f715c4ef91dc", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"ssl\"\r\n$validation_status=security_result.description\r\n$validation_status!=\"\"\r\n((principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list)) OR (not(principal.ip in cidr %internal_cidr_list) AND (target.ip in cidr %internal_cidr_list))\r\nmatch:\r\n $validation_status\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "2794e30c732e5abef1835d6a6da85aeaf9f7a39edbbfd13d22ab4e6ac9de9d1b" + "etag": "35117e58b59078f2506ebe2f5b9262dacddbbdd86b2688e01c9ba5466984aa73" }, { - "name": "87f0902c-d06d-4d8d-8aa4-466e883486e7", + "name": "0a2026e9-0f41-41ee-bc14-202da7c9e9fb", "query": 
"metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"ssl\"\r\n$cipher=network.tls.cipher\r\n$cipher!=\"\"\r\nmatch:\r\n $cipher\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { @@ -263,10 +253,10 @@ "startTimeVal": "1" } }, - "etag": "e12f5534e07a14a47e663f1b12ecc94c33da306b9e5f39c0d769c94a48753a6d" + "etag": "f060c45ea99b65456b389288494c81d8381d3617978421a4187466e42033590e" }, { - "name": "45760ea9-ea20-4b10-a6e0-42d58eb845d3", + "name": "e341cfa8-2908-4757-975f-ae59c2e55739", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"ssl\"\r\n$server_name=network.tls.client.server_name\r\n$server_name!=\"\"\r\nmatch:\r\n $server_name\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", "input": { "relativeTime": { @@ -274,7 +264,7 @@ "startTimeVal": "1" } }, - "etag": "740c03b0242f08b27dfa95e264996aed6f7ed2c5d2410cd49ed2c4a950e0c783" + "etag": "086b64bec914f909e4ecb1469e72a14c39c0394d452936c6b452048e9efe80a8" } ] } diff --git a/dashboards/Data Explorer/x509.json b/dashboards/Data Explorer/x509.json index ab2061f..7d07410 100644 --- a/dashboards/Data Explorer/x509.json +++ b/dashboards/Data Explorer/x509.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "ffa1fb58-6762-492a-9b67-4d9361ac76b7", + "name": "e0e00777-708c-4f28-b91c-354cb36d7801", "displayName": "Corelight → Data Explorer → x509", "definition": { "filters": [ @@ -20,9 +20,9 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "c981a126-162f-415a-8f8b-efa7817aa591", - "799438d8-0cd7-4497-950d-c55ae1801f4e", - "04b95d7d-1f95-4f6d-b27a-b5377c342b75" + "3ed38560-aea7-4f9e-a57c-4ec003bb7870", + "c5eef646-dbff-4a69-8198-3862a7fe52a1", + "c314c523-c9b2-4313-9212-71f073a27d8c" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -41,15 +41,15 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "c981a126-162f-415a-8f8b-efa7817aa591", - "799438d8-0cd7-4497-950d-c55ae1801f4e", - "04b95d7d-1f95-4f6d-b27a-b5377c342b75" + "3ed38560-aea7-4f9e-a57c-4ec003bb7870", + "c5eef646-dbff-4a69-8198-3862a7fe52a1", + "c314c523-c9b2-4313-9212-71f073a27d8c" ] } ], "charts": [ { - "dashboardChart": "799438d8-0cd7-4497-950d-c55ae1801f4e", + "dashboardChart": "c5eef646-dbff-4a69-8198-3862a7fe52a1", "chartLayout": { "startX": 0, "spanX": 48, @@ -62,7 +62,7 @@ ] }, { - "dashboardChart": "04b95d7d-1f95-4f6d-b27a-b5377c342b75", + "dashboardChart": "c314c523-c9b2-4313-9212-71f073a27d8c", "chartLayout": { "startX": 48, "spanX": 48, @@ -75,7 +75,7 @@ ] }, { - "dashboardChart": "c981a126-162f-415a-8f8b-efa7817aa591", + "dashboardChart": "3ed38560-aea7-4f9e-a57c-4ec003bb7870", "chartLayout": { "startX": 0, "spanX": 96, @@ -90,15 +90,15 @@ ] }, "type": "CUSTOM", - "etag": "82af039dc116b41cd574a1f936c09460b45688a54dfc4f620c9857b4f65d932f", + "etag": "262ea13e13a8b2f39849f9e6ea72340161a974b24d888314a60ed48ce8f8bc86", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "04b95d7d-1f95-4f6d-b27a-b5377c342b75", + "name": "c314c523-c9b2-4313-9212-71f073a27d8c", "displayName": "x509 Rare Subjects", "chartDatasource": { - "dashboardQuery": "f1ff5ba1-24ac-4377-9f19-3c132e9baf31", + "dashboardQuery": "fa2df226-5427-4e43-9099-ec9f4a9fe3d2", "dataSources": [ "UDM" ] @@ -132,7 +132,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e8952a56701ca683c694d52ed869b7972572c2f98f7328bc052ab7a0a501c999", + "etag": "1e3c0180156f01dd1498969683c174854e8fecd549e786609424a389a80f5dee", "drillDownConfig": { "leftDrillDowns": [ { 
@@ -146,10 +146,10 @@ } }, { - "name": "799438d8-0cd7-4497-950d-c55ae1801f4e", + "name": "c5eef646-dbff-4a69-8198-3862a7fe52a1", "displayName": "x509 Top Subjects", "chartDatasource": { - "dashboardQuery": "bf673c4a-5f77-46aa-b748-d2dc4d29688c", + "dashboardQuery": "baf43451-39e0-40ef-b1e7-ce7649144ae9", "dataSources": [ "UDM" ] @@ -183,7 +183,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "eec62d657f8f84df7963fd76a76416d246616e9c14f36d68bb20dd2113852ebf", + "etag": "ad338df1de0046f79ad294ca84ae2dbf089702a7abb2730727602c3e16da47ea", "drillDownConfig": { "leftDrillDowns": [ { @@ -197,10 +197,10 @@ } }, { - "name": "c981a126-162f-415a-8f8b-efa7817aa591", + "name": "3ed38560-aea7-4f9e-a57c-4ec003bb7870", "displayName": "x509 Expired Certificates", "chartDatasource": { - "dashboardQuery": "a9c4b939-05a3-4733-b6f7-1064ad966069", + "dashboardQuery": "7f0a7b48-1aeb-45bb-bc78-8743a95a578c", "dataSources": [ "UDM" ] @@ -234,13 +234,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ec5013e2cca04d0e9da70a69cc4f387a9a9d414b1fbaab94d60287beecc88236", + "etag": "e79ae6d2c32e2977ef405dafbf44cf849992e9423a2d00aaca762c93ae453622", "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "f1ff5ba1-24ac-4377-9f19-3c132e9baf31", + "name": "fa2df226-5427-4e43-9099-ec9f4a9fe3d2", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"x509\"\r\n$ssl_subject=about.domain.last_https_certificate.subject.common_name\r\n$ssl_subject!=\"\"\r\nmatch:\r\n $ssl_subject\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count asc \r\nlimit:\r\n 10", "input": { "relativeTime": { 
@@ -248,10 +248,10 @@ "startTimeVal": "1" } }, - "etag": "db916f92dab0e0ba7b7adcaacde9aa749b17bfa9b6bba0ad7a6df776693ed167" + "etag": "9430ed6fa539ae4be029af8b2442b933037f30412907536c5dc0f621fa022148" }, { - "name": "bf673c4a-5f77-46aa-b748-d2dc4d29688c", + "name": "baf43451-39e0-40ef-b1e7-ce7649144ae9", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"x509\"\r\n$ssl_subject=about.domain.last_https_certificate.subject.common_name\r\n$ssl_subject!=\"\"\r\nmatch:\r\n $ssl_subject\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { @@ -259,18 +259,18 @@ "startTimeVal": "1" } }, - "etag": "db167422d9aa45138ce80fc69aa3e61af72b9305d4a31ca3c8da0311e2a6ecfc" + "etag": "4e415bd2c6e696a5ca58d63c534947e81528b89ae0023c31b67048a01ae2b8f0" }, { - "name": "a9c4b939-05a3-4733-b6f7-1064ad966069", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"x509\" \r\n$certificate_expired = if(timestamp.current_seconds() > network.tls.server.certificate.not_after.seconds, \"Expired\", \"Not Expired\")\r\n$certificate_expired=\"Expired\"\r\n$not_after=timestamp.get_timestamp(network.tls.server.certificate.not_after.seconds)\r\nmatch:\r\n $not_after, about.domain.last_https_certificate.subject.common_name", + "name": "7f0a7b48-1aeb-45bb-bc78-8743a95a578c", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"x509\"\r\ntimestamp.current_seconds() > network.tls.server.certificate.not_after.seconds\r\n$not_after=timestamp.get_timestamp(network.tls.server.certificate.not_after.seconds)\r\nmatch:\r\n $not_after, about.domain.last_https_certificate.subject.common_name", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "24e701b555182eabcd92aa0a694dac9361d0253b92af9257a9b7f1c7fe29e77c" + "etag": "da4ac55506ab43137b32913d4bb594ee8b0bad259978f26ee5e7474a5b1b8bf3" } ] } 
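Review bot: The new x509 query `7f0a7b48-1aeb-45bb-bc78-8743a95a578c` filters on `timestamp.current_seconds() > network.tls.server.certificate.not_after.seconds` with no check that `not_after` is populated; if the engine evaluates an unset `not_after.seconds` as 0 (not confirmable from this diff), every certificate whose validity period did not parse would appear on the "x509 Expired Certificates" panel as expired. The old `$certificate_expired` form had the same gap, so this is carried over rather than introduced. Adding `network.tls.server.certificate.not_after.seconds > 0` as a line before the comparison restricts the panel to certificates with a known expiry, and the `$not_after` match key would then never be the zero timestamp.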
diff --git a/dashboards/README.md b/dashboards/README.md
index 66aaf40..bb0268e 100644
--- a/dashboards/README.md
+++ b/dashboards/README.md
@@ -1,94 +1,94 @@ -# Google SecOps Native Dashboards for Corelight - -## Overview - -This guide provides step-by-step instructions for setting up and utilizing **Google SecOps Native Dashboards** to monitor and analyze network traffic data. By leveraging the capabilities of Chronicle Backstory, these dashboards deliver scalable, real-time insights across your organization's infrastructure, enhancing your security operations and visibility. - -## Pre-requisites - -Before you begin, ensure the following prerequisites are met: - -- **Google SecOps Platform Access:** You must have an active account with access to the Google SecOps platform. -- **Google SecOps Native Dashboards Access:** Ensure you have the necessary permissions to access and create custom dashboards in the native dashboards section. -- **GitHub Repository Access:** Ensure you have access to the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository, which includes the necessary dashboard configuration files. Also, verify that the required parsers are enabled and logs are sent to Google Security Operations using Corelight Sensor which is stated [here](https://github.com/corelight/CorelightForSecOps/blob/main/README.md). - -## Installation & Configuration - -### Create a reference list (For identifying Internal/External IPs) - -1. Head over to the **Google SecOps** Platform - -![image](https://github.com/user-attachments/assets/874b4098-aba6-4725-8b90-710cdf26c7d7) - -2. From the left side menu go to **Detections -> Lists** Section - -![image](https://github.com/user-attachments/assets/c52a8abe-918e-4248-9e04-c6673d9a0572) - -3. Now a List manager popup will appear. Click on **Create** button for creating a new List. - -![image](https://github.com/user-attachments/assets/184a9b83-357f-48f2-b643-0ed9889ed6ee) - -4. In the popup, select the **Syntax type** of the list as **CIDR** and name the title of the list as **internal_cidr_list**. 
Also, add the **IP CIDR range** (as per your requirement) in the last section. - -![image](https://github.com/user-attachments/assets/461f3d11-c773-4560-b54f-6087e3994024) - -5. Finally, Click on **Save Edits** from the bottom right corner and your CIDR list will be created. - -![image](https://github.com/user-attachments/assets/4af98b59-a14b-4604-be6f-87571c066235) - -### Deploy Dashboards from GitHub Repository - -To set up the SecOps Native Dashboards, you'll need to deploy them from the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository. Follow these steps to do so: - -### Step 1: Download Dashboard Configuration Files from GitHub - -- Navigate to the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository and head over to the [dashboards](https://github.com/corelight/CorelightForSecOps/tree/develop/dashboards) folder. -- Download the JSON configuration files for the dashboards to your local machine. - -![image](https://github.com/user-attachments/assets/f0af3868-c901-4e82-80dc-69983e1139f3) - -### Step 2: Open Google SecOps and Navigate to Native Dashboards - -- Launch the Google SecOps platform in your preferred browser. -- Navigate to the Native Dashboards section in the interface. -- In the Native Dashboards section you will see a list of curated and custom dashboards. - -![image](https://github.com/user-attachments/assets/2cec139a-6db1-4380-9c79-07583e9b2755) - -![image](https://github.com/user-attachments/assets/c0505d91-f985-43c5-8b54-0d1d566ca36c) - -### Step 3: Import the downloaded dashboards - -- In the top-right corner, click the downward arrow next to the New Dashboard button. -- Select Import from JSON from the dropdown menu. - -![image](https://github.com/user-attachments/assets/0e7f73ab-cdd3-4ba3-9770-f5b24f2895d8) - -### Step 4: Upload the Desired Dashboard JSON File - -- A dialog will prompt you to upload a file. Click on **Upload dashboard files**. 
-- Browse your local system and select the desired JSON file from the downloaded configurations. -- Click **Import** to complete the upload. - -![image](https://github.com/user-attachments/assets/432124a1-e712-4467-adf2-821393c003be) - -### Step 5: Rename the Imported Dashboard (Optional) - -- When importing a dashboard from your local machine, after selecting the file in the pop-up window, click the **Edit** button next to the selected dashboard file and rename it according to your preference and click on **Save** button. -- Also, you can change the access of your dashboard to public or private based on your preferences. -- Lastly, click on **Import** after editing the name. - -![image](https://github.com/user-attachments/assets/1e8ae580-9851-4618-a13a-85b494f65a11) - -![image](https://github.com/user-attachments/assets/e1b33f21-461c-4a8c-8eb8-ae37e1683b44) - -### Step 6: Access and View Your Imported Dashboard - -- Use the search bar to locate the newly imported dashboard by name. -- Click on the dashboard to view its contents, including charts, graphs, and real-time data visualizations. - -![image](https://github.com/user-attachments/assets/7caf9f95-21a7-4de2-9063-934902280bd3) - -![image](https://github.com/user-attachments/assets/41a43024-4004-4f21-a84b-2a0c5f7dcb18) - -After clicking on the dashboard you imported, you will be able to view your dashboard based on your instance data. +# Google SecOps Native Dashboards for Corelight + +## Overview + +This guide provides step-by-step instructions for setting up and utilizing **Google SecOps Native Dashboards** to monitor and analyze network traffic data. By leveraging the capabilities of Chronicle Backstory, these dashboards deliver scalable, real-time insights across your organization's infrastructure, enhancing your security operations and visibility. 
+ +## Pre-requisites + +Before you begin, ensure the following prerequisites are met: + +- **Google SecOps Platform Access:** You must have an active account with access to the Google SecOps platform. +- **Google SecOps Native Dashboards Access:** Ensure you have the necessary permissions to access and create custom dashboards in the native dashboards section. +- **GitHub Repository Access:** Ensure you have access to the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository, which includes the necessary dashboard configuration files. Also, verify that the required parsers are enabled and logs are sent to Google Security Operations using Corelight Sensor which is stated [here](https://github.com/corelight/CorelightForSecOps/blob/main/README.md). + +## Installation & Configuration + +### Create a reference list (For identifying Internal/External IPs) + +1. Head over to the **Google SecOps** Platform + +![image](https://github.com/user-attachments/assets/874b4098-aba6-4725-8b90-710cdf26c7d7) + +2. From the left side menu go to **Detections -> Lists** Section + +![image](https://github.com/user-attachments/assets/c52a8abe-918e-4248-9e04-c6673d9a0572) + +3. Now a List manager popup will appear. Click on **Create** button for creating a new List. + +![image](https://github.com/user-attachments/assets/184a9b83-357f-48f2-b643-0ed9889ed6ee) + +4. In the popup, select the **Syntax type** of the list as **CIDR** and name the title of the list as **internal_cidr_list**. Also, add the **IP CIDR range** (as per your requirement) in the last section. + +![image](https://github.com/user-attachments/assets/461f3d11-c773-4560-b54f-6087e3994024) + +5. Finally, Click on **Save Edits** from the bottom right corner and your CIDR list will be created. 
+ +![image](https://github.com/user-attachments/assets/4af98b59-a14b-4604-be6f-87571c066235) + +### Deploy Dashboards from GitHub Repository + +To set up the SecOps Native Dashboards, you'll need to deploy them from the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository. Follow these steps to do so: + +### Step 1: Download Dashboard Configuration Files from GitHub + +- Navigate to the [CorelightForSecOps](https://github.com/corelight/CorelightForSecOps/tree/main) GitHub repository and head over to the [dashboards](https://github.com/corelight/CorelightForSecOps/tree/develop/dashboards) folder. +- Download the JSON configuration files for the dashboards to your local machine. + +![image](https://github.com/user-attachments/assets/f0af3868-c901-4e82-80dc-69983e1139f3) + +### Step 2: Open Google SecOps and Navigate to Native Dashboards + +- Launch the Google SecOps platform in your preferred browser. +- Navigate to the Native Dashboards section in the interface. +- In the Native Dashboards section you will see a list of curated and custom dashboards. + +![image](https://github.com/user-attachments/assets/2cec139a-6db1-4380-9c79-07583e9b2755) + +![image](https://github.com/user-attachments/assets/c0505d91-f985-43c5-8b54-0d1d566ca36c) + +### Step 3: Import the downloaded dashboards + +- In the top-right corner, click the downward arrow next to the New Dashboard button. +- Select Import from JSON from the dropdown menu. + +![image](https://github.com/user-attachments/assets/0e7f73ab-cdd3-4ba3-9770-f5b24f2895d8) + +### Step 4: Upload the Desired Dashboard JSON File + +- A dialog will prompt you to upload a file. Click on **Upload dashboard files**. +- Browse your local system and select the desired JSON file from the downloaded configurations. +- Click **Import** to complete the upload. 
+ +![image](https://github.com/user-attachments/assets/432124a1-e712-4467-adf2-821393c003be) + +### Step 5: Rename the Imported Dashboard (Optional) + +- When importing a dashboard from your local machine, after selecting the file in the pop-up window, click the **Edit** button next to the selected dashboard file and rename it according to your preference and click on **Save** button. +- Also, you can change the access of your dashboard to public or private based on your preferences. +- Lastly, click on **Import** after editing the name. + +![image](https://github.com/user-attachments/assets/1e8ae580-9851-4618-a13a-85b494f65a11) + +![image](https://github.com/user-attachments/assets/e1b33f21-461c-4a8c-8eb8-ae37e1683b44) + +### Step 6: Access and View Your Imported Dashboard + +- Use the search bar to locate the newly imported dashboard by name. +- Click on the dashboard to view its contents, including charts, graphs, and real-time data visualizations. + +![image](https://github.com/user-attachments/assets/7caf9f95-21a7-4de2-9063-934902280bd3) + +![image](https://github.com/user-attachments/assets/41a43024-4004-4f21-a84b-2a0c5f7dcb18) + +After clicking on the dashboard you imported, you will be able to view your dashboard based on your instance data. diff --git a/dashboards/Security Posture/Remote Activity Insights.json b/dashboards/Security Posture/Remote Activity Insights.json index 7e11f10..d7eedc5 100644 --- a/dashboards/Security Posture/Remote Activity Insights.json +++ b/dashboards/Security Posture/Remote Activity Insights.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "3b9b300b-8e8c-4dc8-969b-bc3b31b43d02", + "name": "f74564e2-3c67-477b-b70c-9ca43363d5a9", "displayName": "Corelight → Data Insights → Remote Activity Insights", "definition": { "filters": [ 
@@ -20,16 +20,16 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "daa13044-a597-467a-bba2-b4001e7b0e78", - "39b3b71e-ebc9-43e9-b85b-639b93f05c70", - "34a20195-d66d-4314-ac32-1a806a1ab16c", - "8267b3be-f494-4cc1-9bf9-ee8c75c87ea0", - "95154f0e-cdd7-40d6-bf2b-aa1023a5302b", - "c9007d71-3d38-44f8-a795-fcfb5846f822", - "2c6cf935-57fa-4141-927f-862c6049a07a", - "95f092ee-152a-4439-824d-ed974aed2a5c", - "6fe85796-0749-4d7e-917f-576f3a90400a", - "53b538fa-48ec-43c4-b93d-637eaf2fe233" + "327a4e0e-f7f0-49dd-9865-0000cc683590", + "6dda1711-4996-4b5e-b68a-c3763c9e155a", + "3920e495-fed7-4b34-bd70-963923ab0f5c", + "a13dfc9a-645f-4288-b578-d7aac7f1f253", + "c8f148bb-5ce0-4b69-9adf-dfcc2a350a35", + "20431623-cf1a-42fa-a541-4adcc48c59c7", + "b2e69944-1d71-47ff-a1a8-5b5fb70930cc", + "a2ee2145-c4b8-4b37-a60c-e11964fb5ee0", + "28f1398d-27f4-467f-98e7-b783ab5ae1b9", + "8f6f5a6f-f339-4744-9f19-87f401931319" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true @@ -37,7 +37,7 @@ ], "charts": [ { - "dashboardChart": "c9007d71-3d38-44f8-a795-fcfb5846f822", + "dashboardChart": "20431623-cf1a-42fa-a541-4adcc48c59c7", "chartLayout": { "startX": 0, "spanX": 48, @@ -49,7 +49,7 @@ ] }, { - "dashboardChart": "6fe85796-0749-4d7e-917f-576f3a90400a", + "dashboardChart": "28f1398d-27f4-467f-98e7-b783ab5ae1b9", "chartLayout": { "startX": 48, "spanX": 48, @@ -61,7 +61,7 @@ ] }, { - "dashboardChart": "2c6cf935-57fa-4141-927f-862c6049a07a", + "dashboardChart": "b2e69944-1d71-47ff-a1a8-5b5fb70930cc", "chartLayout": { "startX": 0, "spanX": 48, @@ -73,7 +73,7 @@ ] }, { - "dashboardChart": "39b3b71e-ebc9-43e9-b85b-639b93f05c70", + "dashboardChart": "6dda1711-4996-4b5e-b68a-c3763c9e155a", "chartLayout": { "startX": 48, "spanX": 48, @@ -85,7 +85,7 @@ ] }, { - "dashboardChart": "8267b3be-f494-4cc1-9bf9-ee8c75c87ea0", + "dashboardChart": "a13dfc9a-645f-4288-b578-d7aac7f1f253", "chartLayout": { "startX": 0, "spanX": 48, 
@@ -97,7 +97,7 @@ ] }, { - "dashboardChart": "daa13044-a597-467a-bba2-b4001e7b0e78", + "dashboardChart": "327a4e0e-f7f0-49dd-9865-0000cc683590", "chartLayout": { "startX": 0, "spanX": 48, @@ -109,7 +109,7 @@ ] }, { - "dashboardChart": "34a20195-d66d-4314-ac32-1a806a1ab16c", + "dashboardChart": "3920e495-fed7-4b34-bd70-963923ab0f5c", "chartLayout": { "startX": 48, "spanX": 48, @@ -121,7 +121,7 @@ ] }, { - "dashboardChart": "95f092ee-152a-4439-824d-ed974aed2a5c", + "dashboardChart": "a2ee2145-c4b8-4b37-a60c-e11964fb5ee0", "chartLayout": { "startX": 48, "spanX": 48, @@ -133,7 +133,7 @@ ] }, { - "dashboardChart": "95154f0e-cdd7-40d6-bf2b-aa1023a5302b", + "dashboardChart": "c8f148bb-5ce0-4b69-9adf-dfcc2a350a35", "chartLayout": { "startX": 0, "spanX": 48, @@ -145,7 +145,7 @@ ] }, { - "dashboardChart": "53b538fa-48ec-43c4-b93d-637eaf2fe233", + "dashboardChart": "8f6f5a6f-f339-4744-9f19-87f401931319", "chartLayout": { "startX": 0, "spanX": 48, @@ -159,16 +159,16 @@ ] }, "type": "CUSTOM", - "etag": "e0524fd50402499b7e6dcfb3e5b4c2f0e61911fd5f5329b8ba36f4bfa0b87565", + "etag": "4054e4582c92804c89d897606d9f26686de9ee0aa1f247b610cd166d7978018f", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "6fe85796-0749-4d7e-917f-576f3a90400a", + "name": "28f1398d-27f4-467f-98e7-b783ab5ae1b9", "displayName": " Identifying Failed RDP Logins", "description": "Monitoring failed RDP logins is essential for detecting unauthorized access attempts. Security teams should analyze patterns of failed entries against user and IP data to identify potential breaches. This focus helps in quickly addressing vulnerabilities in RDP security. Effective monitoring of these incidents is crucial for maintaining system integrity.", "chartDatasource": { - "dashboardQuery": "532512d2-1725-4101-bfd2-75e16a6a1d43", + "dashboardQuery": "57680d35-b65f-40c6-b019-cfd044a1f66e", "dataSources": [ "UDM" ] 
@@ -204,14 +204,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "465e9839255998e2000c1c423457de1b401d3af29b2a4ef5650a7ea20a353c6c", + "etag": "f64f0620603dfd214cb2ac723225e9886e6c856613e222c135c0665ab520dc65", "drillDownConfig": {} }, { - "name": "39b3b71e-ebc9-43e9-b85b-639b93f05c70", + "name": "6dda1711-4996-4b5e-b68a-c3763c9e155a", "displayName": " ", "chartDatasource": { - "dashboardQuery": "63e77b08-451b-4054-87df-ffcb34aca26d", + "dashboardQuery": "c2ee4cbc-b6c0-4c74-9e12-80d39fa2df2b", "dataSources": [ "UDM" ] @@ -261,15 +261,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e40030065fb2ec67e85b1e4e62b3c8d28e7f48a1124f70c0c5e5c6c8264f1eae", + "etag": "d96c24222d9ca279929b555bdd94a537c77ebd2940168823da7088521064a3fa", "drillDownConfig": {} }, { - "name": "95154f0e-cdd7-40d6-bf2b-aa1023a5302b", + "name": "c8f148bb-5ce0-4b69-9adf-dfcc2a350a35", "displayName": " Possible Unauthorized Remote Access Attempts", "description": "Monitoring for \"RW\" (Road Warrior) and \"FW\" (Firewall subversion) inferences is crucial for detecting potential unauthorized access, as these patterns may indicate attempts to bypass security controls. Security teams should prioritize correlating these inferences with internal IP ranges and device logs to identify suspicious activities.", "chartDatasource": { - "dashboardQuery": "45c70baf-7154-414e-804c-d0a5e09207a5", + "dashboardQuery": "4817b565-362f-4328-8615-cf74b215ee84", "dataSources": [ "UDM" ] 
@@ -305,15 +305,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "25e55683048e4c4052ec3914523fc554231105e0a21387e95c6c06a4b0eacb9f", + "etag": "3731c5a4407e166c0dae870e63f5f6993546f0ebf0af3ae7243be5eb52471606", "drillDownConfig": {} }, { - "name": "c9007d71-3d38-44f8-a795-fcfb5846f822", + "name": "20431623-cf1a-42fa-a541-4adcc48c59c7", "displayName": " RDP Authentication Attempts", "description": "Monitoring RDP authentications is crucial for identifying unauthorized access and distinguishing between successful and failed login attempts. Security teams should analyze trends and cross-reference user activity for rapid response and mitigation.", "chartDatasource": { - "dashboardQuery": "8654f6da-c0c0-4a62-9012-9ea9a91c394c", + "dashboardQuery": "38ef71a0-e41e-4fd6-941f-7fa65fa6ee81", "dataSources": [ "UDM" ] @@ -349,14 +349,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "fdb8d00d6beb5efc3ae7336bf0634d54fc262de34cf9567848c4d6b4ddd93f01", + "etag": "61e67c11f96eecc5e359dfac1a0310ca8617a31cb362b67ef2e7ff4d5ccdeba4", "drillDownConfig": {} }, { - "name": "daa13044-a597-467a-bba2-b4001e7b0e78", + "name": "327a4e0e-f7f0-49dd-9865-0000cc683590", "displayName": " ", "chartDatasource": { - "dashboardQuery": "8f87281b-2d8b-4783-8532-0804f893d315", + "dashboardQuery": "0749538b-08c0-4ecf-a7d7-77f93fa1db5e", "dataSources": [ "UDM" ] @@ -402,7 +402,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "466ac4da7a7d38e5c9261d014d8403b5a790394c060e45ca1ce5c4dc7986d230", + "etag": "b1ed6730a66ff96e889747c8c2f99a6d7b26e59cea85deb4f0fac923d27e14e1", "drillDownConfig": { "leftDrillDowns": [ { 
@@ -437,10 +437,10 @@ } }, { - "name": "53b538fa-48ec-43c4-b93d-637eaf2fe233", + "name": "8f6f5a6f-f339-4744-9f19-87f401931319", "displayName": " ", "chartDatasource": { - "dashboardQuery": "0d182617-15f0-4750-b6bf-02c0d28c6b56", + "dashboardQuery": "d3a022e0-44a7-47c1-bd4a-4d235c25f5b7", "dataSources": [ "UDM" ] @@ -498,7 +498,7 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "1250e3071096af811fdd3753ed1f939001de29c697de1f0cbb8e809484b808af", + "etag": "eec91e70ad3cd6d37bddb07f862641e178d6405a9e44612801201f0d7be70c3b", "drillDownConfig": { "leftDrillDowns": [ { @@ -512,11 +512,11 @@ } }, { - "name": "34a20195-d66d-4314-ac32-1a806a1ab16c", + "name": "3920e495-fed7-4b34-bd70-963923ab0f5c", "displayName": " Suspected Data Exfiltration", "description": "Unmonitored commercial VPNs with atypical traffic patterns or static keys could be used to bypass security controls for data theft. Investigate: Examine VPN sessions with large outgoing transfers, focusing on unusual destinations or protocols.", "chartDatasource": { - "dashboardQuery": "3d5ef21a-07ab-4223-bda3-295b98a0a8c8", + "dashboardQuery": "52dd4173-39aa-494b-8b7d-4df285fdff86", "dataSources": [ "UDM" ] @@ -552,14 +552,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ec5e82a566ffbd8ccc92d8c227b1b2fa12813f8c6627f920e48ee3b64900ff21", + "etag": "083e6c24bfbfac0aa81eaba550e34281824d6ee536f4fea42142ec15f5bde227", "drillDownConfig": {} }, { - "name": "95f092ee-152a-4439-824d-ed974aed2a5c", + "name": "a2ee2145-c4b8-4b37-a60c-e11964fb5ee0", "displayName": " ", "chartDatasource": { - "dashboardQuery": "9cf0196a-47f4-4a7a-876f-b95fa89618c6", + "dashboardQuery": "ef0d0817-b729-4e4b-8a96-4ba51a8d78eb", "dataSources": [ "UDM" ] 
@@ -609,15 +609,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "3807723de561c76030b711d7e7203ba3544dbe972f0683d04397824434508d58", + "etag": "22ccd4bc425fd6c7e244464dc7cf991a7f7841b2b1408dd0deb197cf9dc4033f", "drillDownConfig": {} }, { - "name": "2c6cf935-57fa-4141-927f-862c6049a07a", + "name": "b2e69944-1d71-47ff-a1a8-5b5fb70930cc", "displayName": "Failed vs Successful Authentications", "description": "Total count of RDP success and failed actions within the specified time", "chartDatasource": { - "dashboardQuery": "1522525b-4fe2-4fb3-9eca-c304b9606d99", + "dashboardQuery": "080fa82b-6c14-40f5-9826-54c5c0153fbd", "dataSources": [ "UDM" ] @@ -625,12 +625,30 @@ "visualization": { "series": [ { + "seriesName": "success", "seriesType": "LINE", "encode": { "x": "date_hour", "y": "count" }, - "dataLabel": {} + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "success" + }, + { + "seriesName": "failure", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "failure" } ], "xAxes": [ @@ -641,7 +659,7 @@ ], "yAxes": [ { - "axisType": "CATEGORY", + "axisType": "VALUE", "displayName": "Count" } ], 
@@ -657,15 +675,15 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d142575ae55ce1e85c8a78a27c20bcb440d876f4fe828b06a92369e31393d560", + "etag": "5c246c20de734ab460a20b4ede0a7a9fb99e62645296fa084100e69e005ad9bb", "drillDownConfig": {} }, { - "name": "8267b3be-f494-4cc1-9bf9-ee8c75c87ea0", + "name": "a13dfc9a-645f-4288-b578-d7aac7f1f253", "displayName": " Unusual Remote Activity", "description": "The combination of the \"COM\", \"RW\", and \"NSP\" inferences in a single VPN connection raises questions: Policy Violation: Is the use of commercial VPNs allowed in your organization's security policy? If not, this could indicate a violation. Hidden Activity: Is the non-standard port usage an attempt to mask other activities happening over the VPN tunnel?", "chartDatasource": { - "dashboardQuery": "070d1396-e67b-4b95-a335-829db3a7bdba", + "dashboardQuery": "5f08f22b-62e7-4a0f-a0c8-839e8c92513b", "dataSources": [ "UDM" ] @@ -701,13 +719,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d88d78f3aff3de3bf4a0c78d38d1047548b18f49225e49e5e0375e9495c40872", + "etag": "077d6eaf8641419000fb9700fe4d88c9ebaf91b4e416530703ce45c07d376414", "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "45c70baf-7154-414e-804c-d0a5e09207a5", + "name": "4817b565-362f-4328-8615-cf74b215ee84", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"RW\" OR about.labels.value = \"FW\"\r\n\r\noutcome:\r\n $count = count_distinct(network.session_id)", "input": { "relativeTime": { 
@@ -715,32 +733,32 @@ "startTimeVal": "1" } }, - "etag": "84dd75f9192230caaf1853b3d6da57ac11bd06d69d4b8253cc1089b4b66de4f1" + "etag": "59e6295114acce82d1b30e327e709a1337969a3f7b143d203a20f03a66e2a5ee" }, { - "name": "1522525b-4fe2-4fb3-9eca-c304b9606d99", - "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = \"rdp\"\r\n$action=if(about.labels[\"result\"] = \"Success\", \"success\", \r\n if(about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\",\r\n if(security_result.action = \"ALLOW\", \"success\",\r\n if(security_result.action = \"FAIL\", \"failure\", \"Unknown\"\r\n ))))\r\n$action!=\"Unknown\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $action\r\noutcome:\r\n $count = count(metadata.id)\r\n", + "name": "080fa82b-6c14-40f5-9826-54c5c0153fbd", + "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = \"rdp\"\r\n$action=if(about.labels[\"result\"] = \"Success\", \"success\", \r\n if(about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\",\r\n if(security_result.action = \"ALLOW\", \"success\",\r\n if(security_result.action = \"FAIL\", \"failure\", \"Unknown\"\r\n ))))\r\nabout.labels[\"result\"] = \"Success\" OR about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\" OR security_result.action = \"ALLOW\" OR security_result.action = \"FAIL\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $action\r\noutcome:\r\n $count = count(metadata.id)\r\norder:\r\n $date_hour", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ecb1958e4cf34c3bff592d52450582ff23a752260036e2a29779a9f97ef58708" + "etag": "05b203688e9125a0130668e2577c9fbe307c1a4db2a89d44bb9987035a6cdfa5" }, { - "name": "8654f6da-c0c0-4a62-9012-9ea9a91c394c", - "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = 
\"rdp\"\r\n$action=if(about.labels[\"result\"] = \"Success\", \"success\", \r\n if(about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\",\r\n if(security_result.action = \"ALLOW\", \"Success\",\r\n if(security_result.action = \"FAIL\", \"failure\", \"Unknown\"\r\n ))))\r\n$action!=\"Unknown\"\r\noutcome:\r\n $count = count(metadata.id)", + "name": "38ef71a0-e41e-4fd6-941f-7fa65fa6ee81", + "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = \"rdp\"\r\n$action=if(about.labels[\"result\"] = \"Success\", \"success\", \r\n if(about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\",\r\n if(security_result.action = \"ALLOW\", \"Success\",\r\n if(security_result.action = \"FAIL\", \"failure\", \"Unknown\"\r\n ))))\r\nabout.labels[\"result\"] = \"Success\" OR about.labels[\"result\"] = \"SSL_NOT_ALLOWED_BY_SERVER\" OR security_result.action = \"ALLOW\" OR security_result.action = \"FAIL\"\r\noutcome:\r\n $count = count(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "1ea687608315e24679650d02a9786c3b51d3f9121999395cb6f9d636c31d389b" + "etag": "d2f5bcd5bce6dc1f8738d19707c1ce40505dda4a07db372dbf199a9ac9d24fb3" }, { - "name": "070d1396-e67b-4b95-a335-829db3a7bdba", + "name": "5f08f22b-62e7-4a0f-a0c8-839e8c92513b", "query": "metadata.vendor_name = \"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"COM\" OR about.labels.value = \"NSP\" OR about.labels.value = \"RW\"\r\n$combine_count = strings.concat(principal.ip, target.ip, about.labels.value, about.labels[\"vpn_type\"])\r\n\r\noutcome:\r\n $count=count_distinct($combine_count)", "input": { "relativeTime": { 
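Review bot: The `$action` expression in the new query for `38ef71a0-e41e-4fd6-941f-7fa65fa6ee81` still returns `"Success"` (capital S) for the `security_result.action = "ALLOW"` branch while the `about.labels["result"] = "Success"` branch returns `"success"`, so the same outcome is spelled two ways; the sibling query `080fa82b-6c14-40f5-9826-54c5c0153fbd` in the same hunk uses lowercase `"success"` for both. Today this query only counts events, so the casing does not change the total, but the chart for `080fa82b` splits series on `seriesUniqueValue: "success"` / `"failure"`, and if `$action` is ever added to a `match:` here the ALLOW successes would land in a third bucket that no series picks up. Change the branch to `if(security_result.action = \"ALLOW\", \"success\",` so the two RDP queries agree. The explicit OR filter that replaced `$action!="Unknown"` in both queries reads as an equivalent rewrite and is fine.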
@@ -748,10 +766,10 @@ "startTimeVal": "1" } }, - "etag": "820c6a11de3f7ed48a98a87a2ce659f4426d932f89b2d5f93204ef687a096b8b" + "etag": "240cb805228b1eaffc6597408248a986a37d02765ad8d57259b37f1e5cd6f1aa" }, { - "name": "532512d2-1725-4101-bfd2-75e16a6a1d43", + "name": "57680d35-b65f-40c6-b019-cfd044a1f66e", "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = \"rdp\"\r\nabout.labels[\"result\"]=\"SSL_NOT_ALLOWED_BY_SERVER\" OR security_result.action=\"FAIL\"\r\n$cookie=about.labels[\"cookie\"]\r\n$cookie!=\"\"\r\n\r\noutcome:\r\n $count=count_distinct($cookie)", "input": { "relativeTime": { 
@@ -759,10 +777,10 @@ "startTimeVal": "1" } }, - "etag": "d0ca1d753afba0e8683b8551e884c0a6252f16941a91ce52cf4e71e14f3a40ab" + "etag": "02dc5a9ae0deb61eb503561b93a0dd329e560ca36eb58e2d1bd74868ccc9762b" }, { - "name": "0d182617-15f0-4750-b6bf-02c0d28c6b56", + "name": "d3a022e0-44a7-47c1-bd4a-4d235c25f5b7", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"RW\" OR about.labels.value = \"FW\"\r\n$uid=network.session_id\r\n$protocol_version=if(network.ip_protocol = 88, \"EIGRP\", \r\n if(network.ip_protocol = 50, \"ESP\",\r\n if(network.ip_protocol = 97, \"ETHERIP\",\r\n if(network.ip_protocol = 47, \"GRE\", \r\n if(network.ip_protocol = 1, \"ICMP\",\r\n if(network.ip_protocol = 58, \"ICMP6\",\r\n if(network.ip_protocol = 2, \"IGMP\",\r\n if(network.ip_protocol = 41, \"IP6IN4\",\r\n if(network.ip_protocol = 103, \"PIM\",\r\n if(network.ip_protocol = 132, \"SCTP\",\r\n if(network.ip_protocol = 6, \"TCP\",\r\n if(network.ip_protocol = 17, \"UDP\",\r\n if(network.ip_protocol = 0, \"UNKNOWN_IP_PROTOCOL\",\r\n if(network.ip_protocol = 112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"\r\n ))))))))))))))\r\n\r\nmatch:\r\n $uid\r\n\r\noutcome:\r\n $Source=array_distinct(principal.ip)\r\n $Destination=array_distinct(target.ip)\r\n $proto=array($protocol_version)\r\n $inferences=array_distinct(about.labels.value)\r\n $Dest_port=array_distinct(target.port)\r\n $Bytes=array_distinct(network.sent_bytes)\r\n $count = count_distinct(metadata.id)", "input": { "relativeTime": { 
@@ -770,10 +788,10 @@ "startTimeVal": "1" } }, - "etag": "067381b4caa6b76488d409f6510bcb69efa25453da0560765ae1ca4d9a18ca21" + "etag": "c88c4272bdfdcb806b68eae2c8c6e1b8ffbf9fc522d8248cf4cd5143229e7db5" }, { - "name": "9cf0196a-47f4-4a7a-876f-b95fa89618c6", + "name": "ef0d0817-b729-4e4b-8a96-4ba51a8d78eb", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"COM\" OR about.labels.value = \"NSP\" OR about.labels.value = \"SK\"\r\n\r\nmatch:\r\n principal.ip, target.ip\r\n\r\noutcome:\r\n $inferences=array_distinct(about.labels.value)\r\n $Responder_Country=array_distinct(target.location.country_or_region)\r\n $vpn_type=array_distinct(about.labels[\"vpn_type\"])\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -781,10 +799,10 @@ "startTimeVal": "1" } }, - "etag": "d3ac42b3db6e48c0fe817d00fa168b828a8c89e0a8c8926ff3a0355875ec7f74" + "etag": "dc1d239d95a2f49f8ab31123282f9344d2db489e0f1580bef7eb966a307819c8" }, { - "name": "8f87281b-2d8b-4783-8532-0804f893d315", + "name": "0749538b-08c0-4ecf-a7d7-77f93fa1db5e", "query": "metadata.vendor_name = \"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"COM\" OR about.labels.value = \"NSP\" OR about.labels.value = \"RW\"\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n\r\nmatch:\r\n principal.ip, target.ip, about.labels.value, $vpn_type\r\n\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { 
@@ -792,10 +810,10 @@ "startTimeVal": "1" } }, - "etag": "227071f2ff9aaba4d03586b9995673cc903a711c422098e9c83471bfef57e862" + "etag": "e36f8aa9e8aaed7384e1436d7db5aaa05ea07e6dcf3a2fe5cba492812c687ddc" }, { - "name": "3d5ef21a-07ab-4223-bda3-295b98a0a8c8", + "name": "52dd4173-39aa-494b-8b7d-4df285fdff86", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value = \"COM\" OR about.labels.value = \"NSP\" OR about.labels.value = \"SK\"\r\n$combine_count = strings.concat(principal.ip, target.ip)\r\n\r\noutcome:\r\n $count=count_distinct($combine_count)", "input": { "relativeTime": { 
@@ -803,18 +821,18 @@ "startTimeVal": "1" } }, - "etag": "a762fd470b4f0f8a525f8c6c422c2b21934e66ee680859a88be2512296e40870" + "etag": "b453f2ddd82fff0b820da45322721b9aa8320b18a1e764563e01457e93913a87" }, { - "name": "63e77b08-451b-4054-87df-ffcb34aca26d", - "query": "metadata.vendor_name = \"Corelight\" \r\nmetadata.product_event_type = \"rdp\"\r\n$result=about.labels[\"result\"]\r\n$auth_success=security_result.action\r\n$result=\"SSL_NOT_ALLOWED_BY_SERVER\" OR $auth_success=\"FAIL\"\r\n$User=about.labels[\"cookie\"]\r\n$User!=\"\"\r\n\r\nmatch:\r\n $User\r\n\r\noutcome:\r\n $Source=array_distinct(principal.ip)\r\n $Destination=array_distinct(target.ip)\r\n $Auth_Success=array_distinct($auth_success)\r\n $Result=array_distinct($result)\r\n $count=count(metadata.id)\r\norder:\r\n $count desc", + "name": "c2ee4cbc-b6c0-4c74-9e12-80d39fa2df2b", + "query": "metadata.vendor_name = \"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$result=about.labels[\"result\"]\r\n$auth_success=if(security_result.action = \"ALLOW\", \"ALLOW\", if(security_result.action = \"ALLOW_WITH_MODIFICATION\", \"ALLOW_WITH_MODIFICATION\", if(security_result.action = \"BLOCK\", \"BLOCK\", if(security_result.action = \"CHALLENGE\", \"CHALLENGE\", if(security_result.action = \"FAIL\", \"FAIL\", if(security_result.action = \"QUARANTINE\", \"QUARANTINE\", \"UNKNOWN_ACTION\"))))))\r\n$result=\"SSL_NOT_ALLOWED_BY_SERVER\" OR security_result.action = \"FAIL\"\r\n$User=about.labels[\"cookie\"]\r\n$User!=\"\"\r\n\r\nmatch:\r\n $User\r\n\r\noutcome:\r\n $Source=array_distinct(principal.ip)\r\n $Destination=array_distinct(target.ip)\r\n $Auth_Success=array_distinct($auth_success)\r\n $Result=array_distinct($result)\r\n $count=count(metadata.id)\r\norder:\r\n $count desc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "90ae42b6e5e65572a44b28a02336647f48a6991d16372515647a0dd4c1b7e3cc" + "etag": "2b0a6c18ecb1e95be634fb1f9367135278170431cc1c20e873c3f56e3cebf144" } ] 
} diff --git a/dashboards/Security Posture/Secure Channel Insights.json b/dashboards/Security Posture/Secure Channel Insights.json index 5da59ce..9a3f74d 100644 --- a/dashboards/Security Posture/Secure Channel Insights.json +++ b/dashboards/Security Posture/Secure Channel Insights.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "1895a37e-ceac-4bfe-aefd-dcafe4b743eb", + "name": "785816d6-0e4c-4a44-9a24-a1fccbca4d37", "displayName": "Corelight → Data Insights → Secure Channel Insights", "definition": { "filters": [ 
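Review bot: In the rewritten RDP query on the new `"query"` line, the six-level nested `if(...)` over `security_result.action` maps every enumerated value to its own name and folds anything else into `"UNKNOWN_ACTION"`, which is indistinguishable from the genuine `UNKNOWN_ACTION` enum value, so a new or unexpected action would silently appear in `$Auth_Success` as if the sensor had reported no action. A distinct fallback such as `"UNMAPPED_ACTION"` would keep the two cases apart in the chart. The mapping itself reads as an identity mapping and is presumably there to coerce the enum into a string before `array_distinct`; since this JSON carries no comments, that rationale would be worth recording in the owning chart's `"description"` (outside this hunk). Note the filter line `$result=\"SSL_NOT_ALLOWED_BY_SERVER\" OR security_result.action = \"FAIL\"` already constrains the rows, so only `FAIL` and whatever action accompanies an SSL refusal will ever reach the mapping; the remaining branches are only reached for the second case.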
@@ -20,22 +20,22 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "92ee76d6-8edc-465b-a08b-2237974ddb88", - "06f20344-2738-4366-a487-7c16525e65ee", - "4395e245-241e-4362-b4b0-7573307c43a9", - "1ddf6400-acc0-48f5-be16-721e62a9205b", - "5e1fa47c-6d29-4df1-bdf3-6cb2e2b59f33", - "4865a31e-e139-4ae5-85e2-05e1bb3ad9f6", - "23e17464-d54c-4fa7-ac9f-967e3543f11a", - "cd8db9c4-efc0-4e9c-82e8-58a58f39cc5d", - "19dd3ac2-7a76-4722-8fa1-09e4abb7ff06", - "b9954ea9-d547-4a63-bd24-07d8a8569c62", - "6e97b9de-693e-4fef-b87e-8fb8c4fd6c3c", - "c655db62-5d1a-4894-a977-7f8f683e2290", - "542b164e-4b2a-4902-99e9-1e7b430cad20", - "27ea41b4-7cd6-4e25-8316-bcc073949121", - "f09ae8f1-e254-4e23-b9cd-60715d6fb2a5", - "8ee9bc04-5250-4302-980e-df61e8d7c62f" + "298947ee-acd9-49e1-a11d-dff5a5be20f5", + "28d91772-8131-4ffd-944b-9996a795840b", + "085a5aa9-5b05-4f33-b1ca-9625c9507f25", + "d187556a-d36c-4f79-a826-0427f5a0d2bf", + "385547af-42e3-48c4-b616-fdba91bff5eb", + "84c8fff4-525a-418e-b2f3-7c5997a0adb4", + "59989261-3cbe-4ff8-9e88-7e2e127daa4f", + "5ad8a74c-a1d1-4d4b-82b3-93579ac1270b", + "f0762b2d-b4a8-4215-ab25-357edcfc56e7", + "9eb226d8-ebfa-455e-b95b-ef0381068725", + "0996c902-d949-416c-97eb-bd91fbaa1d04", + "b22d8a1c-606c-48f1-bda0-e3c513fbc600", + "59a46760-ae4f-4cf7-925d-f5e7999e82b3", + "624bdca3-d58f-4c38-bf17-a99b55719455", + "f5bd0fcd-666b-4e66-880d-baec70d8c6fd", + "24779064-19b6-4d9b-b0b4-e26b8e1a775e" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -54,28 +54,28 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "cd8db9c4-efc0-4e9c-82e8-58a58f39cc5d", - "92ee76d6-8edc-465b-a08b-2237974ddb88", - "06f20344-2738-4366-a487-7c16525e65ee", - "4395e245-241e-4362-b4b0-7573307c43a9", - "1ddf6400-acc0-48f5-be16-721e62a9205b", - "5e1fa47c-6d29-4df1-bdf3-6cb2e2b59f33", - "4865a31e-e139-4ae5-85e2-05e1bb3ad9f6", - "23e17464-d54c-4fa7-ac9f-967e3543f11a", - "19dd3ac2-7a76-4722-8fa1-09e4abb7ff06", - "6e97b9de-693e-4fef-b87e-8fb8c4fd6c3c", - "b9954ea9-d547-4a63-bd24-07d8a8569c62", - "c655db62-5d1a-4894-a977-7f8f683e2290", - "542b164e-4b2a-4902-99e9-1e7b430cad20", - "27ea41b4-7cd6-4e25-8316-bcc073949121", - "f09ae8f1-e254-4e23-b9cd-60715d6fb2a5", - "8ee9bc04-5250-4302-980e-df61e8d7c62f" + "5ad8a74c-a1d1-4d4b-82b3-93579ac1270b", + "298947ee-acd9-49e1-a11d-dff5a5be20f5", + "28d91772-8131-4ffd-944b-9996a795840b", + "085a5aa9-5b05-4f33-b1ca-9625c9507f25", + "d187556a-d36c-4f79-a826-0427f5a0d2bf", + "385547af-42e3-48c4-b616-fdba91bff5eb", + "84c8fff4-525a-418e-b2f3-7c5997a0adb4", + "59989261-3cbe-4ff8-9e88-7e2e127daa4f", + "f0762b2d-b4a8-4215-ab25-357edcfc56e7", + "0996c902-d949-416c-97eb-bd91fbaa1d04", + "9eb226d8-ebfa-455e-b95b-ef0381068725", + "b22d8a1c-606c-48f1-bda0-e3c513fbc600", + "59a46760-ae4f-4cf7-925d-f5e7999e82b3", + "624bdca3-d58f-4c38-bf17-a99b55719455", + "f5bd0fcd-666b-4e66-880d-baec70d8c6fd", + "24779064-19b6-4d9b-b0b4-e26b8e1a775e" ] } ], "charts": [ { - "dashboardChart": "f09ae8f1-e254-4e23-b9cd-60715d6fb2a5", + "dashboardChart": "f5bd0fcd-666b-4e66-880d-baec70d8c6fd", "chartLayout": { "startX": 0, "spanX": 48, @@ -88,7 +88,7 @@ ] }, { - "dashboardChart": "542b164e-4b2a-4902-99e9-1e7b430cad20", + "dashboardChart": "59a46760-ae4f-4cf7-925d-f5e7999e82b3", "chartLayout": { "startX": 0, "spanX": 48, @@ -101,7 +101,7 @@ ] }, { - "dashboardChart": "06f20344-2738-4366-a487-7c16525e65ee", + "dashboardChart": "28d91772-8131-4ffd-944b-9996a795840b", "chartLayout": { "startX": 0, "spanX": 48, 
@@ -114,7 +114,7 @@ ] }, { - "dashboardChart": "8ee9bc04-5250-4302-980e-df61e8d7c62f", + "dashboardChart": "24779064-19b6-4d9b-b0b4-e26b8e1a775e", "chartLayout": { "startX": 48, "spanX": 48, @@ -127,7 +127,7 @@ ] }, { - "dashboardChart": "6e97b9de-693e-4fef-b87e-8fb8c4fd6c3c", + "dashboardChart": "0996c902-d949-416c-97eb-bd91fbaa1d04", "chartLayout": { "startX": 0, "spanX": 48, @@ -140,7 +140,7 @@ ] }, { - "dashboardChart": "4395e245-241e-4362-b4b0-7573307c43a9", + "dashboardChart": "085a5aa9-5b05-4f33-b1ca-9625c9507f25", "chartLayout": { "startX": 0, "spanX": 48, @@ -153,7 +153,7 @@ ] }, { - "dashboardChart": "c655db62-5d1a-4894-a977-7f8f683e2290", + "dashboardChart": "b22d8a1c-606c-48f1-bda0-e3c513fbc600", "chartLayout": { "startX": 48, "spanX": 48, @@ -166,7 +166,7 @@ ] }, { - "dashboardChart": "23e17464-d54c-4fa7-ac9f-967e3543f11a", + "dashboardChart": "59989261-3cbe-4ff8-9e88-7e2e127daa4f", "chartLayout": { "startX": 48, "spanX": 48, @@ -179,7 +179,7 @@ ] }, { - "dashboardChart": "b9954ea9-d547-4a63-bd24-07d8a8569c62", + "dashboardChart": "9eb226d8-ebfa-455e-b95b-ef0381068725", "chartLayout": { "startX": 0, "spanX": 48, @@ -192,7 +192,7 @@ ] }, { - "dashboardChart": "1ddf6400-acc0-48f5-be16-721e62a9205b", + "dashboardChart": "d187556a-d36c-4f79-a826-0427f5a0d2bf", "chartLayout": { "startX": 0, "spanX": 48, @@ -205,7 +205,7 @@ ] }, { - "dashboardChart": "19dd3ac2-7a76-4722-8fa1-09e4abb7ff06", + "dashboardChart": "f0762b2d-b4a8-4215-ab25-357edcfc56e7", "chartLayout": { "startX": 48, "spanX": 48, @@ -218,7 +218,7 @@ ] }, { - "dashboardChart": "92ee76d6-8edc-465b-a08b-2237974ddb88", + "dashboardChart": "298947ee-acd9-49e1-a11d-dff5a5be20f5", "chartLayout": { "startX": 48, "spanX": 48, @@ -231,7 +231,7 @@ ] }, { - "dashboardChart": "5e1fa47c-6d29-4df1-bdf3-6cb2e2b59f33", + "dashboardChart": "385547af-42e3-48c4-b616-fdba91bff5eb", "chartLayout": { "startX": 0, "spanX": 48, 
@@ -244,7 +244,7 @@ ] }, { - "dashboardChart": "4865a31e-e139-4ae5-85e2-05e1bb3ad9f6", + "dashboardChart": "84c8fff4-525a-418e-b2f3-7c5997a0adb4", "chartLayout": { "startX": 48, "spanX": 48, @@ -257,7 +257,7 @@ ] }, { - "dashboardChart": "cd8db9c4-efc0-4e9c-82e8-58a58f39cc5d", + "dashboardChart": "5ad8a74c-a1d1-4d4b-82b3-93579ac1270b", "chartLayout": { "startX": 48, "spanX": 48, @@ -270,7 +270,7 @@ ] }, { - "dashboardChart": "27ea41b4-7cd6-4e25-8316-bcc073949121", + "dashboardChart": "624bdca3-d58f-4c38-bf17-a99b55719455", "chartLayout": { "startX": 48, "spanX": 48, @@ -285,15 +285,15 @@ ] }, "type": "CUSTOM", - "etag": "a5163f10dab0822f9a1dc45fbf8c0d5f4c64caff1a753a201c1da1a3f2b79f09", + "etag": "bf44adf4127f961e131a1b0e23ae47737b2d4fd870feec3c3058a70a0b1d0320", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "23e17464-d54c-4fa7-ac9f-967e3543f11a", + "name": "59989261-3cbe-4ff8-9e88-7e2e127daa4f", "displayName": "SSH Inferences for Potential Security Risks", "chartDatasource": { - "dashboardQuery": "3e2ab657-2509-4427-a1ae-2f4a3adbc070", + "dashboardQuery": "8a9f1b93-5497-4782-be5e-63fcf5319740", "dataSources": [ "UDM" ] @@ -339,14 +339,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8c19f92d249cb81f418e861981f6d7619c4ac411626901c45b100552f77afd66", + "etag": "7cd9fb4dc47404b5e3e195c16bb0e51efb7178924b74096115e87d69f63bb7ce", "drillDownConfig": {} }, { - "name": "92ee76d6-8edc-465b-a08b-2237974ddb88", + "name": "298947ee-acd9-49e1-a11d-dff5a5be20f5", "displayName": "SSH Advance Threat Inferences", "chartDatasource": { - "dashboardQuery": "69d932d4-e13e-4f2d-bacd-ff79051db49f", + "dashboardQuery": "78acb848-4bdc-48f4-a65b-dcd4dc69493d", "dataSources": [ "UDM" ] 
@@ -396,15 +396,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "14a4586475b732a26756c36d7ec9be45d53e7706cf934635974fb2c06391bd11", + "etag": "7eaa2821a59fac5332303f89e49f7db180ad0bc106cb0ebe4cc82cc6f72adb8d", "drillDownConfig": {} }, { - "name": "27ea41b4-7cd6-4e25-8316-bcc073949121", + "name": "624bdca3-d58f-4c38-bf17-a99b55719455", "displayName": "Connections using Less Secure TLS Versions (< TLS1.2)", "description": "Connections employing TLS versions older than 1.2 are recognized as less secure, presenting a higher risk of being compromised. These outdated protocols may indicate legacy systems with configurations that are not aligned with modern security standards.", "chartDatasource": { - "dashboardQuery": "161f65fa-cfae-47c2-83fb-94d9964b64f0", + "dashboardQuery": "10f44ff4-1eee-46ae-a492-09db83b52bb4", "dataSources": [ "UDM" ] @@ -440,15 +440,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8bacce9ae82e27848adcc19d1ed6c3e4431ff1ead7d34910fd98766a7d97e3fd", + "etag": "73aa389076443eccc9fd4a1e64f0fb1fc998d30bdf5a73fadddfa4a94e5ac50e", "drillDownConfig": {} }, { - "name": "19dd3ac2-7a76-4722-8fa1-09e4abb7ff06", + "name": "f0762b2d-b4a8-4215-ab25-357edcfc56e7", "displayName": " Advance Threat Indicators", "description": "Helps to identify potential advanced threat indicators such as Client Authentication Bypass (ABP) and Reverse SSH tunneling activities (RSP, RSI, RSIA, RSL, RSK) for in-depth investigation.", "chartDatasource": { - "dashboardQuery": "81a3d28b-4b9c-4462-ac9b-01dc5a373845", + "dashboardQuery": "63db84ae-3968-48e1-b7dd-976b97065820", "dataSources": [ "UDM" ] 
@@ -484,14 +484,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ce05584210d74bf725c69a337ff0501c9e9266fd8951538639df8d0a23284b93", + "etag": "848873a5ed7ab9897afd95451d684cff8a4a81bba30ce8eac933310d2a32054a", "drillDownConfig": {} }, { - "name": "06f20344-2738-4366-a487-7c16525e65ee", + "name": "28d91772-8131-4ffd-944b-9996a795840b", "displayName": "Network Evidence for Interactive Sessions and Keystrokes - SSH Inferences ", "chartDatasource": { - "dashboardQuery": "516ec49f-1548-4384-9682-21c725eb51ac", + "dashboardQuery": "8208fe16-91b3-4624-a2a9-802aa89c25b8", "dataSources": [ "UDM" ] @@ -541,15 +541,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "2c184cb9a6bd05019cd4f4d8cecd7b7c8009d79d9260c372f094c3e7792aa40d", + "etag": "feb1d8a0e40e8b83489943c967fdb1a585eb8e6e4d1afd5b4f949273d33324a7", "drillDownConfig": {} }, { - "name": "cd8db9c4-efc0-4e9c-82e8-58a58f39cc5d", + "name": "5ad8a74c-a1d1-4d4b-82b3-93579ac1270b", "displayName": "Network Evidence for All TLS versions seen", "description": "Classification Based on Industry Best Practices", "chartDatasource": { - "dashboardQuery": "5a7caf79-df3a-492b-b8e3-dc43f681f1bf", + "dashboardQuery": "26d7305e-f295-4d48-9014-bfd452f0edcc", "dataSources": [ "UDM" ] @@ -603,14 +603,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "f528edf72f5e4027c50cb663c6a011c0d81194379a72aaca0e0c879cef316bde", + "etag": "1b8b31820594e92563964db3f78b852f007319de07dfac8e8de0d2a53adeb8b3", "drillDownConfig": {} }, { - "name": "5e1fa47c-6d29-4df1-bdf3-6cb2e2b59f33", + "name": "385547af-42e3-48c4-b616-fdba91bff5eb", "displayName": "Less Secure Ciphers seen in the Period", "chartDatasource": { - "dashboardQuery": "baf23a1a-1038-44f4-8b4e-ccddf2657e65", + "dashboardQuery": "c67815a4-672e-4eab-b9d4-cc8099ac25b6", "dataSources": [ "UDM" ] 
@@ -660,15 +660,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "efff41a2a7690dadf39df54e04922922bd5f20e947fb0cabaa473e1f0375a104", + "etag": "4e3446066aa8b81817946b75f9bc5c34bcdf86914b61470fc95ae8ceedcd126c", "drillDownConfig": {} }, { - "name": "6e97b9de-693e-4fef-b87e-8fb8c4fd6c3c", + "name": "0996c902-d949-416c-97eb-bd91fbaa1d04", "displayName": " Possible File Uploaded", "description": "This use case tracks SSH file transfer activity (inferences SFD, LFD, SFU, LFU). It uncovers potential data exfiltration by attackers or the introduction of malicious files. Focus on file names, sizes, unusual source IPs, and sensitive destination systems.", "chartDatasource": { - "dashboardQuery": "0720b11b-a738-439c-82f0-c77d96ea7d6c", + "dashboardQuery": "122a6abc-a2ee-4585-9271-77b0804ae222", "dataSources": [ "UDM" ] @@ -704,15 +704,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "b5763cd823be0be5903bbbbcb0881a005344c5ed593649583bdde44e466d68f0", + "etag": "c92b11615342333ed73e1e3657341bdf357e9412155d6c36809548d50b260b6c", "drillDownConfig": {} }, { - "name": "542b164e-4b2a-4902-99e9-1e7b430cad20", + "name": "59a46760-ae4f-4cf7-925d-f5e7999e82b3", "displayName": " Interactive Sessions and Keystrokes", "description": "Highlight interactive sessions (KS) and automated interactions (AUTO) to understand the nature of SSH traffic — manual vs. automated.", "chartDatasource": { - "dashboardQuery": "d7ff8ea0-2cc2-4430-950a-160c48c62f2c", + "dashboardQuery": "726bb593-bb6a-45c3-a78a-1186fa205020", "dataSources": [ "UDM" ] 
@@ -748,15 +748,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "dc5f753e5c16a31dbeaa548d579fe1c5246c26458a8895f1dddb35d0231e7f05", + "etag": "ee30eb07cb0e03543e24ef101afb3444d72e3028c79b08604d698170ef96b4fb", "drillDownConfig": {} }, { - "name": "f09ae8f1-e254-4e23-b9cd-60715d6fb2a5", + "name": "f5bd0fcd-666b-4e66-880d-baec70d8c6fd", "displayName": "Less Secure Ciphers", "description": "SSL/TLS sessions utilizing weak cipher suites (eg. RC4) are easily decrypted. This traffic may indicate the presence of old and/or unpatched resources on the network. It could also be the result of a successful downgrade attack.", "chartDatasource": { - "dashboardQuery": "455de0c3-3fb2-4cfc-9829-b27805432984", + "dashboardQuery": "1f81298a-3254-46a0-90a9-33776e217c4f", "dataSources": [ "UDM" ] @@ -792,13 +792,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "cd98b002ca347d67c1a9a848cc20a27190046099ef06d273267ae45b72bd3039" + "etag": "cf687d172511c10b0cb7c37797c5e1bc800942c6906e783a18077394e0ddf01f" }, { - "name": "4395e245-241e-4362-b4b0-7573307c43a9", + "name": "085a5aa9-5b05-4f33-b1ca-9625c9507f25", "displayName": "Possible File Transfer", "chartDatasource": { - "dashboardQuery": "aee5b3bc-f2b5-4733-b3cb-a41dd89a0a17", + "dashboardQuery": "9250acec-c01b-457c-b002-f043366dafc3", "dataSources": [ "UDM" ] 
@@ -848,15 +848,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "dbb8a2e8ed049693b887506bd5f9f7c2d82fea26f7530e9aecff713d373cbc35", + "etag": "76ede6be1afaa9d38eaa0342fe26d70bb7e11886f9570598fa93b4639a7b647e", "drillDownConfig": {} }, { - "name": "8ee9bc04-5250-4302-980e-df61e8d7c62f", + "name": "24779064-19b6-4d9b-b0b4-e26b8e1a775e", "displayName": "Self Signed Certs", "description": "This dashboard panel identifies self-signed certificates in use within internal networks, highlighting a key security concern due to their lack of third-party validation. Addressing this issue by transitioning to certificates from trusted authorities enhances network security and trustworthiness.", "chartDatasource": { - "dashboardQuery": "2be9f828-7d87-463e-abfc-2508b904eb06", + "dashboardQuery": "501eca80-4a69-4244-9705-7026ef2efc51", "dataSources": [ "UDM" ] @@ -892,15 +892,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e39692f83b133abfa521dcf2c18d4582b8c0a77e552ad69b6e7a85e0c15aced8", + "etag": "69498adf13aa7284332535a76c426b2d47518cc050b27d6e5e63a0a49f29213b", "drillDownConfig": {} }, { - "name": "b9954ea9-d547-4a63-bd24-07d8a8569c62", + "name": "9eb226d8-ebfa-455e-b95b-ef0381068725", "displayName": " Automated SSH Session Indicators", "description": "Tracks automated SSH sessions to enhance security and operational efficiency, highlighting potential risks and compliance issues. It identifies anomalies and unauthorized activities, ensuring that automation tools are used securely and efficiently. This tool is crucial for SOC analysts to monitor for security breaches and optimize system management.", "chartDatasource": { - "dashboardQuery": "63e786b5-1ca1-48c4-ba29-63337791309c", + "dashboardQuery": "57d98476-1b04-450a-9d01-636f7ec698cc", "dataSources": [ "UDM" ] 
@@ -936,15 +936,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "df9e2f14f84b29241a75d1d8e17aeaf9794fb124d26fe02da538558e49776213", + "etag": "bdfc570176daeb66df83a0e9ee5a5962ceef8d45d1a4fb27ad5e0bcea877acbd", "drillDownConfig": {} }, { - "name": "c655db62-5d1a-4894-a977-7f8f683e2290", + "name": "b22d8a1c-606c-48f1-bda0-e3c513fbc600", "displayName": " Potential Security Risks", "description": "Monitors for signs of scanning (SC, SP, SV, SA), banner messages (BAN), and agent forwarding (AFR) for compliance and security risk identification.", "chartDatasource": { - "dashboardQuery": "9f8c4997-29d6-4dd3-8a49-e42c31d6914c", + "dashboardQuery": "93d5499b-537d-460a-9d0a-b6325ec4e860", "dataSources": [ "UDM" ] @@ -980,14 +980,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "cd435312508388d8a6c26515e8119f94a9c4a4c2b7ef2bd66b96394359aa207f", + "etag": "13225f2d89b543d2b72fe774c32b5a786b03e346421324421798b5fc828e0adb", "drillDownConfig": {} }, { - "name": "1ddf6400-acc0-48f5-be16-721e62a9205b", + "name": "d187556a-d36c-4f79-a826-0427f5a0d2bf", "displayName": "SSH Session Inferences", "chartDatasource": { - "dashboardQuery": "e8b259e6-a2af-4900-9ba2-feafe45249f3", + "dashboardQuery": "4f0b4116-46b2-41b0-802d-7a258ef5693d", "dataSources": [ "UDM" ] @@ -1037,14 +1037,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "3b6493ced2d2b638f6c6fab44928934e65a7b813f1bc1bb380cf83277790df0d", + "etag": "4e19b2fbeada01b4ac50abe488701e89cbd5cac04b9ddf25570099d5f2256564", "drillDownConfig": {} }, { - "name": "4865a31e-e139-4ae5-85e2-05e1bb3ad9f6", + "name": "84c8fff4-525a-418e-b2f3-7c5997a0adb4", "displayName": "Network Evidence for Self Signed Internal Certificates", "chartDatasource": { - "dashboardQuery": "17afadd9-5d22-4e76-8cb3-3ffc18b504a3", + "dashboardQuery": "0d6b7fb8-a8ff-4391-9267-2dfdcfea7314", "dataSources": [ "UDM" ] 
@@ -1090,68 +1090,68 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "09e9d1d416c8acf91297acc955d61b813d9fabd34eeda1af5d824d7891e2fe00", + "etag": "c4dc22837c69bf1b404cd1368d07ed3cf9ab01ce760db18aa3ec4d9f7ad18024", "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "17afadd9-5d22-4e76-8cb3-3ffc18b504a3", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\n$is_self_signed=if(security_result.description=\"self signed certificate\", \"yes\", \"no\")\r\n$is_self_signed=\"yes\"\r\nnetwork.tls.client.server_name!=\"\"\r\n$src_host_type=if(principal.ip in cidr %internal_cidr_list , \"Internal\", \"External\")\r\n$dest_host_type=if(target.ip in cidr %internal_cidr_list , \"Internal\", \"External\")\r\n$dest_host_type=\"Internal\"\r\nmatch:\r\n network.tls.client.server_name, target.ip\r\noutcome:\r\n $validation_status=array_distinct(security_result.description)\r\n $dest_host_types=array_distinct($dest_host_type)\r\n $traffic_direction=array_distinct(if($src_host_type=\"Internal\" AND $dest_host_type=\"External\", \"Outbound\", \r\n if($src_host_type=\"External\" AND $dest_host_type=\"Internal\", \"Inbound\",\r\n if($src_host_type=\"Internal\" AND $dest_host_type=\"Internal\", \"East-West\",\r\n if($src_host_type=\"External\" AND $dest_host_type=\"External\", \"Ether\", \"Undefined\"\r\n )))))\r\n", + "name": "0d6b7fb8-a8ff-4391-9267-2dfdcfea7314", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nsecurity_result.description=\"self signed certificate\"\r\nnetwork.tls.client.server_name!=\"\"\r\n$src_host_type=if(principal.ip in cidr %internal_cidr_list , \"Internal\", \"External\")\r\n$dest_host_type=if(target.ip in cidr %internal_cidr_list , \"Internal\", \"External\")\r\ntarget.ip in cidr %internal_cidr_list\r\nmatch:\r\n network.tls.client.server_name, target.ip\r\noutcome:\r\n $validation_status=array_distinct(security_result.description)\r\n 
$dest_host_types=array_distinct($dest_host_type)\r\n $traffic_direction=array_distinct(if($src_host_type=\"Internal\" AND $dest_host_type=\"External\", \"Outbound\", \r\n if($src_host_type=\"External\" AND $dest_host_type=\"Internal\", \"Inbound\",\r\n if($src_host_type=\"Internal\" AND $dest_host_type=\"Internal\", \"East-West\",\r\n if($src_host_type=\"External\" AND $dest_host_type=\"External\", \"Ether\", \"Undefined\"\r\n )))))", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "77f816960f6536b8213f02c4fe3433c0e565dd9491de69cd6789118e98fdd60b" + "etag": "640b8a48fe7d0c3f40049731dc47cac810efad72ac9ed326e3dd12e735c476b3" }, { - "name": "3e2ab657-2509-4427-a1ae-2f4a3adbc070", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = 
\"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"SC\" OR $inference=\"SP\" OR $inference=\"SV\" OR $inference=\"SA\" OR $inference=\"AFR\" OR $inference=\"BAN\"\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "name": "8a9f1b93-5497-4782-be5e-63fcf5319740", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Capabilities Scanning\") OR (security_result.summary = \"Other Scanning\") OR (security_result.summary = \"Version Scanning\") OR (security_result.summary = \"Authentication Scanning\") OR (security_result.summary = \"SSH Agent Forwarding Requested\") OR (security_result.summary = \"Server Banner\")\r\n$inference= if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\", if(security_result.summary = \"Server Banner\", \"BAN\", if(security_result.summary = \"Authentication Scanning\", \"SA\", if(security_result.summary = \"Capabilities Scanning\", \"SC\", if(security_result.summary = \"Other Scanning\", \"SP\", 
if(security_result.summary = \"Version Scanning\", \"SV\", \"Unknown\"))))))\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "68a04868bf80ddf1df6e0437f425e45ebcf882a5280207fb2efe634e66790d40" + "etag": "025091b5c9ae1892765fc11ada9ef63308a7d38e95ef1f3cfe336066332e86b0" }, { - "name": "d7ff8ea0-2cc2-4430-950a-160c48c62f2c", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = 
\"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"KS\" OR $inference=\"AUTO\"\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary, security_result.description)\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\n", + "name": "726bb593-bb6a-45c3-a78a-1186fa205020", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n((security_result.summary = \"Keystrokes\") OR (security_result.summary = \"Automated Interaction\"))\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary, security_result.description)\r\noutcome:\r\n $count=count_distinct($combined_fields)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "e98cef133f4e4783aaf53cf31cda53f9180416d9f05f1a8f093993506b883cdc" + "etag": "ef271e980b5ace719fb4b5af6477d7580aff6258b3138075dcce69cd9f87e59d" }, { - "name": "63e786b5-1ca1-48c4-ba29-63337791309c", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n 
if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"PKA\" OR $inference=\"AUTO\" OR $inference=\"KS\" OR $inference=\"CTS\"\r\noutcome:\r\n 
$count=count_distinct(network.session_id)\r\n", + "name": "57d98476-1b04-450a-9d01-636f7ec698cc", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Public Key Authentication\") OR (security_result.summary = \"Automated Interaction\") OR (security_result.summary = \"Keystrokes\") OR (security_result.summary = \"Client Trusted Server\")\r\noutcome:\r\n $count=count_distinct(network.session_id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "3ef56e57d07e183fc197d2d10a4e91c81c2b30da45612d18067bbd2c6a116b5b" + "etag": "be147ea84c10242fda63efc9ee9421b9d3ad2a5521fb9e57091d5060d785e464" }, { - "name": "516ec49f-1548-4384-9682-21c725eb51ac", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n 
if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"KS\" OR $inference=\"AUTO\"\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct($inference)\r\n $description=array_distinct(security_result.description)\r\n $count=count_distinct(metadata.id)\r\n", + "name": "8208fe16-91b3-4624-a2a9-802aa89c25b8", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n((security_result.summary = \"Keystrokes\") OR (security_result.summary = \"Automated Interaction\"))\r\n$inference=if(security_result.summary = \"Automated Interaction\", \"AUTO\", if(security_result.summary = \"Keystrokes\", \"KS\", \"Unknown\"))\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct($inference)\r\n $description=array_distinct(security_result.description)\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "a7a048d89e50b983e2ffc91025d72370596019b8e41f43cecd64e9a50661b6ea" + 
"etag": "0b7c52f5aa2628751f529c6303b75b60416558cf78e0a3d50617829435795f41" }, { - "name": "455de0c3-3fb2-4cfc-9829-b27805432984", + "name": "1f81298a-3254-46a0-90a9-33776e217c4f", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\"\r\nre.regex(network.tls.cipher, `(RC4|DES|3DES|MD5|NULL|EXPORT)`)\r\noutcome:\r\n $count=count_distinct(network.tls.cipher)\r\n", "input": { "relativeTime": { 
@@ -1159,76 +1159,76 @@ "startTimeVal": "1" } }, - "etag": "a328ada64f4d7209caf4cae03d13657741125386b65c7026c85b78e553cc7e05" + "etag": "54d1b83b634adabbf6c02303cc3a23ddcdd5d8d784ce0627c61c17dffc483ae1" }, { - "name": "2be9f828-7d87-463e-abfc-2508b904eb06", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\n$is_self_signed=if(security_result.description=\"self signed certificate\", \"yes\", \"no\")\r\n$is_self_signed=\"yes\"\r\ntarget.ip in cidr %internal_cidr_list\r\nnetwork.tls.client.server_name!=\"\"\r\n$combined_field=strings.concat(network.tls.client.server_name, target.ip)\r\noutcome:\r\n $count=count_distinct($combined_field)", + "name": "501eca80-4a69-4244-9705-7026ef2efc51", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nsecurity_result.description=\"self signed certificate\"\r\ntarget.ip in cidr %internal_cidr_list\r\nnetwork.tls.client.server_name!=\"\"\r\n$combined_field=strings.concat(network.tls.client.server_name, target.ip)\r\noutcome:\r\n $count=count_distinct($combined_field)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "a7621609096044967f04ba3acc43856f07ce73bb42707bdc0b55f5fb07e5d171" + "etag": "61f62d218eafc50d7ce4b4e2f93e791566aa023eb24ea40fc57f5aad69fdb773" }, { - "name": "0720b11b-a738-439c-82f0-c77d96ea7d6c", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n 
if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"SFD\" OR $inference=\"LFD\" OR $inference=\"SFU\" OR $inference=\"LFU\"\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary, security_result.description)\r\noutcome:\r\n $count=count_distinct($combined_fields)", + "name": "122a6abc-a2ee-4585-9271-77b0804ae222", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"ssh\"\r\n(security_result.summary = \"Small Client File Download\") OR (security_result.summary = \"Large Client File Download\") OR (security_result.summary = \"Small Client File Upload\") OR (security_result.summary = \"Large Client File Upload\")\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary, security_result.description)\r\noutcome:\r\n $count=count_distinct($combined_fields)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "d9c7b95e9b7c4c8949baa2e56bc96fba592500e4d1afc1102925d0710cbc6915" + "etag": "0a9a10b02dc590fb6f448a5a93b8e7deba9a2ec221a67816226f6de65e5bc67a" }, { - "name": "69d932d4-e13e-4f2d-bacd-ff79051db49f", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n 
if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"ABP\" OR $inference=\"RSP\" OR $inference=\"RSI\" OR $inference=\"RSIA\" OR $inference=\"RSL\" OR $inference=\"RSK\"\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference, security_result.description\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "name": "78acb848-4bdc-48f4-a65b-dcd4dc69493d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Client Authentication Bypass\") OR (security_result.summary = \"Reverse SSH Provisioned\") OR (security_result.summary = \"Reverse SSH Initiated\") OR (security_result.summary = \"Reverse SSH Initiated Automate\") OR (security_result.summary = \"Reverse SSH Logged In\") OR (security_result.summary = \"Reverse SSH Keystrokes\")\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\", if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\", if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\", 
if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\", if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\", if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\", \"Unknown\"))))))\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference, security_result.description\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "b5aa5beeb5afd59a958d23fe36b920b3453ba4a268f875176b5d15bce64d71db" + "etag": "8477b6e91b8fc5b957d06edfd4db9ac694a561194cf0fc3c19cb15e3d356fc4c" }, { - "name": "81a3d28b-4b9c-4462-ac9b-01dc5a373845", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n 
if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"ABP\" OR $inference=\"RSP\" OR $inference=\"RSI\" OR $inference=\"RSIA\" OR $inference=\"RSL\" OR $inference=\"RSK\"\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary)\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\n", + "name": "63db84ae-3968-48e1-b7dd-976b97065820", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Client Authentication Bypass\") OR (security_result.summary = \"Reverse SSH Provisioned\") OR (security_result.summary = \"Reverse SSH Initiated\") OR (security_result.summary = \"Reverse SSH Initiated Automate\") OR (security_result.summary = \"Reverse SSH Logged In\") OR (security_result.summary = \"Reverse SSH Keystrokes\")\r\n$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary)\r\noutcome:\r\n $count=count_distinct($combined_fields)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "bc97ad001ff4731510b8e1de53ee20c0013f6f1d559c2b2370d381911a6ad569" + "etag": 
"3ab805f2d7040ef49494a16373fe93176e1ce8ee19798e4d6b62842f80606b8d" }, { - "name": "161f65fa-cfae-47c2-83fb-94d9964b64f0", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nprincipal.ip!=\"\"\r\nnetwork.tls.version!=\"\"\r\n$version_status=if(network.tls.version=\"TLSv13\", \"Most Secure\", \r\n if(network.tls.version=\"TLSv12\", \"Secure\",\r\n if(network.tls.version=\"DTLSv12\", \"Secure\",\r\n if(network.tls.version=\"unknown-64282\", \"Unknown\", \"Old Version\"\r\n ))))\r\n$version_status!=/.*Secure.*/\r\noutcome:\r\n $count=count_distinct(network.session_id)", + "name": "10f44ff4-1eee-46ae-a492-09db83b52bb4", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nprincipal.ip!=\"\"\r\nnetwork.tls.version!=\"\"\r\nnetwork.tls.version!=\"TLSv13\" AND network.tls.version!=\"TLSv12\" AND network.tls.version!=\"DTLSv12\"\r\n\r\noutcome:\r\n $count=count_distinct(network.session_id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "85570384c680fde05898e8dd7f0ecf2d61c65c9d241e4a3d744b1a99ff502372" + "etag": "51aee2600345e5eeee6f433078b9ce19f8c3072c06c010bbe0ce44746fd55c92" }, { - "name": "e8b259e6-a2af-4900-9ba2-feafe45249f3", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted 
Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"PKA\" OR $inference=\"AUTO\" OR $inference=\"KS\" OR $inference=\"CTS\"\r\n$uid=network.session_id\r\nmatch:\r\n $uid\r\noutcome:\r\n $principal_ip=array_distinct(principal.ip)\r\n $target_ip=array_distinct(target.ip)\r\n $inferences=array_distinct($inference)\r\n $description=array_distinct(security_result.description)\r\n $count=count_distinct(metadata.id)", + "name": "4f0b4116-46b2-41b0-802d-7a258ef5693d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"ssh\"\r\n(security_result.summary = \"Public Key Authentication\") OR (security_result.summary = \"Automated Interaction\") OR (security_result.summary = \"Keystrokes\") OR (security_result.summary = \"Client Trusted Server\")\r\n$inference= if(security_result.summary = \"Automated Interaction\", \"AUTO\", if(security_result.summary = \"Client Trusted Server\", \"CTS\", if(security_result.summary = \"Keystrokes\", \"KS\", if(security_result.summary = \"Public Key Authentication\", \"PKA\", \"Unknown\"))))\r\n$uid=network.session_id\r\nmatch:\r\n $uid\r\noutcome:\r\n $principal_ip=array_distinct(principal.ip)\r\n $target_ip=array_distinct(target.ip)\r\n $inferences=array_distinct($inference)\r\n $description=array_distinct(security_result.description)\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "727b697f04865a795cd53b282339b2c6623b52965d39aa37eb6ef7d520d4668f" + "etag": "4f0e267dba99171f772ac941487e3e119207a98cad0aa87ec4e3465e4907da59" }, { - "name": "baf23a1a-1038-44f4-8b4e-ccddf2657e65", + "name": "c67815a4-672e-4eab-b9d4-cc8099ac25b6", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\"\r\nre.regex(network.tls.cipher, `(RC4|DES|3DES|MD5|NULL|EXPORT)`)\r\n$is_src_internal=if(principal.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\n$is_dest_internal=if(target.ip in cidr %internal_cidr_list, \"true\", \"false\")\r\nmatch:\r\n network.tls.cipher\r\noutcome:\r\n $dest_ip=window.last(metadata.event_timestamp.seconds, target.ip)\r\n $unique_conn=count_distinct(network.session_id)\r\n $host_type=array_distinct(if($is_src_internal=\"true\", \"Internal\", \"External\"))\r\n $directions=array_distinct(if($is_src_internal=\"true\" AND $is_dest_internal=\"false\", \"Outbound\", \"Inbound\"))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $unique_conn desc, $count desc", "input": { "relativeTime": { 
@@ -1236,32 +1236,32 @@ "startTimeVal": "1" } }, - "etag": "8c94e4dc1416fb8faac19eaf4919d96b487155c5d41606886fc9ac0c7108c624" + "etag": "b87bb38545af1e7c8eef09915e9dbdb562adf79a3196a27ee2bf3bf38ffe0b23" }, { - "name": "9f8c4997-29d6-4dd3-8a49-e42c31d6914c", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", 
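Review bot: The rewritten TLS-version chart in this hunk now hard-codes the accepted set as `network.tls.version!="TLSv13" AND network.tls.version!="TLSv12" AND network.tls.version!="DTLSv12"`, while the unchanged TLS-version breakdown chart later in the file still derives the same set through its `$version_status` if-chain (which also special-cases `unknown-64282`); the two encodings will drift the first time a version such as DTLSv13 is added to one and not the other, so it is worth a comment or a shared convention noting they must be kept in step. The new query also leaves a stray empty line (`\r\n\r\n`) before `outcome:`, which the other rewritten queries in the hunk do not have. In the refactored SSH charts (the reverse-SSH and public-key/keystroke charts) the summary list is now duplicated between the leading `OR` filter and the `$inference` if-chain, so the trailing `"Unknown"` branch can never be reached; that is harmless but the two lists must be edited together. Behaviourally the new TLS filter appears equivalent to the old one, since the old query only excluded statuses matching `/.*Secure.*/` and therefore also counted unknown versions as non-compliant.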
\"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"SC\" OR $inference=\"SP\" OR $inference=\"SV\" OR $inference=\"SA\" OR $inference=\"AFR\" OR $inference=\"BAN\"\r\n$combined_fields=strings.concat(network.session_id principal.ip, target.ip, security_result.summary)\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\n", + "name": "93d5499b-537d-460a-9d0a-b6325ec4e860", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Capabilities Scanning\") OR (security_result.summary = \"Other Scanning\") OR (security_result.summary = \"Version Scanning\") OR (security_result.summary = \"Authentication Scanning\") OR (security_result.summary = \"SSH Agent Forwarding Requested\") OR (security_result.summary = \"Server Banner\")\r\n$combined_fields=strings.concat(network.session_id principal.ip, target.ip, security_result.summary)\r\noutcome:\r\n $count=count_distinct($combined_fields)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ae531acf1564b9abbd0c0c9615184f373fda0c0f4333228470a7e9269120d8a0" + "etag": "b1507995482bb941d41d87fd999739e5156f7208e12dc2b341ea9a34b0a33e50" }, { - "name": "aee5b3bc-f2b5-4733-b3cb-a41dd89a0a17", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inference= if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\n if(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\n if(security_result.summary = \"Automated Password Authentication\", 
\"APWA\",\r\n if(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\n if(security_result.summary = \"Server Banner\", \"BAN\",\r\n if(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\n if(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\n if(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\n if(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\n if(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\n if(security_result.summary = \"Keystrokes\", \"KS\",\r\n if(security_result.summary = \"Large Client File Download\", \"LFD\",\r\n if(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\n if(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\n if(security_result.summary = \"None Authentication\", \"NA\",\r\n if(security_result.summary = \"No Remote Command\", \"NRC\",\r\n if(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\n if(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\n if(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\n if(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\n if(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\n if(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\n if(security_result.summary = \"Authentication Scanning\", \"SA\",\r\n if(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\n if(security_result.summary = \"Small Client File Download\", \"SFD\",\r\n if(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\n if(security_result.summary = \"Other Scanning\", \"SP\",\r\n if(security_result.summary = \"Version Scanning\", \"SV\",\r\n if(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n )))))))))))))))))))))))))))))\r\n$inference=\"SFD\" OR $inference=\"LFD\" OR $inference=\"SFU\" OR 
$inference=\"LFU\"\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference, security_result.description\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "name": "9250acec-c01b-457c-b002-f043366dafc3", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n(security_result.summary = \"Small Client File Download\") OR (security_result.summary = \"Large Client File Download\") OR (security_result.summary = \"Small Client File Upload\") OR (security_result.summary = \"Large Client File Upload\")\r\n$inference= if(security_result.summary = \"Large Client File Download\", \"LFD\", if(security_result.summary = \"Large Client File Upload\", \"LFU\", if(security_result.summary = \"Small Client File Download\", \"SFD\", if(security_result.summary = \"Small Client File Upload\", \"SFU\", \"Unknown\"))))\r\n$uid=network.session_id\r\nmatch:\r\n $uid, principal.ip, target.ip, $inference, security_result.description\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "4483756dfdffcff91de639b47f4be3c2aa95f12dbc72033408fcf1c7a9f2079b" + "etag": "7966d42b325c6ac0f2901a0fceac996178a79ada9c3dbf9614373ed22974b4c8" }, { - "name": "5a7caf79-df3a-492b-b8e3-dc43f681f1bf", + "name": "26d7305e-f295-4d48-9014-bfd452f0edcc", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nprincipal.ip!=\"\"\r\nnetwork.tls.version!=\"\"\r\n$src_host_type=if(principal.ip in cidr %internal_cidr_list, \"Internal\", \"External\")\r\n$dest_host_type=if(target.ip in cidr %internal_cidr_list, \"Internal\", \"External\")\r\n$version_status=if(network.tls.version=\"TLSv13\", \"Most Secure (v1.3)\", \r\n if(network.tls.version=\"TLSv12\", \"Secure (v1.2)\",\r\n if(network.tls.version=\"DTLSv12\", \"Secure (v1.2)\",\r\n if(network.tls.version=\"unknown-64282\", \"Unknown\", \"Old Version < (v1.2)\"\r\n ))))\r\nmatch:\r\n 
network.tls.version, $version_status, $src_host_type, $dest_host_type\r\noutcome:\r\n $connection_type=array_distinct(if($src_host_type=\"Internal\" AND $dest_host_type=\"External\", \"Outbound\", \r\n if($src_host_type=\"External\" AND $dest_host_type=\"Internal\", \"Inbound\",\r\n if($src_host_type=\"Internal\" AND $dest_host_type=\"Internal\", \"Internal\",\r\n if($src_host_type=\"External\" AND $dest_host_type=\"External\", \"EEther\", \"Undefined\"\r\n )))))\r\n $ip_class=array_distinct($dest_host_type)\r\n $count=count_distinct(network.session_id)\r\norder:\r\n $count desc\r\n", "input": { "relativeTime": { @@ -1269,7 +1269,7 @@ "startTimeVal": "1" } }, - "etag": "ef0634f50608f1d651bf854172e3411c33a9ddbbd22cb3e291981dff04432ee0" + "etag": "1e2387e1198a7f81c1ce8a7d54d427401e29fa13ab8c6ea415fcc9b1e666e170" } ] } diff --git a/dashboards/Security Posture/Security Posture.json b/dashboards/Security Posture/Security Posture.json index d800d0b..eb71d90 100644 --- a/dashboards/Security Posture/Security Posture.json +++ b/dashboards/Security Posture/Security Posture.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "a680ab9e-a503-471d-929e-d8efbcc54652", + "name": "63c89b07-ec71-44aa-80a1-2be13f791603", "displayName": "Corelight → Security Posture", "definition": { "filters": [ 
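Review bot: The scanning-activity chart in the `@@ -1236` hunk carries over a missing comma in `$combined_fields=strings.concat(network.session_id principal.ip, target.ip, security_result.summary)`; the commit rewrites the filter above it but leaves this line as-is, so if the query engine does not accept bare juxtaposition the chart will fail to parse, and if it does, the distinct-count will be built from the wrong fields. The parallel reverse-SSH chart in the preceding hunk spells the same expression correctly, so the fix is `$combined_fields=strings.concat(network.session_id, principal.ip, target.ip, security_result.summary)`. The file-transfer chart in this hunk has the same duplicated-list pattern as the other rewritten SSH charts (the `OR` filter and the `$inference` if-chain enumerate the same four summaries, leaving the `"Unknown"` fallback unreachable), which is worth keeping in mind when either list changes.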
@@ -20,42 +20,42 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "b9c1f8a7-e472-4387-aa51-3e8993f8e218", - "2bc3a325-e841-4d6b-9cfd-9eee6b285222", - "51b4f1c6-a999-43fb-a8a2-9354b1c190e0", - "db549487-9d66-400f-aa50-41b4cfbc5e03", - "03e947ce-86ec-4b49-b16d-86645fa05980", - "df5eca2d-f782-41e2-8f6c-790f7dae28ed", - "f37440ab-7c69-45ef-b57a-a6bb1e702659", - "882e57c0-0ee0-4ae3-98a9-2ef396ec4391", - "c8bb14fc-9264-4c64-a62d-6f9bc412d26a", - "c099f20f-1b29-4d7b-807f-f58cee750c9d", - "8f597aeb-3223-4e1b-a7af-8367f744aa88", - "8b009067-34a9-4646-ad43-3621c15cf09a", - "c4d6236a-76f3-4326-a7fa-4b3bb7a245bb", - "faccfb8a-67e2-459c-a418-8e476b46d84b", - "40505ca5-bdbb-4ea1-bcc6-a592d2655f1f", - "64dfe17e-049f-49a6-bcdf-545ca3818629", - "a96a49f9-a87d-4ed0-b5a3-c1ff86851aaa", - "648158d1-cc83-435b-bd75-d637ecbe640a", - "40dc9b6c-4383-45e9-b0ac-b72dc933b710", - "b910d05d-289f-4cc0-94df-d976666cbde3", - "9fd29f39-6465-4d76-a30e-029bc7457d9a", - "3b999ba0-9e0b-4fa7-a99e-0cef17405724", - "793b34b6-011f-4591-8fdc-551a00d884bb", - "64b59882-6b0b-4694-9260-278d4b1a5262", - "09e7c473-c43b-4e6d-b51d-0fe27c09458c", - "bedd0f55-8c22-43e8-bb69-592779dcba33", - "ea49f8d2-300c-4b68-bae3-76e0f1da2372", - "8932a0eb-b7a8-432f-b706-88f07e577486", - "c44787fb-d56f-4b9d-91ea-c0845d420349", - "d0fa705d-bc2a-4cb4-ba9d-879fa6eda9d4", - "07dbedd7-fce7-4350-a5d8-44e8543983c2", - "3d3061a4-5d71-4ca6-a4ac-64584af5869b", - "3ca4c864-e757-4427-a6a9-74f1cb6a2282", - "65dbfbab-184f-46b9-833e-b16c132f53a6", - "f16e71d4-4d75-4073-8837-4b9641a5af46", - "a6896a24-533f-4c7d-a9e8-8d4c61e40897" + "8332c849-c3b2-4368-bc40-1d0ae28e0344", + "f8368e66-ee75-4bd3-a24c-e228603f78e4", + "7cf89a1f-b085-4264-a568-9c961d06dc25", + "e03f32ac-535e-416f-88fe-355755964f20", + "f97866fb-0848-4589-87a4-a3b596a307b1", + "0bd0c826-2cda-422f-a505-8ac6634c9576", + "ff853a13-305c-43d8-8903-765c5c72e384", + "4e644063-a8f6-4360-92a1-dcc49190011d", + "5bd10bcc-e066-4d8f-b498-018ae81031c9", + 
"d33d8db5-c0a5-4456-a74d-cd64dc8c3e90", + "6fcea0b2-828c-4eae-aecc-61295bec3634", + "a232c209-bf7b-4182-9c00-222b5821355e", + "37aa89e0-6e28-4f64-9ba5-ba5f74730ebc", + "bdb2e4d4-f476-440b-a1f4-8e6b548e6468", + "0524da24-5741-4240-a0f9-ef099c3ac299", + "d4c509c1-8e0a-4da2-9050-9db76248f2ae", + "02be61d5-03d7-4248-a009-72fa9eb245f4", + "ee042be8-50d3-4816-b40d-6799f06059b0", + "a80cffe8-1921-42b7-be4d-13f95b129363", + "926acd15-1ecb-403a-bbac-c4306103771b", + "d4fbc846-273e-4a87-b9cf-862ca171446b", + "e0eed114-36c7-46c5-8e57-c7d23ebd015e", + "281a200b-6810-469e-a18a-5a63b68b1dc8", + "2bd8bf73-50d0-41be-8725-f69ae1d3a6fe", + "77b08f17-755b-45a9-b75b-7d77b8d18133", + "d8db0de3-00e7-4bc7-94cd-e53046d33e33", + "72db0ce3-b934-4d75-a4a2-d578ee24f9e1", + "cef7bdea-753b-4036-86a4-ec542a13816e", + "c039611b-25f1-4272-9141-00f0b7a3204b", + "252a3a4b-f2b6-4eac-b672-3acbb8ee6923", + "5c0dbbe6-8b58-451e-a991-1c0614d5c230", + "a1762cd4-00b1-484a-82cc-badf04003a09", + "495f956c-719b-470e-9390-c094be2fcdd0", + "8b883541-e68c-4f3b-bd84-684790bc0619", + "6ba7eb13-3fc9-405e-bd81-d0885f0c94bb", + "db880a51-1dd3-4997-b9db-146d92d3f524" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -74,48 +74,48 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "b9c1f8a7-e472-4387-aa51-3e8993f8e218", - "2bc3a325-e841-4d6b-9cfd-9eee6b285222", - "51b4f1c6-a999-43fb-a8a2-9354b1c190e0", - "03e947ce-86ec-4b49-b16d-86645fa05980", - "db549487-9d66-400f-aa50-41b4cfbc5e03", - "df5eca2d-f782-41e2-8f6c-790f7dae28ed", - "f37440ab-7c69-45ef-b57a-a6bb1e702659", - "882e57c0-0ee0-4ae3-98a9-2ef396ec4391", - "c8bb14fc-9264-4c64-a62d-6f9bc412d26a", - "c099f20f-1b29-4d7b-807f-f58cee750c9d", - "8f597aeb-3223-4e1b-a7af-8367f744aa88", - "8b009067-34a9-4646-ad43-3621c15cf09a", - "c4d6236a-76f3-4326-a7fa-4b3bb7a245bb", - "faccfb8a-67e2-459c-a418-8e476b46d84b", - "64dfe17e-049f-49a6-bcdf-545ca3818629", - "40505ca5-bdbb-4ea1-bcc6-a592d2655f1f", - "a96a49f9-a87d-4ed0-b5a3-c1ff86851aaa", - "648158d1-cc83-435b-bd75-d637ecbe640a", - "40dc9b6c-4383-45e9-b0ac-b72dc933b710", - "b910d05d-289f-4cc0-94df-d976666cbde3", - "9fd29f39-6465-4d76-a30e-029bc7457d9a", - "3b999ba0-9e0b-4fa7-a99e-0cef17405724", - "793b34b6-011f-4591-8fdc-551a00d884bb", - "64b59882-6b0b-4694-9260-278d4b1a5262", - "09e7c473-c43b-4e6d-b51d-0fe27c09458c", - "bedd0f55-8c22-43e8-bb69-592779dcba33", - "ea49f8d2-300c-4b68-bae3-76e0f1da2372", - "8932a0eb-b7a8-432f-b706-88f07e577486", - "c44787fb-d56f-4b9d-91ea-c0845d420349", - "d0fa705d-bc2a-4cb4-ba9d-879fa6eda9d4", - "07dbedd7-fce7-4350-a5d8-44e8543983c2", - "3ca4c864-e757-4427-a6a9-74f1cb6a2282", - "3d3061a4-5d71-4ca6-a4ac-64584af5869b", - "65dbfbab-184f-46b9-833e-b16c132f53a6", - "f16e71d4-4d75-4073-8837-4b9641a5af46", - "a6896a24-533f-4c7d-a9e8-8d4c61e40897" + "8332c849-c3b2-4368-bc40-1d0ae28e0344", + "f8368e66-ee75-4bd3-a24c-e228603f78e4", + "7cf89a1f-b085-4264-a568-9c961d06dc25", + "f97866fb-0848-4589-87a4-a3b596a307b1", + "e03f32ac-535e-416f-88fe-355755964f20", + "0bd0c826-2cda-422f-a505-8ac6634c9576", + "ff853a13-305c-43d8-8903-765c5c72e384", + "4e644063-a8f6-4360-92a1-dcc49190011d", + "5bd10bcc-e066-4d8f-b498-018ae81031c9", + 
"d33d8db5-c0a5-4456-a74d-cd64dc8c3e90", + "6fcea0b2-828c-4eae-aecc-61295bec3634", + "a232c209-bf7b-4182-9c00-222b5821355e", + "37aa89e0-6e28-4f64-9ba5-ba5f74730ebc", + "bdb2e4d4-f476-440b-a1f4-8e6b548e6468", + "d4c509c1-8e0a-4da2-9050-9db76248f2ae", + "0524da24-5741-4240-a0f9-ef099c3ac299", + "02be61d5-03d7-4248-a009-72fa9eb245f4", + "ee042be8-50d3-4816-b40d-6799f06059b0", + "a80cffe8-1921-42b7-be4d-13f95b129363", + "926acd15-1ecb-403a-bbac-c4306103771b", + "d4fbc846-273e-4a87-b9cf-862ca171446b", + "e0eed114-36c7-46c5-8e57-c7d23ebd015e", + "281a200b-6810-469e-a18a-5a63b68b1dc8", + "2bd8bf73-50d0-41be-8725-f69ae1d3a6fe", + "77b08f17-755b-45a9-b75b-7d77b8d18133", + "d8db0de3-00e7-4bc7-94cd-e53046d33e33", + "72db0ce3-b934-4d75-a4a2-d578ee24f9e1", + "cef7bdea-753b-4036-86a4-ec542a13816e", + "c039611b-25f1-4272-9141-00f0b7a3204b", + "252a3a4b-f2b6-4eac-b672-3acbb8ee6923", + "5c0dbbe6-8b58-451e-a991-1c0614d5c230", + "495f956c-719b-470e-9390-c094be2fcdd0", + "a1762cd4-00b1-484a-82cc-badf04003a09", + "8b883541-e68c-4f3b-bd84-684790bc0619", + "6ba7eb13-3fc9-405e-bd81-d0885f0c94bb", + "db880a51-1dd3-4997-b9db-146d92d3f524" ] } ], "charts": [ { - "dashboardChart": "03e947ce-86ec-4b49-b16d-86645fa05980", + "dashboardChart": "f97866fb-0848-4589-87a4-a3b596a307b1", "chartLayout": { "startX": 0, "spanX": 24, @@ -128,7 +128,7 @@ ] }, { - "dashboardChart": "3b999ba0-9e0b-4fa7-a99e-0cef17405724", + "dashboardChart": "e0eed114-36c7-46c5-8e57-c7d23ebd015e", "chartLayout": { "startX": 24, "spanX": 24, @@ -141,7 +141,7 @@ ] }, { - "dashboardChart": "51b4f1c6-a999-43fb-a8a2-9354b1c190e0", + "dashboardChart": "7cf89a1f-b085-4264-a568-9c961d06dc25", "chartLayout": { "startX": 48, "spanX": 24, @@ -154,7 +154,7 @@ ] }, { - "dashboardChart": "65dbfbab-184f-46b9-833e-b16c132f53a6", + "dashboardChart": "8b883541-e68c-4f3b-bd84-684790bc0619", "chartLayout": { "startX": 72, "spanX": 24, 
@@ -167,7 +167,7 @@ ] }, { - "dashboardChart": "c44787fb-d56f-4b9d-91ea-c0845d420349", + "dashboardChart": "c039611b-25f1-4272-9141-00f0b7a3204b", "chartLayout": { "startX": 0, "spanX": 96, @@ -180,7 +180,7 @@ ] }, { - "dashboardChart": "2bc3a325-e841-4d6b-9cfd-9eee6b285222", + "dashboardChart": "f8368e66-ee75-4bd3-a24c-e228603f78e4", "chartLayout": { "startX": 0, "spanX": 19, @@ -193,7 +193,7 @@ ] }, { - "dashboardChart": "8f597aeb-3223-4e1b-a7af-8367f744aa88", + "dashboardChart": "6fcea0b2-828c-4eae-aecc-61295bec3634", "chartLayout": { "startX": 57, "spanX": 19, @@ -206,7 +206,7 @@ ] }, { - "dashboardChart": "9fd29f39-6465-4d76-a30e-029bc7457d9a", + "dashboardChart": "d4fbc846-273e-4a87-b9cf-862ca171446b", "chartLayout": { "startX": 38, "spanX": 19, @@ -219,7 +219,7 @@ ] }, { - "dashboardChart": "c4d6236a-76f3-4326-a7fa-4b3bb7a245bb", + "dashboardChart": "37aa89e0-6e28-4f64-9ba5-ba5f74730ebc", "chartLayout": { "startX": 76, "spanX": 20, @@ -232,7 +232,7 @@ ] }, { - "dashboardChart": "648158d1-cc83-435b-bd75-d637ecbe640a", + "dashboardChart": "ee042be8-50d3-4816-b40d-6799f06059b0", "chartLayout": { "startX": 0, "spanX": 96, @@ -245,7 +245,7 @@ ] }, { - "dashboardChart": "b910d05d-289f-4cc0-94df-d976666cbde3", + "dashboardChart": "926acd15-1ecb-403a-bbac-c4306103771b", "chartLayout": { "startX": 0, "spanX": 24, @@ -258,7 +258,7 @@ ] }, { - "dashboardChart": "882e57c0-0ee0-4ae3-98a9-2ef396ec4391", + "dashboardChart": "4e644063-a8f6-4360-92a1-dcc49190011d", "chartLayout": { "startX": 0, "spanX": 96, @@ -271,7 +271,7 @@ ] }, { - "dashboardChart": "a96a49f9-a87d-4ed0-b5a3-c1ff86851aaa", + "dashboardChart": "02be61d5-03d7-4248-a009-72fa9eb245f4", "chartLayout": { "startX": 24, "spanX": 24, @@ -284,7 +284,7 @@ ] }, { - "dashboardChart": "db549487-9d66-400f-aa50-41b4cfbc5e03", + "dashboardChart": "e03f32ac-535e-416f-88fe-355755964f20", "chartLayout": { "startX": 48, "spanX": 24, 
@@ -297,7 +297,7 @@ ] }, { - "dashboardChart": "bedd0f55-8c22-43e8-bb69-592779dcba33", + "dashboardChart": "d8db0de3-00e7-4bc7-94cd-e53046d33e33", "chartLayout": { "startX": 72, "spanX": 24, @@ -310,7 +310,7 @@ ] }, { - "dashboardChart": "df5eca2d-f782-41e2-8f6c-790f7dae28ed", + "dashboardChart": "0bd0c826-2cda-422f-a505-8ac6634c9576", "chartLayout": { "startX": 0, "spanX": 33, @@ -323,7 +323,7 @@ ] }, { - "dashboardChart": "64b59882-6b0b-4694-9260-278d4b1a5262", + "dashboardChart": "2bd8bf73-50d0-41be-8725-f69ae1d3a6fe", "chartLayout": { "startX": 33, "spanX": 32, @@ -336,7 +336,7 @@ ] }, { - "dashboardChart": "ea49f8d2-300c-4b68-bae3-76e0f1da2372", + "dashboardChart": "72db0ce3-b934-4d75-a4a2-d578ee24f9e1", "chartLayout": { "startX": 65, "spanX": 31, @@ -349,7 +349,7 @@ ] }, { - "dashboardChart": "07dbedd7-fce7-4350-a5d8-44e8543983c2", + "dashboardChart": "5c0dbbe6-8b58-451e-a991-1c0614d5c230", "chartLayout": { "startX": 0, "spanX": 48, @@ -362,7 +362,7 @@ ] }, { - "dashboardChart": "f37440ab-7c69-45ef-b57a-a6bb1e702659", + "dashboardChart": "ff853a13-305c-43d8-8903-765c5c72e384", "chartLayout": { "startX": 0, "spanX": 96, @@ -375,7 +375,7 @@ ] }, { - "dashboardChart": "c099f20f-1b29-4d7b-807f-f58cee750c9d", + "dashboardChart": "d33d8db5-c0a5-4456-a74d-cd64dc8c3e90", "chartLayout": { "startX": 48, "spanX": 48, @@ -388,7 +388,7 @@ ] }, { - "dashboardChart": "faccfb8a-67e2-459c-a418-8e476b46d84b", + "dashboardChart": "bdb2e4d4-f476-440b-a1f4-8e6b548e6468", "chartLayout": { "startX": 0, "spanX": 24, @@ -401,7 +401,7 @@ ] }, { - "dashboardChart": "3ca4c864-e757-4427-a6a9-74f1cb6a2282", + "dashboardChart": "495f956c-719b-470e-9390-c094be2fcdd0", "chartLayout": { "startX": 48, "spanX": 24, @@ -414,7 +414,7 @@ ] }, { - "dashboardChart": "c8bb14fc-9264-4c64-a62d-6f9bc412d26a", + "dashboardChart": "5bd10bcc-e066-4d8f-b498-018ae81031c9", "chartLayout": { "startX": 72, "spanX": 24, 
@@ -427,7 +427,7 @@ ] }, { - "dashboardChart": "793b34b6-011f-4591-8fdc-551a00d884bb", + "dashboardChart": "281a200b-6810-469e-a18a-5a63b68b1dc8", "chartLayout": { "startX": 0, "spanX": 96, @@ -440,7 +440,7 @@ ] }, { - "dashboardChart": "40505ca5-bdbb-4ea1-bcc6-a592d2655f1f", + "dashboardChart": "0524da24-5741-4240-a0f9-ef099c3ac299", "chartLayout": { "startX": 72, "spanX": 24, @@ -453,7 +453,7 @@ ] }, { - "dashboardChart": "3d3061a4-5d71-4ca6-a4ac-64584af5869b", + "dashboardChart": "a1762cd4-00b1-484a-82cc-badf04003a09", "chartLayout": { "startX": 0, "spanX": 69, @@ -466,7 +466,7 @@ ] }, { - "dashboardChart": "a6896a24-533f-4c7d-a9e8-8d4c61e40897", + "dashboardChart": "db880a51-1dd3-4997-b9db-146d92d3f524", "chartLayout": { "startX": 69, "spanX": 27, @@ -479,7 +479,7 @@ ] }, { - "dashboardChart": "8932a0eb-b7a8-432f-b706-88f07e577486", + "dashboardChart": "cef7bdea-753b-4036-86a4-ec542a13816e", "chartLayout": { "startX": 0, "spanX": 96, @@ -492,7 +492,7 @@ ] }, { - "dashboardChart": "b9c1f8a7-e472-4387-aa51-3e8993f8e218", + "dashboardChart": "8332c849-c3b2-4368-bc40-1d0ae28e0344", "chartLayout": { "startX": 0, "spanX": 96, @@ -505,7 +505,7 @@ ] }, { - "dashboardChart": "64dfe17e-049f-49a6-bcdf-545ca3818629", + "dashboardChart": "d4c509c1-8e0a-4da2-9050-9db76248f2ae", "chartLayout": { "startX": 0, "spanX": 96, @@ -518,7 +518,7 @@ ] }, { - "dashboardChart": "d0fa705d-bc2a-4cb4-ba9d-879fa6eda9d4", + "dashboardChart": "252a3a4b-f2b6-4eac-b672-3acbb8ee6923", "chartLayout": { "startX": 19, "spanX": 19, @@ -531,7 +531,7 @@ ] }, { - "dashboardChart": "09e7c473-c43b-4e6d-b51d-0fe27c09458c", + "dashboardChart": "77b08f17-755b-45a9-b75b-7d77b8d18133", "chartLayout": { "startX": 0, "spanX": 24, @@ -544,7 +544,7 @@ ] }, { - "dashboardChart": "40dc9b6c-4383-45e9-b0ac-b72dc933b710", + "dashboardChart": "a80cffe8-1921-42b7-be4d-13f95b129363", "chartLayout": { "startX": 24, "spanX": 24, 
@@ -557,7 +557,7 @@ ] }, { - "dashboardChart": "8b009067-34a9-4646-ad43-3621c15cf09a", + "dashboardChart": "a232c209-bf7b-4182-9c00-222b5821355e", "chartLayout": { "startX": 48, "spanX": 24, @@ -570,7 +570,7 @@ ] }, { - "dashboardChart": "f16e71d4-4d75-4073-8837-4b9641a5af46", + "dashboardChart": "6ba7eb13-3fc9-405e-bd81-d0885f0c94bb", "chartLayout": { "startX": 24, "spanX": 24, @@ -585,16 +585,16 @@ ] }, "type": "CUSTOM", - "etag": "3b95b12926b90b39d357fe44d560360280f9b02d0ad8d418383786a3c4273fdb", + "etag": "1f239bd423a2bad628845f39ddc42397cd15b196d26843659dd9f138321c24cf", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "3b999ba0-9e0b-4fa7-a99e-0cef17405724", + "name": "e0eed114-36c7-46c5-8e57-c7d23ebd015e", "displayName": "Unique Source IPs", "description": "Unique Source IPs", "chartDatasource": { - "dashboardQuery": "c0d12d77-8c3c-4051-8fb9-9c2d89228e6e", + "dashboardQuery": "1133d158-0843-4438-a4af-2649262dd6aa", "dataSources": [ "UDM" ] @@ -630,14 +630,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "5f6d48ef9c2e6576ae7848f7f6e972d96374099d886ab217a44b80e211f1f3d5" + "etag": "2921a3adad41e52373d5c466b50462036a3fc6c9daad823a62940be2c4d99a38" }, { - "name": "03e947ce-86ec-4b49-b16d-86645fa05980", + "name": "f97866fb-0848-4589-87a4-a3b596a307b1", "displayName": " Suricata Alerts", "description": "All Suricata Alerts", "chartDatasource": { - "dashboardQuery": "21021c87-2589-4cd7-93bd-e8049f0638be", + "dashboardQuery": "20fd36ed-72d0-4fbf-ac06-f3dced3d5bfa", "dataSources": [ "UDM" ] 
@@ -673,14 +673,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "5c0813b8983d03da195614debdef21f9a1721d06617ab6be091b627a4faf3f61" + "etag": "9687c2355ad96d11f3b560d63b4d8db4c37284e966dfeb8cc289cbc550c8fce1" }, { - "name": "faccfb8a-67e2-459c-a418-8e476b46d84b", + "name": "bdb2e4d4-f476-440b-a1f4-8e6b548e6468", "displayName": "Unencrypted Connections", "description": "Unencrypted Connections", "chartDatasource": { - "dashboardQuery": "8a0d36e4-d817-4a9c-8c34-2f41116e035d", + "dashboardQuery": "d22e092e-1faa-419d-89f1-609194a9ea5c", "dataSources": [ "UDM" ] @@ -716,15 +716,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "71e1d428edf0146118acf2520e197dc5c0e70123fb1899127102b2ee12dc84e2", + "etag": "6e828ae48b67d3dbba4d411f1a83ff6c71f8c39578325e400c7144f6395cecd6", "drillDownConfig": {} }, { - "name": "40dc9b6c-4383-45e9-b0ac-b72dc933b710", + "name": "a80cffe8-1921-42b7-be4d-13f95b129363", "displayName": "Unusual Qtypes", "description": "Unusual Qtypes", "chartDatasource": { - "dashboardQuery": "4e73a301-7875-4984-bd9a-5c147e43f10c", + "dashboardQuery": "62ed17c8-6345-4f20-8157-8bc6c9eaa4c8", "dataSources": [ "UDM" ] @@ -760,14 +760,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "c0415d58bd9f7579f05cbc5a271f0ee571a8abb4f583c2b17477cf8d974614f7" + "etag": "0d3cd6dce7b68371ca23f98cf29671ad6948e6a36cb88e483be93069608c6e50" }, { - "name": "ea49f8d2-300c-4b68-bae3-76e0f1da2372", + "name": "72db0ce3-b934-4d75-a4a2-d578ee24f9e1", "displayName": "Expiring Certs.", "description": "Expiring Certs.", "chartDatasource": { - "dashboardQuery": "954c3b96-2575-41e5-80c0-b1aa61e2089c", + "dashboardQuery": "eed864f3-3baf-4629-8366-876a88ac9169", "dataSources": [ "UDM" ] 
@@ -803,15 +803,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "dcf374fa2215bf2791c56b9686e5bd9c839429d30c1ca0a15edb25989d90233e", + "etag": "1722d749571fee80e9cb8e90dcd57dbc48f52b061702fc45c59860c3f9976e5e", "drillDownConfig": {} }, { - "name": "64b59882-6b0b-4694-9260-278d4b1a5262", + "name": "2bd8bf73-50d0-41be-8725-f69ae1d3a6fe", "displayName": "Certs w/ Low Keys", "description": "Certs w/ Low Keys", "chartDatasource": { - "dashboardQuery": "15d4a6fe-557e-4616-81a7-84abc71d5d32", + "dashboardQuery": "8716c912-f0bc-48b3-bf9b-4b908d2e0dda", "dataSources": [ "UDM" ] @@ -847,15 +847,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e948a37bd4bf15aff2d81690306ae558a4eb3485e897193d6a6491f0d64eb543", + "etag": "316ce1ca7cf5ee3ba9a620cc81f36e6a6e018320c7875d6b77d0b3ef6105315e", "drillDownConfig": {} }, { - "name": "c8bb14fc-9264-4c64-a62d-6f9bc412d26a", + "name": "5bd10bcc-e066-4d8f-b498-018ae81031c9", "displayName": "FTP Sessions", "description": "FTP Sessions", "chartDatasource": { - "dashboardQuery": "8d96b21d-6480-4e60-b35c-f768c64b4c8c", + "dashboardQuery": "24bb0a2f-3170-4775-83e5-992d245b7013", "dataSources": [ "UDM" ] @@ -891,15 +891,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "539567bee3cb03374c8c26c633a611986a1d244fb2589e292e4e9468490da935", + "etag": "bab1d7b6d62eeda9ca3f1fcb2ef220272fae9b43d7da37a9271d3270d063afdd", "drillDownConfig": {} }, { - "name": "bedd0f55-8c22-43e8-bb69-592779dcba33", + "name": "d8db0de3-00e7-4bc7-94cd-e53046d33e33", "displayName": "Avg Alerts Per Source IP", "description": "Avg Alerts Per Source IP", "chartDatasource": { - "dashboardQuery": "6e3d14c0-cf2a-4fe2-9e69-2ee89cbf3ad8", + "dashboardQuery": "43b5e72c-a8ca-44a5-9f6e-eaf53d2ffc66", "dataSources": [ "UDM" ] 
@@ -935,13 +935,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "dddb9d91bdbdc2dd8dcf3cd78708419c61536b77a09fee92d9e07557e4579069" + "etag": "0b53bad4e12fb3535008eb5c7b6184e32139b3e610ca814aab80424ffbf7872b" }, { - "name": "3d3061a4-5d71-4ca6-a4ac-64584af5869b", + "name": "a1762cd4-00b1-484a-82cc-badf04003a09", "displayName": "Geolocation of DNS Responses", "chartDatasource": { - "dashboardQuery": "5a66e4a1-20d4-4221-9c27-32a8e00b11a4", + "dashboardQuery": "3a74631c-cbdf-4431-be6b-d1650ecc2808", "dataSources": [ "UDM" ] @@ -974,13 +974,13 @@ } }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "9acd568b5305db1b5148a15699c7954d3facdf0c8c644b47f438b838380e6c08" + "etag": "511e6b66802d63dcdf8c087e4d8686c44cac588bfd171f7a79af8c94a09bddeb" }, { - "name": "648158d1-cc83-435b-bd75-d637ecbe640a", + "name": "ee042be8-50d3-4816-b40d-6799f06059b0", "displayName": "Notices Over Time", "chartDatasource": { - "dashboardQuery": "0ddbbf51-408e-4c7d-978a-f57134c325e3", + "dashboardQuery": "4b8ea778-f516-4afe-b5af-fc0d64ab92f6", "dataSources": [ "UDM" ] @@ -1022,14 +1022,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "b0115b431ce5d4f66705ac17c1ac71fb497ff65617c300b3a8c854d6948da3d1" + "etag": "1d95362a82949e430a207c1825b69e28acb1ae8ebe6d646253d491a58623bf57" }, { - "name": "8b009067-34a9-4646-ad43-3621c15cf09a", + "name": "a232c209-bf7b-4182-9c00-222b5821355e", "displayName": "NXDOMAIN Responses", "description": "NXDOMAIN Responses", "chartDatasource": { - "dashboardQuery": "7c2fb619-f74a-4b9d-92a6-86db4ab6b2f3", + "dashboardQuery": "ddc94ac8-5075-4246-b98e-18e2e5d0eb2d", "dataSources": [ "UDM" ] 
@@ -1065,14 +1065,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "a9836cc9d80e7cb1e7349647d2ec69dfa113700e1a04a1859b9f789c30289b56" + "etag": "2ede4301aab72899cc6bd9af52670e454fd3e1f1bb825edb58f44e194ef08abc" }, { - "name": "2bc3a325-e841-4d6b-9cfd-9eee6b285222", + "name": "f8368e66-ee75-4bd3-a24c-e228603f78e4", "displayName": " Notices", "description": "Messages Excluding Intel", "chartDatasource": { - "dashboardQuery": "ab3d7cdc-b58c-4f72-9e91-fce95dc7e2d1", + "dashboardQuery": "b14c7ad0-f389-4c11-9f7f-b35f456cc472", "dataSources": [ "UDM" ] @@ -1108,14 +1108,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "fdb3c4f55649c1e79a1f0c9128ed00ddf49d8040890c64ab7a09c158273f4c61" + "etag": "53760e1c7d6236fe90fdab5635553731556e7ed9d98d0007a8a796d42c533631" }, { - "name": "df5eca2d-f782-41e2-8f6c-790f7dae28ed", + "name": "0bd0c826-2cda-422f-a505-8ac6634c9576", "displayName": "Self Signed Certs", "description": "Self Signed Certs", "chartDatasource": { - "dashboardQuery": "3c771f58-d86c-4a86-82d0-c3e62a6de189", + "dashboardQuery": "639ef081-fcb2-4363-9304-d2ef37353414", "dataSources": [ "UDM" ] @@ -1151,14 +1151,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0d9b0e8a7ad696667e59ca37a8ac503047f69044e105f138f720c9b1c92094d0", + "etag": "dcf5bf8bd0adab47cdb14146e5f544e7e4d6f7d95d2c5ff6f97f71c594b49f3f", "drillDownConfig": {} }, { - "name": "a6896a24-533f-4c7d-a9e8-8d4c61e40897", + "name": "db880a51-1dd3-4997-b9db-146d92d3f524", "displayName": " ", "chartDatasource": { - "dashboardQuery": "f3b60823-6a86-45e1-86cd-2bd83550ff2d", + "dashboardQuery": "7993ca98-d5b7-4863-ba12-0e4ba9d37f6f", "dataSources": [ "UDM" ] 
@@ -1192,13 +1192,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "13fb0dc747bead9c8a04ac31c05afd94929b24c79a0041f1a0e902c7c35dd37f" + "etag": "92915d8456714072ebabda21d0291a5da61a22f56b785eb1fe593e039b688655" }, { - "name": "f37440ab-7c69-45ef-b57a-a6bb1e702659", + "name": "ff853a13-305c-43d8-8903-765c5c72e384", "displayName": "Encrypted Traffic Over Time", "chartDatasource": { - "dashboardQuery": "678aba1b-8bc7-4e1e-b7cb-7a3e67742d18", + "dashboardQuery": "1be9c5ca-5be0-4af6-b5d9-d87b0f599a41", "dataSources": [ "UDM" ] @@ -1240,14 +1240,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6944c90fbd7490a063d24f94d5da164469f7736d19253a0d88de4dec0e0e5761" + "etag": "bcf27b59239d8dbb1f37b00a60501e409bbb5bf45a2c8344bdba469630161ead" }, { - "name": "b910d05d-289f-4cc0-94df-d976666cbde3", + "name": "926acd15-1ecb-403a-bbac-c4306103771b", "displayName": "Threat Intel", "description": "Intel Indicators", "chartDatasource": { - "dashboardQuery": "5504a4a8-2242-4666-8a6b-71ba3cff8da4", + "dashboardQuery": "b616624f-c53d-4866-8c4f-29899fcbf789", "dataSources": [ "UDM" ] @@ -1283,13 +1283,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "298706e2bb1656d5146beaabbd78848c0b28cd4d21daf1abd71746a2a05aeb17" + "etag": "e6df5372fc5bd12e118bb843ac62a8c4f8c3a5ab64f4ac6c98a6bbd66c64144e" }, { - "name": "882e57c0-0ee0-4ae3-98a9-2ef396ec4391", + "name": "4e644063-a8f6-4360-92a1-dcc49190011d", "displayName": "Intel Alerts Over Time", "chartDatasource": { - "dashboardQuery": "4e369b31-d85e-4b44-b7cf-ed95e52d84a4", + "dashboardQuery": "3c38ffae-a63f-490b-9a6f-4802a916da65", "dataSources": [ "UDM" ] 
@@ -1331,13 +1331,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "c1601489e3b80ca28d450d6b603c984bef32d7a9434d128c9e756a75bf683187" + "etag": "f6090dd3fc87753043718a4629b25d2cedc62373ad53668a3dfc19e4698e87c1" }, { - "name": "c44787fb-d56f-4b9d-91ea-c0845d420349", + "name": "c039611b-25f1-4272-9141-00f0b7a3204b", "displayName": "Suricata Alerts Over Time", "chartDatasource": { - "dashboardQuery": "d9021760-8911-4f9f-89ac-d0e9e3134df3", + "dashboardQuery": "986ea62f-5281-4719-9f84-a2e60cbdb778", "dataSources": [ "UDM" ] @@ -1379,14 +1379,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "080aaff6607125a4ed13b7588bf5327680f3f24046c5ad15f8c7ce67b534b86e" + "etag": "2ff88423f33f860197602dcf29dc57af4381148ca7c114c0ad87dfc88ed469b4" }, { - "name": "65dbfbab-184f-46b9-833e-b16c132f53a6", + "name": "8b883541-e68c-4f3b-bd84-684790bc0619", "displayName": "Unique Signatures", "description": "Unique Signatures", "chartDatasource": { - "dashboardQuery": "f3928ccf-6d4c-4934-a62e-680389548846", + "dashboardQuery": "043c1924-2a96-459b-8077-23a3d2e75452", "dataSources": [ "UDM" ] @@ -1422,14 +1422,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "218ebce270b8463175a384d1410ffa4f4c584cd3c05a668d9daff18a363153ba" + "etag": "d9838cca450c398a222fae3ed1e8b3fc53866af352a9f43c1662c3d6fc6e6d9d" }, { - "name": "a96a49f9-a87d-4ed0-b5a3-c1ff86851aaa", + "name": "02be61d5-03d7-4248-a009-72fa9eb245f4", "displayName": "Unique Indicators", "description": "Unique Indicators", "chartDatasource": { - "dashboardQuery": "d9143131-735d-446b-a2c3-40384c092ad5", + "dashboardQuery": "b69bf89b-cf03-4d29-a025-0bf92f9eb634", "dataSources": [ "UDM" ] 
@@ -1465,13 +1465,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "4228a27c0f9d530164d66ef77de50fa86ad07d7c3457aecb63b1acce70f99349" + "etag": "5648a35dcd8a3be57eff09e0e9a188fc0e8f9fd4cf07a2a3be5c75d09bf09a73" }, { - "name": "793b34b6-011f-4591-8fdc-551a00d884bb", + "name": "281a200b-6810-469e-a18a-5a63b68b1dc8", "displayName": "Top Unencrypted Protocols Used", "chartDatasource": { - "dashboardQuery": "14e08e64-fb7b-4a91-8395-bbc6fdf84bee", + "dashboardQuery": "d99b0896-5888-4bef-9d8b-e7784d90d7d0", "dataSources": [ "UDM" ] @@ -2371,13 +2371,13 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "b42a4300506493b11dbf15b3d474a81f8527b6584316997d3bea845494e4f42f" + "etag": "fd191c5e484fbfe4505b9dde2ef8a873075a364b5005f8bc5ad7bacae3dae07f" }, { - "name": "8932a0eb-b7a8-432f-b706-88f07e577486", + "name": "cef7bdea-753b-4036-86a4-ec542a13816e", "displayName": "Top VPN Destinations by Country", "chartDatasource": { - "dashboardQuery": "777346ba-f77c-4cef-870b-92f80499f4ea", + "dashboardQuery": "58154165-78cd-4dae-b213-9e13b5329f40", "dataSources": [ "UDM" ] @@ -2385,7 +2385,7 @@ "visualization": { "series": [ { - "seriesName": "Unspecified", + "seriesName": "none", "seriesType": "BAR", "encode": { "x": "country", @@ -2395,7 +2395,7 @@ "itemStyle": { "color": "#1a73e8" }, - "seriesUniqueValue": "undefined" + "seriesUniqueValue": "none" } ], "xAxes": [ 
@@ -2418,14 +2418,15 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "26e448c5516cc545159bd3933d514eb7e9f48b4cf2953a2ad690f077bfe34982" + "etag": "3939c3f5f7ae67459a1312a7a1a9a3e379730cee9cd5dfa6c6657dcc9dda57c5", + "drillDownConfig": {} }, { - "name": "3ca4c864-e757-4427-a6a9-74f1cb6a2282", + "name": "495f956c-719b-470e-9390-c094be2fcdd0", "displayName": "Telnet Sessions", "description": "Telnet Sessions", "chartDatasource": { - "dashboardQuery": "ba50d4a0-c416-4763-86d2-3badaeaa03ca", + "dashboardQuery": "9b60c9bd-6551-4c57-b7ad-d12704f51b84", "dataSources": [ "UDM" ] @@ -2461,13 +2462,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e3e31d1cffe2a0ddff4b4d6b6861887d8232d5f82788bf79e22f61be70945057" + "etag": "b4669685da5563d41c3e1575a8a61a18f8ba83457dedeecaa5b576f9c365aa12" }, { - "name": "07dbedd7-fce7-4350-a5d8-44e8543983c2", + "name": "5c0dbbe6-8b58-451e-a991-1c0614d5c230", "displayName": "TLS Versions", "chartDatasource": { - "dashboardQuery": "08d4ab9e-5576-46ce-8572-a9f541a3f906", + "dashboardQuery": "eceaa386-3ed3-48d7-aadd-b8036a7b1f9d", "dataSources": [ "UDM" ] @@ -2506,14 +2507,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "997cddb28b0ecea14a5cbb9c5780fd8a0d3986cc37d864768351d807f73a7eb4" + "etag": "52135ddc77a2f441099bbea8b9d9912969a1c45f6bb0688121a0f5ff00c96a05" }, { - "name": "c4d6236a-76f3-4326-a7fa-4b3bb7a245bb", + "name": "37aa89e0-6e28-4f64-9ba5-ba5f74730ebc", "displayName": "Unique Note Count", "description": "Unique Note Count", "chartDatasource": { - "dashboardQuery": "146dfb93-1886-4f30-9ee1-ebf3e1b9d825", + "dashboardQuery": "5627a1de-9eb5-4584-aa77-632453b012f3", "dataSources": [ "UDM" ] 
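Review bot: The `"drillDownConfig": {}` added to "Top VPN Destinations by Country" in the `@@ -2418` hunk (and to "SMB v1 Connections" in the later `@@ -2897` hunk) gives those elements a key that neighbours in the same `dashboardCharts` array, such as "Telnet Sessions" and "TLS Versions" in this hunk, do not carry, so elements of one array no longer share one shape. An empty object and an absent key presumably mean the same thing to the importer, but nothing in the diff confirms that, and the mixed presence makes it hard to see at review time whether a drill-down was intentionally configured or merely touched in the editor. If the exporter is the only writer of this file, consider noting in the repository README that `drillDownConfig` appears only for charts whose drill-down pane has been opened, so future diffs with this churn can be skipped with confidence.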
@@ -2549,14 +2550,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "1f25e9f682f3922c7f0f99f4d6781fa44b10f409921527f2c615302aad2d7a47" + "etag": "0f002b2ff26ddc1e0b64b58e1bd928a3d63a42618d7ad63797e5555bf44271ee" }, { - "name": "51b4f1c6-a999-43fb-a8a2-9354b1c190e0", + "name": "7cf89a1f-b085-4264-a568-9c961d06dc25", "displayName": "Unique Destination IPs", "description": "Unique Destination IPs", "chartDatasource": { - "dashboardQuery": "31bb7a4a-8e6e-47c9-817a-6570268fce17", + "dashboardQuery": "641baa8b-6b81-4a13-a184-e31eb9b4c3d8", "dataSources": [ "UDM" ] @@ -2592,14 +2593,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "291d8f3e743169ac84ed5623385207255544d00dd516b27c6a96c0389974a330" + "etag": "0261f1cef2d67dd18938c543ad4731701fd5cfdb3058179fd3eb6aece58184ab" }, { - "name": "09e7c473-c43b-4e6d-b51d-0fe27c09458c", + "name": "77b08f17-755b-45a9-b75b-7d77b8d18133", "displayName": "Failed DNS Queries", "description": "Failed DNS Queries", "chartDatasource": { - "dashboardQuery": "399e87fc-f33e-4d12-ad28-7061bdc42554", + "dashboardQuery": "d97add35-add2-468a-b751-d51503f38203", "dataSources": [ "UDM" ] @@ -2635,14 +2636,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "338650beb8cbf2103e89310a28dd3ca088f893106f0240df6469786ed847cf5d" + "etag": "039406e1202eac739a4a578d9431dfc6fbd62c8f766670fded35aa5c2b64105c" }, { - "name": "9fd29f39-6465-4d76-a30e-029bc7457d9a", + "name": "d4fbc846-273e-4a87-b9cf-862ca171446b", "displayName": "SSL Certs. Issues", "description": "SSL Certs. Issues", "chartDatasource": { - "dashboardQuery": "3a408f40-ce5e-410e-9d91-ba43b280fdb9", + "dashboardQuery": "deb83f58-2310-43f2-b30f-1d0dca4fc347", "dataSources": [ "UDM" ] 
@@ -2678,14 +2679,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0af2c645c2ac84ad2ec7d5dc5e20d4f54e62bd6828af3e5c2c82334061d4fdff" + "etag": "a507ee789851fe9fda4a6b749772f5cf07660c1c6e0e4228e785106790c1483d" }, { - "name": "40505ca5-bdbb-4ea1-bcc6-a592d2655f1f", + "name": "0524da24-5741-4240-a0f9-ef099c3ac299", "displayName": "Internal DNS Servers", "description": "Internal DNS Servers", "chartDatasource": { - "dashboardQuery": "837d3f9f-70db-43e1-a0cc-25f115b18033", + "dashboardQuery": "317700ac-2169-4087-9ce5-acf2d935913f", "dataSources": [ "UDM" ] @@ -2721,13 +2722,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "03241b5cc0f050dd12dfa0a11f2494d2f1ebb2737ac26db18105a5bbec94e5b1" + "etag": "fe62d1b879b029f7391b74e67719aaec4d7652b6402e39bc17f3c7ff7595d944" }, { - "name": "64dfe17e-049f-49a6-bcdf-545ca3818629", + "name": "d4c509c1-8e0a-4da2-9050-9db76248f2ae", "displayName": "RDP Authentication Attempts", "chartDatasource": { - "dashboardQuery": "9e52fd59-0ce2-47e5-82c5-085ec45c193a", + "dashboardQuery": "740623da-8a53-418c-a16b-946a51b04da3", "dataSources": [ "UDM" ] @@ -2767,15 +2768,15 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "12a3517141b3b82891bffd1b253f85af26c3a94fb822989d60e7260fec553147", + "etag": "e4bf90efc584ee0e165c8182d91485240d3c5adef8e58162425cb6d19c1c1846", "drillDownConfig": {} }, { - "name": "d0fa705d-bc2a-4cb4-ba9d-879fa6eda9d4", + "name": "252a3a4b-f2b6-4eac-b672-3acbb8ee6923", "displayName": "Attack Count", "description": "Attack Count", "chartDatasource": { - "dashboardQuery": "c32fa2a5-b162-4a24-8e57-a5df0ebeda6f", + "dashboardQuery": "ddba3f62-889c-435d-9a34-54e3e3d8b80e", "dataSources": [ "UDM" ] 
@@ -2811,13 +2812,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d2abe337d4bdf8a251f0d575a921bee10fa3345cf40d5058a8a47eb7f8f6bcd5" + "etag": "485f32b32ea4a94f71865aad8366ebec689f182d5c97606f1166382898e73def" }, { - "name": "c099f20f-1b29-4d7b-807f-f58cee750c9d", + "name": "d33d8db5-c0a5-4456-a74d-cd64dc8c3e90", "displayName": "Internal TLS Versions Profile", "chartDatasource": { - "dashboardQuery": "b30c0a3b-0184-48dc-92bd-8f52cb59663f", + "dashboardQuery": "3435b82a-e901-4146-be36-68e5cbfef05c", "dataSources": [ "UDM" ] @@ -2854,14 +2855,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "30353a9fc83d7965009e699791066549f95c1b3c07528634a2dc41067518b1a6" + "etag": "3884b1f97fdd3e46d2a4caa29de2eba423528f402905f7868bf37815c2f94bdb" }, { - "name": "f16e71d4-4d75-4073-8837-4b9641a5af46", + "name": "6ba7eb13-3fc9-405e-bd81-d0885f0c94bb", "displayName": " SMB v1 Connections", "description": "SMB v1 Connections", "chartDatasource": { - "dashboardQuery": "d3bc892e-ffa6-47e7-99a2-fd44d87afe05", + "dashboardQuery": "4c4cbe98-48bd-408c-8ee2-dc0c3d370837", "dataSources": [ "UDM" ] @@ -2897,13 +2898,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "4e617dea9d6b97e9fb927f680ccc94528f0eba5ef94ca22fee02e8c773152a93" + "etag": "31d7dfc0eeeb4a48ab4dd50624c2773b38bbfefc68e5436fc6b6b8d3de893cb8", + "drillDownConfig": {} }, { - "name": "b9c1f8a7-e472-4387-aa51-3e8993f8e218", + "name": "8332c849-c3b2-4368-bc40-1d0ae28e0344", "displayName": "Outbound VPN Connections", "chartDatasource": { - "dashboardQuery": "b05c779f-b19f-46c7-9021-bf694daf4053", + "dashboardQuery": "b4968e73-3cea-4fa7-a317-9f55355d491c", "dataSources": [ "UDM" ] 
@@ -2946,14 +2948,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "f3229a072ca19f31bf2b49823e1b73922dfde9fd442c72af65e8e4665083cd10" + "etag": "14f2ac7f2bea909ffb3f1f5a461d664f418c45446efbc495bd10f805d408a37c" }, { - "name": "db549487-9d66-400f-aa50-41b4cfbc5e03", + "name": "e03f32ac-535e-416f-88fe-355755964f20", "displayName": "Avg Alerts Per Indicator", "description": "Avg Alerts Per Indicator", "chartDatasource": { - "dashboardQuery": "9f219418-bdb5-4109-91db-4135cec09b9a", + "dashboardQuery": "7c7a11d2-5181-455c-9c95-59332b22049c", "dataSources": [ "UDM" ] @@ -2989,14 +2991,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "da8b32dde33850a66c98168daf805fd3abe98ac2d0867d8f17812c038ba40401" + "etag": "6c3aa1f39d687cceacc3a882a8f3046cf3ebeea0acacaa7d806421a3618232b9" }, { - "name": "8f597aeb-3223-4e1b-a7af-8367f744aa88", + "name": "6fcea0b2-828c-4eae-aecc-61295bec3634", "displayName": "Meterpreter Count", "description": "Meterpreter Count", "chartDatasource": { - "dashboardQuery": "3d4a44e2-1140-48cb-b63a-ddf263047fce", + "dashboardQuery": "451827c0-3f0b-4c03-bbb5-0d246841a494", "dataSources": [ "UDM" ] @@ -3032,12 +3034,12 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "7a1e0a59f585da8f80f818b503759c98d549a838c32fb74b1725750f657b7887" + "etag": "01b2aa848a71c9fd38a73494b1fe682cbc24d1cfbac4a792218064bb40113d85" } ], "dashboardQueries": [ { - "name": "21021c87-2589-4cd7-93bd-e8049f0638be", + "name": "20fd36ed-72d0-4fbf-ac06-f3dced3d5bfa", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\" \r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { 
@@ -3045,10 +3047,10 @@ "startTimeVal": "1" } }, - "etag": "e139a0603df4f1a931233fee5715c67bf273b50a95510109da2daf4c2dc57da6" + "etag": "b74734b49fcb11f21089fb0a728385f4b6fdf7b420e9d3850476554e8bd68272" }, { - "name": "4e369b31-d85e-4b44-b7cf-ed95e52d84a4", + "name": "3c38ffae-a63f-490b-9a6f-4802a916da65", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"intel\" \r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { @@ -3056,10 +3058,10 @@ "startTimeVal": "1" } }, - "etag": "5410c050eac2a8e2f37fc82db7a3d67c54b68ddb92a246305418b2d80f05381a" + "etag": "b58bc031b7d2b1421703a05c4f63571c05dcd11d21c913f4560ebcb28ad0d60b" }, { - "name": "678aba1b-8bc7-4e1e-b7cb-7a3e67742d18", + "name": "1be9c5ca-5be0-4af6-b5d9-d87b0f599a41", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
@@ -3067,10 +3069,10 @@ "startTimeVal": "1" } }, - "etag": "0a2d3cad9de57b155a1cfe1e6475c56faa7964fd37f19612e7b41e3ca0066f20" + "etag": "9f5378f23c4b2026de3b84bb342a9f84441d71df0301a342a1c71274ab30da90" }, { - "name": "5a66e4a1-20d4-4221-9c27-32a8e00b11a4", + "name": "3a74631c-cbdf-4431-be6b-d1650ecc2808", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"dns\"\r\n$lat = target.ip_geo_artifact.location.region_latitude\r\n$long = target.ip_geo_artifact.location.region_longitude\r\n$lat != 0\r\n$long != 0\r\n$country = if(target.ip_geo_artifact.location.country_or_region!=\"\", target.ip_geo_artifact.location.country_or_region, \"No Country\")\r\nmatch:\r\n $lat, $long, $country\r\noutcome:\r\n $count = count(metadata.id)", "input": { "relativeTime": { @@ -3078,10 +3080,10 @@ "startTimeVal": "1" } }, - "etag": "c175084e9692f5deb066d4ddc562d210fa62b3823edc83843584bad23b0abe17" + "etag": "ed455d8528d657bfa0b01fbad258bf0bb4b3084ea7204db0db9361132137faac" }, { - "name": "15d4a6fe-557e-4616-81a7-84abc71d5d32", + "name": "8716c912-f0bc-48b3-bf9b-4b908d2e0dda", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"x509\" \r\nabout.domain.last_https_certificate.public_key.rsa.key_size < 2048\r\noutcome:\r\n $count=count_distinct(about.domain.last_https_certificate.thumbprint)", "input": { "relativeTime": { 
@@ -3089,10 +3091,10 @@ "startTimeVal": "1" } }, - "etag": "52b222ec5a1da59bd60dc617cbbf29bd81ffab85d0d3eeba78857756b8857c82" + "etag": "d241e54774c5019670ad911b122105f3fc5031aae3ec1054fbe292eb3f262c98" }, { - "name": "d9021760-8911-4f9f-89ac-d0e9e3134df3", + "name": "986ea62f-5281-4719-9f84-a2e60cbdb778", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\" \r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { @@ -3100,10 +3102,10 @@ "startTimeVal": "10" } }, - "etag": "e64077114069d5e0e846c400a87aec2fb5bdf6413223268a7345cc0fb9ba527b" + "etag": "f69bca82640dc215486dd3ae64798e327a2d65886d8b498183285cf406c030ae" }, { - "name": "5504a4a8-2242-4666-8a6b-71ba3cff8da4", + "name": "b616624f-c53d-4866-8c4f-29899fcbf789", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"intel\" \r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -3111,10 +3113,10 @@ "startTimeVal": "1" } }, - "etag": "f39e3e1b655e9f5ed0df8cb283df920cadd86cfebb384584ccc618c82dda3da9" + "etag": "4100b904feb759a720ec4c61fafd8cf17ffe93f46fecf212fff8797f66a71bc9" }, { - "name": "d9143131-735d-446b-a2c3-40384c092ad5", + "name": "b69bf89b-cf03-4d29-a025-0bf92f9eb634", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"intel\" \r\n$indicators=about.labels[\"indicator\"]\r\noutcome:\r\n $count=count_distinct($indicators)", "input": { "relativeTime": { 
@@ -3122,10 +3124,10 @@ "startTimeVal": "1" } }, - "etag": "8b46e397dd8e5a6bd4817800729584a5a9210c5003288ea0dfd530f08207a72b" + "etag": "44b66c03e8914212d87dcf3ff011bb49c723d4f39c78292f5c5fadeecab87523" }, { - "name": "c32fa2a5-b162-4a24-8e57-a5df0ebeda6f", + "name": "ddba3f62-889c-435d-9a34-54e3e3d8b80e", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= \"notice\"\r\nsecurity_result.description!=/^Intel/\r\nprincipal.ip!=\"\"\r\n$attack_type=re.capture(security_result.description, `^(?P[^\\s]+)`)\r\n$attack_type=/^ATTACK::/\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "timeWindow": { @@ -3133,10 +3135,10 @@ "endTime": "2025-03-25T23:59:59Z" } }, - "etag": "9b9e9692784e8955719d68507555ebf79630c6c5f6c94d7a0f4cecc997a5b562" + "etag": "7381779a3dc5d8308486c240d19230a81e1fcbbc3424d510e9a328bec2238490" }, { - "name": "ba50d4a0-c416-4763-86d2-3badaeaa03ca", + "name": "9b60c9bd-6551-4c57-b7ad-d12704f51b84", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= /^conn/\r\ntarget.port=23\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -3144,10 +3146,10 @@ "startTimeVal": "1" } }, - "etag": "f824f0cd9cf598e63bf2cf61bdfdc68f279aa7b8895780e5dcbff5ac2ef41c82" + "etag": "be4521702e3035c47060439a941547a23eabdc02a342bf7827935c5a2bb13514" }, { - "name": "b05c779f-b19f-46c7-9021-bf694daf4053", + "name": "b4968e73-3cea-4fa7-a317-9f55355d491c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\nNOT target.ip in cidr %internal_cidr_list \r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count = count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
@@ -3155,10 +3157,10 @@ "startTimeVal": "10" } }, - "etag": "3b12305d3d6485e077032ca61ad9aebebe53092950de9f2d23984159936142e9" + "etag": "5878b3bbef896c752ebd782413837b507374557609e973998733f89dce5d9bc6" }, { - "name": "ab3d7cdc-b58c-4f72-9e91-fce95dc7e2d1", + "name": "b14c7ad0-f389-4c11-9f7f-b35f456cc472", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"notice\" \r\nsecurity_result.description != /^Intel/\r\nprincipal.ip != \"\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -3166,10 +3168,10 @@ "startTimeVal": "1" } }, - "etag": "2a4e79f9a0889c24dd39eeb972cca5b8b47571d5ffdc32f415a15acb408f0928" + "etag": "1926e7a5e702276a0fb9a5dba55f1399c178ce4fe99bd8a64a901ddd69a4b90b" }, { - "name": "146dfb93-1886-4f30-9ee1-ebf3e1b9d825", + "name": "5627a1de-9eb5-4584-aa77-632453b012f3", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"notice\" \r\noutcome:\r\n $count=count_distinct(security_result.description)", "input": { "relativeTime": { @@ -3177,10 +3179,10 @@ "startTimeVal": "1" } }, - "etag": "f6343de00b8103bcfcf35c59bdd1e78e6c2543cf631a8b856776ee4bda24c069" + "etag": "6f6e1dc37ffffdcab7ec1e70c95ba505043094e35a8681e715715b73e4bc3994" }, { - "name": "9e52fd59-0ce2-47e5-82c5-085ec45c193a", + "name": "740623da-8a53-418c-a16b-946a51b04da3", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"rdp\"\r\nsecurity_result.action=\"ALLOW\" OR security_result.action=\"FAIL\"\r\n$auth_result=if(security_result.action=\"ALLOW\", \"Success\", \r\n if(security_result.action=\"FAIL\", \"Failure\", \"Unknown\"\r\n ))\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $auth_result\r\noutcome:\r\n $count = count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
@@ -3188,10 +3190,10 @@ "startTimeVal": "1" } }, - "etag": "019a40080ef9e9335cc53d14c61e925884b69e1d148938db9af8cd48c257a9ee" + "etag": "7b5ecae159d7debbe7475a08b18461d8808e8bc572d1bc78c28e20bfce92cbf5" }, { - "name": "9f219418-bdb5-4109-91db-4135cec09b9a", + "name": "7c7a11d2-5181-455c-9c95-59332b22049c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"intel\"\r\n$indicators=about.labels[\"indicator\"]\r\noutcome:\r\n $avg_alerts_per_indicators=math.round(count_distinct(metadata.id) / count_distinct($indicators), 2)", "input": { "relativeTime": { @@ -3199,10 +3201,10 @@ "startTimeVal": "1" } }, - "etag": "deff57cd40ac7c0c79285897d050899fd464954fe7db482ba76845129b1e3462" + "etag": "4be309f934c70cab235e298edbf5f13bc3d3f62774c5da2571c981a228a9b5d6" }, { - "name": "6e3d14c0-cf2a-4fe2-9e69-2ee89cbf3ad8", + "name": "43b5e72c-a8ca-44a5-9f6e-eaf53d2ffc66", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"intel\"\r\noutcome:\r\n $avg_alerts_per_source_ip=math.round(count_distinct(metadata.id) / count_distinct(principal.ip), 2)", "input": { "relativeTime": { @@ -3210,10 +3212,10 @@ "startTimeVal": "1" } }, - "etag": "5b0cc7043d733ce4e2ee5cf1dd07303b8dc6a659722f98ea7448a059a41f5f14" + "etag": "408b9329b201747d50fe9751c6cc6095e9829bc3d16e3dbcf3c18820a5b5776f" }, { - "name": "0ddbbf51-408e-4c7d-978a-f57134c325e3", + "name": "4b8ea778-f516-4afe-b5af-fc0d64ab92f6", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"notice\" \r\nsecurity_result.description != /^Intel/\r\nprincipal.ip != \"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
@@ -3221,10 +3223,10 @@ "startTimeVal": "1" } }, - "etag": "e0eaa4e1c3cc88cf1192b21b12626456da8e61b464ce394c789b46b77129900a" + "etag": "56b731470528cb64073258faf42f4bed8295a78f7a120199ffbea742fd8d8c71" }, { - "name": "4e73a301-7875-4984-bd9a-5c147e43f10c", + "name": "62ed17c8-6345-4f20-8157-8bc6c9eaa4c8", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= \"dns\"\r\nabout.labels[\"qtype_name\"]=\"ANY\" OR about.labels[\"qtype_name\"]=\"AXFR\" OR about.labels[\"qtype_name\"]=\"IXFR\" OR about.labels[\"qtype_name\"]=\"TXT\"\r\noutcome:\r\n $unusual_qtypes=count(metadata.id)", "input": { "relativeTime": { 
@@ -3232,21 +3234,21 @@ "startTimeVal": "1" } }, - "etag": "8df39a3907ecd25327e308629c03f62fe6328270de7b049903bd6f75b5b15dac" + "etag": "14280db901665b040bacda299f9f198e928b35fc48fa96eec77cf8134ae822a5" }, { - "name": "3c771f58-d86c-4a86-82d0-c3e62a6de189", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\n$is_self_signed=if(security_result.description=\"self signed certificate\", \"yes\", \"no\")\r\n$is_self_signed=\"yes\"\r\ntarget.ip in cidr %internal_cidr_list //Is dest. ip is internal?\r\n$ssl_subject_common_name=network.tls.client.server_name\r\n$ssl_subject_common_name!=\"\"\r\noutcome:\r\n $count=count_distinct($ssl_subject_common_name)", + "name": "639ef081-fcb2-4363-9304-d2ef37353414", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nsecurity_result.description=\"self signed certificate\"\r\ntarget.ip in cidr %internal_cidr_list //Is dest. ip is internal?\r\n$ssl_subject_common_name=network.tls.client.server_name\r\n$ssl_subject_common_name!=\"\"\r\noutcome:\r\n $count=count_distinct($ssl_subject_common_name)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "c16e20bcc1e6689ad092bc5c71dd996678626bbfbc200140772401a548c3c1a3" + "etag": "649a2df6e9e4a34ec29752b2a341d237f66852c3340638885af6a02c4a11ebdd" }, { - "name": "8d96b21d-6480-4e60-b35c-f768c64b4c8c", + "name": "24bb0a2f-3170-4775-83e5-992d245b7013", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ftp\" \r\noutcome:\r\n $count_of_uids=count_distinct(network.session_id)", "input": { "relativeTime": { 
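Review bot: The rewritten self-signed query in this hunk now keys on an exact match, `security_result.description="self signed certificate"`, so any variant of that status string is silently dropped from the count. If the field carries the validation status as OpenSSL reports it, the chained form `self signed certificate in certificate chain` is a plausible second value this tile would miss; confirm against the data and, if so, use the prefix match form the file already uses elsewhere, `security_result.description=/^self signed certificate/`. The in-query comment carried over into the new line, `//Is dest. ip is internal?`, would read better as `// is the destination IP internal?`.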
@@ -3254,10 +3256,10 @@ "startTimeVal": "1" } }, - "etag": "6ce761e4652f6f10842b85770a49f4ed4e7f2ebed9dc8b2cdee3c2f50c444a9b" + "etag": "9973e68498a34dc63fccb8650fa102232d1e2dc692737b0af2bd3b2be1a47c14" }, { - "name": "f3b60823-6a86-45e1-86cd-2bd83550ff2d", + "name": "7993ca98-d5b7-4863-ba12-0e4ba9d37f6f", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"dns\"\r\n$country = if(target.ip_geo_artifact.location.country_or_region!=\"\", target.ip_geo_artifact.location.country_or_region, \"No Country\")\r\nmatch:\r\n $country\r\noutcome:\r\n $count = count(metadata.id)\r\norder:\r\n $count desc", "input": { "relativeTime": { @@ -3265,10 +3267,10 @@ "startTimeVal": "1" } }, - "etag": "0bd4b398ac8310f913d39c993a85ce9ecf5b8136d3f0009ca8c84815cd121098" + "etag": "a5939c6c166c2d3c58b6805ff04dbd74eb07a46f3ff515de06f8258a64993d95" }, { - "name": "8a0d36e4-d817-4a9c-8c34-2f41116e035d", + "name": "d22e092e-1faa-419d-89f1-609194a9ea5c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"etc_viz\" \r\nabout.labels[\"viz_stat\"]=\"C\" OR about.labels[\"viz_stat\"]=\"Cc\" OR about.labels[\"viz_stat\"]=\"C!\" OR about.labels[\"viz_stat\"]=\"cc\"\r\noutcome:\r\n $count_of_uids=count_distinct(network.session_id)", "input": { "relativeTime": { 
@@ -3276,10 +3278,10 @@ "startTimeVal": "1" } }, - "etag": "c415d8964b05b89185b08195205b2876995fe47f4764517ead074f90b0b4a80a" + "etag": "bc4969f5f9657d572e4e2f2a955b0343045d280b0f196ebfe56f2465fe6c00b7" }, { - "name": "b30c0a3b-0184-48dc-92bd-8f52cb59663f", + "name": "3435b82a-e901-4146-be36-68e5cbfef05c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\nprincipal.ip in cidr %internal_cidr_list \r\n$version_status=if(network.tls.version=\"TLSv13\", \"Most Secure\", \r\n if(network.tls.version=\"TLSv12\", \"Secure\",\r\n if(network.tls.version=\"DTLSv12\", \"Secure\",\r\n if(network.tls.version=\"unknown-64282\", \"Unknown\", \"Old Version\"\r\n ))))\r\nmatch:\r\n $version_status\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", "input": { "relativeTime": { 
@@ -3287,21 +3289,21 @@ "startTimeVal": "1" } }, - "etag": "a1227df60872a314059070abac7645324fe2e28ec8cd89f428ceee420076cfef" + "etag": "fc41b27fd80578d1cdc3865d6897aea36719609b988658d6631a2d724be13d9a" }, { - "name": "d3bc892e-ffa6-47e7-99a2-fd44d87afe05", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"smb_mapping\" OR metadata.product_event_type = \"smb_files\" \r\n$smb_version=if(target.port=139, \"SMBv1\", \r\n if(target.port=445, \"SMBv2_or_SMBv3\", \"Unknown\"\r\n ))\r\n$smb_version=\"SMBv1\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "name": "4c4cbe98-48bd-408c-8ee2-dc0c3d370837", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"smb_mapping\" OR metadata.product_event_type = \"smb_files\" \r\ntarget.port=139\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "5730705aeb35ab3a71f84cec82aa2e5f6c0dee0d9c066bd2ed0eda2b65f7d383" + "etag": "5435104e6f778d9abbf968445b25f6fd3de5cfbb0d7b5cccdcfefd0a013d8fa4" }, { - "name": "14e08e64-fb7b-4a91-8395-bbc6fdf84bee", + "name": "d99b0896-5888-4bef-9d8b-e7784d90d7d0", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= /^conn/\r\n$service=about.labels[\"service\"]\r\n$service!=\"\"\r\n$service!=\"ssl\" AND $service!=\"tls\" AND $service!=\"ssl,http\" AND $service!=\"http,ssl\" AND $service!=\"ssh\" AND $service!=\"https\" AND $service!=\"dtls\" AND $service!=\"ssl,xmpp\" AND $service!=\"spicy_ipsec_ike_udp\" AND $service!=\"spicy_ipsec_udp\" AND $service!=\"spicy_ipsec_ike_udp,spicy_ipsec_udp\" AND $service!=\"spicy_stun_tcp\" AND $service!=\"krb,krb_tcp\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $service\r\noutcome:\r\n $unencrypted_traffic_volume=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
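Review bot: The simplified SMB query in this hunk uses `target.port=139` as the SMBv1 signal, but port 139 only identifies the NetBIOS session transport; SMBv1 negotiated over 445 is not counted, and the removed `$smb_version` labelling at least made that assumption visible. If the SMB logs expose the negotiated dialect or version, filtering on that field would be more accurate; otherwise keep the caveat next to the query with an in-query comment, e.g. `target.port=139 // NetBIOS-session transport used as an SMBv1 proxy; SMBv1 over 445 is not counted`. The `//` comment syntax already appears inside other queries in this file, so this needs no new convention.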
@@ -3309,10 +3311,10 @@ "startTimeVal": "1" } }, - "etag": "be6d1f48baa2ca254674d729eeb62a5867b1e4a6811ca729fd98aab5e51964bb" + "etag": "18491d74e4446c00b237c39c33514d7e9ba3051bee57cd90750627df08a1f903" }, { - "name": "31bb7a4a-8e6e-47c9-817a-6570268fce17", + "name": "641baa8b-6b81-4a13-a184-e31eb9b4c3d8", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\" \r\noutcome:\r\n $count=count_distinct(target.ip)", "input": { "relativeTime": { 
@@ -3320,21 +3322,21 @@ "startTimeVal": "1" } }, - "etag": "57d9a88362313ec0ffa3060060e6d4bc46f90c287c4d1a7b8041ebe8e780fc14" + "etag": "335376b2cb2234486da4b9cffbf1c9cd2cc0d060ced2bf1f1ef42fb06d62d88d" }, { - "name": "777346ba-f77c-4cef-870b-92f80499f4ea", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\n$country = if(target.ip_geo_artifact.location.country_or_region!=\"\", target.ip_geo_artifact.location.country_or_region, \"No Country\")\r\n$country != \"No Country\"\r\nmatch:\r\n $country\r\noutcome:\r\n $count = count_distinct(target.ip)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "name": "58154165-78cd-4dae-b213-9e13b5329f40", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"vpn\"\r\ntarget.ip_geo_artifact.location.country_or_region!=\"\"\r\n$country = if(target.ip_geo_artifact.location.country_or_region!=\"\", target.ip_geo_artifact.location.country_or_region, \"No Country\")\r\nmatch:\r\n $country\r\noutcome:\r\n $count = count_distinct(target.ip)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "b71d134bc55ef2c86628306d797e7cc29ad43c2236a3a072116d95b711bd34a2" + "etag": "0621a74d6357b7e2f52e67b4e0afc70dd876fb5d16cfc859ab2c99449863ec19" }, { - "name": "399e87fc-f33e-4d12-ad28-7061bdc42554", + "name": "d97add35-add2-468a-b751-d51503f38203", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= \"dns\"\r\nabout.labels[\"rcode_name\"]=\"SERVFAIL\" OR about.labels[\"rcode_name\"]=\"REFUSED\" OR about.labels[\"rcode_name\"]=\"FORMERR\" OR about.labels[\"rcode_name\"]=\"NOTIMP\" OR about.labels[\"rcode_name\"]=\"NOTAUTH\"\r\noutcome:\r\n $dns_fails=count(about.labels[\"rcode_name\"])", "input": { "relativeTime": { 
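Review bot: The filter added to the VPN query in this hunk, `target.ip_geo_artifact.location.country_or_region!=""`, makes the `"No Country"` fallback in the following `$country = if(...)` line unreachable, so that conditional is now dead code. Collapse it to `$country = target.ip_geo_artifact.location.country_or_region`, or drop the new filter and keep the old `$country != "No Country"` guard; the two forms are effectively equivalent, and keeping both obscures the intent.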
@@ -3342,10 +3344,10 @@ "startTimeVal": "1" } }, - "etag": "18b05454ee522c23ba4e6f65680c0edb83b62fbd0a7f0d204cb28bb75a7a5581" + "etag": "1f6724dc7be299b2fb031a19a4ab56b4f95cf642941e7b4929697780780494df" }, { - "name": "3d4a44e2-1140-48cb-b63a-ddf263047fce", + "name": "451827c0-3f0b-4c03-bbb5-0d246841a494", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"notice\" \r\nsecurity_result.description = \"MeterpreterDetection::Meterpreter_Detected\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -3353,10 +3355,10 @@ "startTimeVal": "1" } }, - "etag": "281a45faea3b36b0e47f60a17f762cf0ee745c242f08d66c57c0cf4c7ac73a13" + "etag": "027c7af67d6ee6b51e0ac276c956115c2fa5269a8b7ca43988346ce64c4f44ca" }, { - "name": "7c2fb619-f74a-4b9d-92a6-86db4ab6b2f3", + "name": "ddc94ac8-5075-4246-b98e-18e2e5d0eb2d", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= \"dns\"\r\nabout.labels[\"rcode_name\"]=\"NXDOMAIN\" OR about.labels[\"rcode_name\"]=\"NOERROR\"\r\noutcome:\r\n $nxdomain_responses=count(metadata.id)", "input": { "relativeTime": { @@ -3364,10 +3366,10 @@ "startTimeVal": "1" } }, - "etag": "ec2686ab0880f499d09992483877d1f41c68cfa9154a6b8ffa15d22315a753a2" + "etag": "7fdbd4cf959ad0041af73d8481596b706642043d5e62dc257881ca9bf418a29c" }, { - "name": "08d4ab9e-5576-46ce-8572-a9f541a3f906", + "name": "eceaa386-3ed3-48d7-aadd-b8036a7b1f9d", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssl\" \r\n$version_status=if(network.tls.version=\"TLSv13\", \"Most Secure\", \r\n if(network.tls.version=\"TLSv12\", \"Secure\",\r\n if(network.tls.version=\"DTLSv12\", \"Secure\",\r\n if(network.tls.version=\"unknown-64282\", \"Unknown\", \"Old Version\"\r\n ))))\r\nmatch:\r\n $version_status\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", "input": { "relativeTime": { 
@@ -3375,10 +3377,10 @@ "startTimeVal": "1" } }, - "etag": "e91baa0eb15f31bbaabba1cdb9e8b1357bd08de26ab3b362504b82a39d8e9cf2" + "etag": "037e7248150886e5e791d9e39db2b5cdd12f340df08f647308eb49bf762163ab" }, { - "name": "f3928ccf-6d4c-4934-a62e-680389548846", + "name": "043c1924-2a96-459b-8077-23a3d2e75452", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\" \r\noutcome:\r\n $count=count_distinct(security_result.rule_id)", "input": { "relativeTime": { @@ -3386,10 +3388,10 @@ "startTimeVal": "1" } }, - "etag": "e369de11f1de7e3da67927d648fb077e91cd5a95f9f22fe1b5a583ccbbbb7348" + "etag": "67ccb9ef07996a421e0fb47bdbb05a9ffdecb47b2b3fdb52c6bf452cce11a5da" }, { - "name": "c0d12d77-8c3c-4051-8fb9-9c2d89228e6e", + "name": "1133d158-0843-4438-a4af-2649262dd6aa", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\" \r\noutcome:\r\n $count=count_distinct(principal.ip)", "input": { "relativeTime": { @@ -3397,10 +3399,10 @@ "startTimeVal": "1" } }, - "etag": "aaa8ff4a0e47b7521a88ebf6c100ab10420971032da4ae8c94e13e7682455a1f" + "etag": "dfb762b9330f568ebb6da7cd4a98bbead762e1d12914377919c5d7f5d2972243" }, { - "name": "837d3f9f-70db-43e1-a0cc-25f115b18033", + "name": "317700ac-2169-4087-9ce5-acf2d935913f", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type= \"dns\"\r\ntarget.port=53 OR target.port=5353\r\ntarget.ip!=\"\"\r\ntarget.ip in cidr %internal_cidr_list\r\noutcome:\r\n $number_of_internal_dns_servers=count_distinct(target.ip)", "input": { "relativeTime": { 
@@ -3408,10 +3410,10 @@ "startTimeVal": "1" } }, - "etag": "e83ac26a7fd62d7bb3bcdefc55a696140a7e4fef6b321016d86b3cec8e56b172" + "etag": "09e22c415da0772fc08604c612c3549675ed35fad58903337104002146a6ebc2" }, { - "name": "3a408f40-ce5e-410e-9d91-ba43b280fdb9", + "name": "deb83f58-2310-43f2-b30f-1d0dca4fc347", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"notice\" \r\nsecurity_result.description = \"SSL::Certificate_Expired\" OR security_result.description = \"SSL::Invalid_Server_Cert\" OR security_result.description = \"SSL::Old_Version\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { @@ -3419,10 +3421,10 @@ "startTimeVal": "1" } }, - "etag": "92a029c37abef35d87790fe9b15888c0acea8901c3ad3ff96f7922e4bb9fe304" + "etag": "278f93ff242a6f5e11cd0086c6567b2841c49a28a181795734bed662c4a08428" }, { - "name": "954c3b96-2575-41e5-80c0-b1aa61e2089c", + "name": "eed864f3-3baf-4629-8366-876a88ac9169", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"x509\" \r\n$days_to_expire = math.round((about.domain.last_https_certificate.validity.expiry_time.seconds - timestamp.current_seconds()) / 86400, 0)\r\n$days_to_expire > 0 AND $days_to_expire <= 15\r\noutcome:\r\n $distinct_certs=count_distinct(about.domain.last_https_certificate.thumbprint)", "input": { "relativeTime": { @@ -3430,7 +3432,7 @@ "startTimeVal": "1" } }, - "etag": "b2b113c6e6be078e7879c0242387fe6dc4c33787ff076f64913477b8390406ca" + "etag": "0889cf1d82d7dfefb67dfdf09701621920ebe2ebbc6d27e63761805ba3e25d1a" } ] } diff --git a/dashboards/Security Workflows/Corelight Suricata IDS Alert Overview.json b/dashboards/Security Workflows/Corelight Suricata IDS Alert Overview.json index dbaa683..c300c4f 100644 --- a/dashboards/Security Workflows/Corelight Suricata IDS Alert Overview.json +++ b/dashboards/Security Workflows/Corelight Suricata IDS Alert Overview.json 
@@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "2023e4ca-4a0c-4e4c-940b-92253c61dc3b", + "name": "6eb397b2-848a-44d9-92dd-961df3425508", "displayName": "Corelight → Security Workflows → Corelight Suricata IDS Alert Overview", "definition": { "filters": [ @@ -20,14 +20,14 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "9be43278-6525-4394-b353-5c3a96e6ffb2", - "68275b18-0396-4077-a932-8e9f4daa2a1a", - "8df944eb-c88b-40d1-8351-f1e9c6b54843", - "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", - "8a60d066-94f8-4792-bd7e-4e3cd4e2358a", - "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", - "eccad596-573b-4290-992e-a5843492bf93", - "e7fc4004-7bd1-463a-9819-5881692896fb" + "14bb3a9c-175d-474e-924e-442556432b07", + "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", + "85892ccd-ccdb-426e-833b-d934aa64175e", + "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", + "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9", + "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", + "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", + "cf5b88d7-99a9-4af9-a790-853ce1ed3059" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true @@ -46,14 +46,14 @@ ], "displayName": "Source IP", "chartIds": [ - "9be43278-6525-4394-b353-5c3a96e6ffb2", - "68275b18-0396-4077-a932-8e9f4daa2a1a", - "8df944eb-c88b-40d1-8351-f1e9c6b54843", - "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", - "8a60d066-94f8-4792-bd7e-4e3cd4e2358a", - "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", - "eccad596-573b-4290-992e-a5843492bf93", - "e7fc4004-7bd1-463a-9819-5881692896fb" + "14bb3a9c-175d-474e-924e-442556432b07", + "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", + "85892ccd-ccdb-426e-833b-d934aa64175e", + "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", + "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9", + "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", + "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", + "cf5b88d7-99a9-4af9-a790-853ce1ed3059" ] }, { 
@@ -70,14 +70,14 @@ ], "displayName": "Severity", "chartIds": [ - "9be43278-6525-4394-b353-5c3a96e6ffb2", - "68275b18-0396-4077-a932-8e9f4daa2a1a", - "8df944eb-c88b-40d1-8351-f1e9c6b54843", - "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", - "8a60d066-94f8-4792-bd7e-4e3cd4e2358a", - "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", - "eccad596-573b-4290-992e-a5843492bf93", - "e7fc4004-7bd1-463a-9819-5881692896fb" + "14bb3a9c-175d-474e-924e-442556432b07", + "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", + "85892ccd-ccdb-426e-833b-d934aa64175e", + "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", + "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9", + "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", + "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", + "cf5b88d7-99a9-4af9-a790-853ce1ed3059" ] }, { @@ -94,14 +94,14 @@ ], "displayName": "Category", "chartIds": [ - "9be43278-6525-4394-b353-5c3a96e6ffb2", - "68275b18-0396-4077-a932-8e9f4daa2a1a", - "8df944eb-c88b-40d1-8351-f1e9c6b54843", - "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", - "8a60d066-94f8-4792-bd7e-4e3cd4e2358a", - "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", - "eccad596-573b-4290-992e-a5843492bf93", - "e7fc4004-7bd1-463a-9819-5881692896fb" + "14bb3a9c-175d-474e-924e-442556432b07", + "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", + "85892ccd-ccdb-426e-833b-d934aa64175e", + "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", + "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9", + "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", + "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", + "cf5b88d7-99a9-4af9-a790-853ce1ed3059" ] }, { @@ -118,13 +118,13 @@ ], "displayName": "SID (For Log Details)", "chartIds": [ - "eccad596-573b-4290-992e-a5843492bf93" + "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13" ] } ], "charts": [ { - "dashboardChart": "8df944eb-c88b-40d1-8351-f1e9c6b54843", + "dashboardChart": "85892ccd-ccdb-426e-833b-d934aa64175e", "chartLayout": { "startX": 0, "spanX": 96, 
@@ -139,7 +139,7 @@ ] }, { - "dashboardChart": "8a60d066-94f8-4792-bd7e-4e3cd4e2358a", + "dashboardChart": "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9", "chartLayout": { "startX": 32, "spanX": 32, @@ -154,7 +154,7 @@ ] }, { - "dashboardChart": "9be43278-6525-4394-b353-5c3a96e6ffb2", + "dashboardChart": "14bb3a9c-175d-474e-924e-442556432b07", "chartLayout": { "startX": 0, "spanX": 32, @@ -169,7 +169,7 @@ ] }, { - "dashboardChart": "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", + "dashboardChart": "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", "chartLayout": { "startX": 64, "spanX": 32, @@ -184,7 +184,7 @@ ] }, { - "dashboardChart": "e7fc4004-7bd1-463a-9819-5881692896fb", + "dashboardChart": "cf5b88d7-99a9-4af9-a790-853ce1ed3059", "chartLayout": { "startX": 0, "spanX": 48, @@ -199,7 +199,7 @@ ] }, { - "dashboardChart": "68275b18-0396-4077-a932-8e9f4daa2a1a", + "dashboardChart": "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", "chartLayout": { "startX": 48, "spanX": 48, @@ -214,7 +214,7 @@ ] }, { - "dashboardChart": "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", + "dashboardChart": "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", "chartLayout": { "startX": 0, "spanX": 96, @@ -229,7 +229,7 @@ ] }, { - "dashboardChart": "eccad596-573b-4290-992e-a5843492bf93", + "dashboardChart": "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", "chartLayout": { "startX": 0, "spanX": 96, @@ -247,15 +247,15 @@ ] }, "type": "CUSTOM", - "etag": "d23a12a9e33b2c05e38e66906e6a4a537043106f2b32cefffc33c8233c3c2a66", + "etag": "2a113e903bb79582d5a41f03d3298151ff1a704026d3c04666f4438563e63ca1", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "a1c5e44b-e3d3-4597-8dd0-b0b233fac461", + "name": "e4ebc5b8-f646-48b2-b156-a7fa38ff9a26", "displayName": "Signature Analysis", "chartDatasource": { - "dashboardQuery": "a7ed7d9b-abf5-48aa-8469-e1167815330d", + "dashboardQuery": "cc976d60-7af6-4691-8811-e5ad171dbf26", "dataSources": [ "UDM" ] 
@@ -301,14 +301,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "1b59c19e2bdc9c232ca2524a80ea1147c3e3cbd7de1a0dcb52adba2063ff06df", + "etag": "35fea9bfdfcae9439bac04d42182e0ac78fa7725015d5afd885b248e0e236203", "drillDownConfig": {} }, { - "name": "eccad596-573b-4290-992e-a5843492bf93", + "name": "486ea6f8-f5fe-4e5b-afb0-4fd8fba49c13", "displayName": "Log Details", "chartDatasource": { - "dashboardQuery": "82a2dbd1-c548-4495-8610-6230c737227f", + "dashboardQuery": "85d7d5ee-7eee-4912-b481-12f6ccfdd9d2", "dataSources": [ "UDM" ] 
@@ -370,14 +370,66 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e9211bbff595706317bd4127a6db5905b670d3d6612657495ce050e2bc2bf5ae", - "drillDownConfig": {} + "etag": "ed3d6877ba919514726557c8194fe0e38fbda17039d5bbecde59cb5c7574cc79", + "drillDownConfig": { + "leftDrillDowns": [ + { + "id": "principal.ip", + "displayName": "Run Search on principal.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.ip", + "displayName": "Run Search on target.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.port", + "displayName": "Run Search on target.port", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "service", + "displayName": "Run Search on Service", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "security_result.rule_name", + "displayName": "Run Search on security_result.rule_name", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "security_result.rule_id", + "displayName": "Run Search on security_result.rule_id", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "uid", + "displayName": "Run Search on Session ID", + "defaultSettings": { + "enabled": true + } + } + ] + } }, { - "name": "68275b18-0396-4077-a932-8e9f4daa2a1a", + "name": "fc27bb00-555f-485d-9a2c-a72c1b4e37cb", "displayName": "Origin Summary", "chartDatasource": { - "dashboardQuery": "f55a5f8f-1a2f-4f38-b6f0-ff28ae25a028", + "dashboardQuery": "9481622e-422d-47e0-813e-efd87a0888d0", "dataSources": [ "UDM" ] 
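Review bot: The new `leftDrillDowns` in this hunk mix id conventions: five entries use full UDM paths (`principal.ip`, `security_result.rule_id`, ...) while `service` and `uid` are bare names, and the displayNames switch from `Run Search on ` followed by the field path to prose (`Run Search on Service`, `Run Search on Session ID`). If the `id` has to match a column produced by the Log Details chart's query, which is outside this hunk, confirm that `service` and `uid` resolve there; if they are meant to be UDM fields, the rest of this file reads those values as `about.labels["service"]` and `network.session_id`. Either way, pick one naming style for the displayNames so the drill-down menu is consistent.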
@@ -415,14 +467,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8d1791a0cda37507e78e31a0da3a0a170c93c03c995b46821b17b298c90acab3", + "etag": "7e9ae4c117cc99f9076dd118c70cc925235f0f554899d88f68ec3c98ed260048", "drillDownConfig": {} }, { - "name": "e7fc4004-7bd1-463a-9819-5881692896fb", + "name": "cf5b88d7-99a9-4af9-a790-853ce1ed3059", "displayName": "Category Analysis", "chartDatasource": { - "dashboardQuery": "5aa38ea5-5b01-4966-86b2-181dc034ef29", + "dashboardQuery": "41d1beea-ed17-427f-a466-41ebe713b91b", "dataSources": [ "UDM" ] @@ -456,14 +508,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "0a6706a06b5cb2691c12ce4b288ff5d4230f1e011402960750adebe8d01e41d9", + "etag": "e885577155c6eb1b280748a182026f3c114230248337ab23fea3468a29ed6269", "drillDownConfig": {} }, { - "name": "fefdb9c6-fe7f-4b37-8815-ce4fd06fcb04", + "name": "bfda3f23-25dd-48ed-bac6-0c2ca2faf452", "displayName": "Alerts with CVEs", "chartDatasource": { - "dashboardQuery": "1360c7cf-dc09-4b67-b906-73dae5c3a2df", + "dashboardQuery": "927f24cd-1958-422d-86cb-e553b0569f5a", "dataSources": [ "UDM" ] @@ -499,14 +551,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6e70bf83981f6ae8d21dad364077c957b9b5cb22afa69ee78b3fb02b05ce01fc", + "etag": "c727203bb56929a348c65ef66b386116fc69e1aaf629a372288935fc998c9204", "drillDownConfig": {} }, { - "name": "9be43278-6525-4394-b353-5c3a96e6ffb2", + "name": "14bb3a9c-175d-474e-924e-442556432b07", "displayName": "Unique Rules Alerting", "chartDatasource": { - "dashboardQuery": "51664daa-e420-42fb-84a5-1fcbc3b256b6", + "dashboardQuery": "227f0e2d-e423-4d46-9ecb-e48556e2389e", "dataSources": [ "UDM" ] 
@@ -542,14 +594,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "9a0d74e74d6a298f974a10bfe56eb0005aea7d6f8e514ff5883c1c2d1abae375",
+ "etag": "ec1a5ce36894d1bee7169766dc220dca831f88b3cd9f35c9051f33466c23b25a",
 "drillDownConfig": {}
 },
 {
- "name": "8a60d066-94f8-4792-bd7e-4e3cd4e2358a",
+ "name": "2c9f7eb0-5d00-46b4-bed4-cfdaf5c2aae9",
 "displayName": "Total IDS Hits",
 "chartDatasource": {
- "dashboardQuery": "a2a3195f-9cea-46a7-bfa6-9cb09a3d42f3",
+ "dashboardQuery": "a3490f39-7626-4e3d-a702-bffa5f322e94",
 "dataSources": [
 "UDM"
 ]
@@ -585,14 +637,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "150f9fd7b7a68ef8b28bb6823abcced0108eb54ff15ca903991b65a7d3d4f28f",
+ "etag": "df1d7b780567620ee628a54175a89271251ef8fd04b70ea671eda12544972775",
 "drillDownConfig": {}
 },
 {
- "name": "8df944eb-c88b-40d1-8351-f1e9c6b54843",
+ "name": "85892ccd-ccdb-426e-833b-d934aa64175e",
 "displayName": "IDS Hits Over Time",
 "chartDatasource": {
- "dashboardQuery": "269b11f2-5237-4d71-9849-d177828e4dbf",
+ "dashboardQuery": "db6ea139-ad01-431d-b609-dc9e45999c39",
 "dataSources": [
 "UDM"
 ]
@@ -633,13 +685,13 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "f110e30b8ddf81db735237149ce18df291522f414e3b38d105a8a25857732bd6",
+ "etag": "5973726181799b08c9d513beee5b5d98d195cfc263ad6a1228dce1e4290060ec",
 "drillDownConfig": {}
 }
 ],
 "dashboardQueries": [
 {
- "name": "a2a3195f-9cea-46a7-bfa6-9cb09a3d42f3",
+ "name": "a3490f39-7626-4e3d-a702-bffa5f322e94",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\noutcome:\r\n $count=count_distinct(metadata.id)",
 "input": {
 "relativeTime": {
@@ -647,10 +699,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "c3fe1f9ba887dd26f49402b6304a7f27b01b01941bdf0235b1c7a63b10e2692c"
+ "etag": "2d786cd8c4e8fb15bde58220cde1e610e01bffac463e55835a91c0d946f85f8a"
 },
 {
- "name": "269b11f2-5237-4d71-9849-d177828e4dbf",
+ "name": "db6ea139-ad01-431d-b609-dc9e45999c39",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc",
 "input": {
 "relativeTime": {
@@ -658,32 +710,32 @@ "startTimeVal": "1" } }, - "etag": "46ff4698a4fa137d8ad277a1d311238740758577a75314af2cbecb2867aee160" + "etag": "8e7ac529c5c3da471ba170ff413608ef78296347f4d3e4e6cd7f7e2b4a226e77" }, { - "name": "a7ed7d9b-abf5-48aa-8469-e1167815330d", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\n$severity=if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Informational\",\"Informational\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Critical\",\"Critical\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Major\",\"Medium\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Minor\", \"Low\", \"Unknown\"))))\r\n$severity!=\"Unknown\"\r\nsecurity_result.category_details!=\"\"\r\nmatch:\r\n $severity, security_result.rule_name, security_result.rule_id\r\noutcome:\r\n $source_count=count_distinct(principal.ip)\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $source_count desc, $count desc", + "name": "cc976d60-7af6-4691-8811-e5ad171dbf26", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\n(security_result.rule_labels.key = \"signature_severity\" AND (security_result.rule_labels.value = \"Informational\" OR security_result.rule_labels.value = \"Critical\" OR security_result.rule_labels.value = \"Major\" OR security_result.rule_labels.value = \"Minor\"))\r\n$severity=if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Informational\",\"Informational\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Critical\",\"Critical\",\r\n if(security_result.rule_labels.key = 
\"signature_severity\" AND security_result.rule_labels.value = \"Major\",\"Medium\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Minor\", \"Low\", \"Unknown\"))))\r\nsecurity_result.category_details!=\"\"\r\nmatch:\r\n $severity, security_result.rule_name, security_result.rule_id\r\noutcome:\r\n $source_count=count_distinct(principal.ip)\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $source_count desc, $count desc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "3b79fbabd169556fc428e99f19436b37b478c7785e42856715ed8e94960c5994" + "etag": "3d1754da5038f6c60e73d7210f2f11cb346c8ca3143a93491c04ef64ece54357" }, { - "name": "82a2dbd1-c548-4495-8610-6230c737227f", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\n$severity=if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Informational\",\"Informational\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Critical\",\"Critical\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Major\",\"Medium\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Minor\", \"Low\", \"Unknown\"))))\r\n$severity!=\"Unknown\"\r\nsecurity_result.category_details!=\"\"\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\n$service=about.labels[\"service\"]\r\n$uid=network.session_id\r\nmatch:\r\n $time, principal.ip, target.ip, target.port, $service, $severity, security_result.rule_name, security_result.rule_id, $uid\r\norder:\r\n $time desc", + "name": "85d7d5ee-7eee-4912-b481-12f6ccfdd9d2", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\n(security_result.rule_labels.key = \"signature_severity\" AND (security_result.rule_labels.value = \"Informational\" OR security_result.rule_labels.value = \"Critical\" OR security_result.rule_labels.value = \"Major\" OR security_result.rule_labels.value = \"Minor\"))\r\n$severity=if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Informational\",\"Informational\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Critical\",\"Critical\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Major\",\"Medium\",\r\n if(security_result.rule_labels.key = \"signature_severity\" AND security_result.rule_labels.value = \"Minor\", \"Low\", \"Unknown\"))))\r\nsecurity_result.category_details!=\"\"\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\n$service=about.labels[\"service\"]\r\n$uid=network.session_id\r\nmatch:\r\n $time, principal.ip, target.ip, target.port, $service, $severity, security_result.rule_name, security_result.rule_id, $uid\r\norder:\r\n $time desc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "48b9359d50675e3fe879b5558691e5d800cac3e14e233d4c0f0cf39074746631" + "etag": "29252668ab4e09a774c40f379e50e4dc813ca369416881b3a1db0071c5a787ed" }, { - "name": "f55a5f8f-1a2f-4f38-b6f0-ff28ae25a028", + "name": "9481622e-422d-47e0-813e-efd87a0888d0", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $signature_count=count_distinct(security_result.rule_name)\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $signature_count desc, $count desc", "input": { "relativeTime": { 
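Review bot: In the rewritten `cc976d60…` and `85d7d5ee…` queries the new pre-filter `(security_result.rule_labels.key = "signature_severity" AND (... = "Informational" OR ... = "Critical" OR ... = "Major" OR ... = "Minor"))` admits only the four mapped values, so the trailing `"Unknown"` branch of the `$severity` if-ladder is now unreachable; the removed `$severity!="Unknown"` line was the only thing that gave that branch a purpose, and keeping the fallback suggests to the next reader that unlabelled alerts still flow through. Either the ladder should shrink to the four mapped values or the fallback should be given a reachable meaning, but not both kept as-is. The ladder also still maps `"Major"` to `"Medium"` while the other three keep their label names, so the chart legend shows a value that never appears in the data; that deserves a line in the chart `description` since this JSON cannot carry comments. Both query objects are complete within this hunk, which spans three physical lines on this page; the `dashboardQueries` array they sit in starts above it.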
@@ -691,10 +743,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "042823f21176ace8fc1e6a403b593be0f31466b1b7c66521eeb6dd860a9dc8c0"
+ "etag": "1a12acc3b30082d3ab0ffdb298dcef25a94c1a7c93895aa63a71202c52c335e8"
 },
 {
- "name": "5aa38ea5-5b01-4966-86b2-181dc034ef29",
+ "name": "41d1beea-ed17-427f-a466-41ebe713b91b",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\nmatch:\r\n security_result.category_details\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
@@ -702,10 +754,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "509d1edcd7605645d0839c8e383779ba14299b67af54d7079ee24f861f646668"
+ "etag": "668be7b18fefc7dfcc8d5ab1ae6ea7844c90266381ed0d895f8639495a3b7c48"
 },
 {
- "name": "1360c7cf-dc09-4b67-b906-73dae5c3a2df",
+ "name": "927f24cd-1958-422d-86cb-e553b0569f5a",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\nstrings.contains(security_result.summary, \"CVE\") OR strings.contains(re.capture(security_result.description, \"metadata:([^;]+)\"), \"CVE\")\r\noutcome:\r\n $count=count_distinct(metadata.id)",
 "input": {
 "relativeTime": {
@@ -713,10 +765,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "0c7888bf65a9c6bbe3affeb4cb7c5fbbb85f47622d7381bd9cb45b7e6a10ec25"
+ "etag": "fab6dde8735f5595b2d81f0ef22469ca1acb2f1720ac17a3f4669335e4b12601"
 },
 {
- "name": "51664daa-e420-42fb-84a5-1fcbc3b256b6",
+ "name": "227f0e2d-e423-4d46-9ecb-e48556e2389e",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"suricata_corelight\"\r\nprincipal.ip!=\"\"\r\nadditional.fields.key = \"alert_severity\"\r\nsecurity_result.category_details!=\"\"\r\noutcome:\r\n $count=count_distinct(security_result.rule_name)",
 "input": {
 "relativeTime": {
@@ -724,7 +776,7 @@
 "startTimeVal": "1"
 }
 },
- "etag": "76eb75b3f2e32946e878bca371f59db74e14245e85b33f63b05ccfa0c15fb114"
+ "etag": "eed89900751f81abe723e7101646506b1f1add4d8247229fe629b5f2abd52c55"
 }
 ]
 }
diff --git a/dashboards/Security Workflows/IP Interrogation.json b/dashboards/Security Workflows/IP Interrogation.json
index 84a0da1..7de185d 100644
--- a/dashboards/Security Workflows/IP Interrogation.json
+++ b/dashboards/Security Workflows/IP Interrogation.json
@@ -2,7 +2,7 @@
 "dashboards": [
 {
 "dashboard": {
- "name": "81579185-817b-4ec8-b522-70fdafabaa4f",
+ "name": "1d34f0f5-f088-4744-b725-3d923368969b",
 "displayName": "Corelight → Security Workflows → IP Interrogation",
 "definition": {
 "filters": [
@@ -20,13 +20,13 @@
 ],
 "displayName": "Global Time Filter",
 "chartIds": [
- "dc35771b-2b24-41bc-b41a-af54b8733c46",
- "92a31f16-453e-4f37-810d-761c5e0c8027",
- "ec71d919-aeb9-4191-92a1-17c6c327c825",
- "9aff7e56-9cf0-4a42-9e73-99278d4c5cb9",
- "8a236d64-3ec8-4b46-bb60-11223cba9d27",
- "554624f4-c079-4a91-a87e-66ace378a9b4",
- "d7f27045-0054-4eae-b43f-b8bb9a559d06"
+ "7b891adc-888d-4dc5-8e9e-42daebf853e0",
+ "489d2455-211e-42eb-919a-c142d8915bc0",
+ "e2118b78-0dbe-4666-a611-d13380ecb834",
+ "418e2d99-58f4-4842-8520-7930ad96b434",
+ "756c9000-89ce-4d8f-b76f-560606b12068",
+ "6dd03259-c4f7-469f-8da4-6255dfdd7a78",
+ "3f242673-d9be-4c12-8c81-04d26e87539e"
 ],
 "isStandardTimeRangeFilter": true,
 "isStandardTimeRangeFilterEnabled": true
@@ -45,13 +45,13 @@
 ],
 "displayName": "Source IP",
 "chartIds": [
- "dc35771b-2b24-41bc-b41a-af54b8733c46",
- "92a31f16-453e-4f37-810d-761c5e0c8027",
- "ec71d919-aeb9-4191-92a1-17c6c327c825",
- "9aff7e56-9cf0-4a42-9e73-99278d4c5cb9",
- "8a236d64-3ec8-4b46-bb60-11223cba9d27",
- "554624f4-c079-4a91-a87e-66ace378a9b4",
- "d7f27045-0054-4eae-b43f-b8bb9a559d06"
+ "7b891adc-888d-4dc5-8e9e-42daebf853e0",
+ "489d2455-211e-42eb-919a-c142d8915bc0",
+ "e2118b78-0dbe-4666-a611-d13380ecb834",
+ "418e2d99-58f4-4842-8520-7930ad96b434",
+ "756c9000-89ce-4d8f-b76f-560606b12068",
+ "6dd03259-c4f7-469f-8da4-6255dfdd7a78",
+ "3f242673-d9be-4c12-8c81-04d26e87539e"
 ]
 },
 {
@@ -68,19 +68,19 @@ ], "displayName": "Destination IP", "chartIds": [ - "92a31f16-453e-4f37-810d-761c5e0c8027", - "dc35771b-2b24-41bc-b41a-af54b8733c46", - "ec71d919-aeb9-4191-92a1-17c6c327c825", - "9aff7e56-9cf0-4a42-9e73-99278d4c5cb9", - "8a236d64-3ec8-4b46-bb60-11223cba9d27", - "554624f4-c079-4a91-a87e-66ace378a9b4", - "d7f27045-0054-4eae-b43f-b8bb9a559d06" + "489d2455-211e-42eb-919a-c142d8915bc0", + "7b891adc-888d-4dc5-8e9e-42daebf853e0", + "e2118b78-0dbe-4666-a611-d13380ecb834", + "418e2d99-58f4-4842-8520-7930ad96b434", + "756c9000-89ce-4d8f-b76f-560606b12068", + "6dd03259-c4f7-469f-8da4-6255dfdd7a78", + "3f242673-d9be-4c12-8c81-04d26e87539e" ] } ], "charts": [ { - "dashboardChart": "554624f4-c079-4a91-a87e-66ace378a9b4", + "dashboardChart": "6dd03259-c4f7-469f-8da4-6255dfdd7a78", "chartLayout": { "startX": 0, "spanX": 47, @@ -94,7 +94,7 @@ ] }, { - "dashboardChart": "ec71d919-aeb9-4191-92a1-17c6c327c825", + "dashboardChart": "e2118b78-0dbe-4666-a611-d13380ecb834", "chartLayout": { "startX": 0, "spanX": 96, @@ -108,7 +108,7 @@ ] }, { - "dashboardChart": "dc35771b-2b24-41bc-b41a-af54b8733c46", + "dashboardChart": "7b891adc-888d-4dc5-8e9e-42daebf853e0", "chartLayout": { "startX": 0, "spanX": 96, @@ -122,7 +122,7 @@ ] }, { - "dashboardChart": "8a236d64-3ec8-4b46-bb60-11223cba9d27", + "dashboardChart": "756c9000-89ce-4d8f-b76f-560606b12068", "chartLayout": { "startX": 0, "spanX": 48, @@ -136,7 +136,7 @@ ] }, { - "dashboardChart": "92a31f16-453e-4f37-810d-761c5e0c8027", + "dashboardChart": "489d2455-211e-42eb-919a-c142d8915bc0", "chartLayout": { "startX": 0, "spanX": 96, @@ -150,7 +150,7 @@ ] }, { - "dashboardChart": "9aff7e56-9cf0-4a42-9e73-99278d4c5cb9", + "dashboardChart": "418e2d99-58f4-4842-8520-7930ad96b434", "chartLayout": { "startX": 48, "spanX": 48, @@ -164,7 +164,7 @@ ] }, { - "dashboardChart": "d7f27045-0054-4eae-b43f-b8bb9a559d06", + "dashboardChart": "3f242673-d9be-4c12-8c81-04d26e87539e", "chartLayout": { "startX": 47, "spanX": 49, 
@@ -180,15 +180,15 @@
 ]
 },
 "type": "CUSTOM",
- "etag": "dbfd83bfe2e238d30c839625ee748652c2ea2df3cb679fba8a59a4d41dd74dc4",
+ "etag": "edc7b06502716d498f6da69f85e1bb09fb074a33ac91eab08abe57364fd8551f",
 "access": "DASHBOARD_PRIVATE"
 },
 "dashboardCharts": [
 {
- "name": "9aff7e56-9cf0-4a42-9e73-99278d4c5cb9",
+ "name": "418e2d99-58f4-4842-8520-7930ad96b434",
 "displayName": "HTTP: Web Ports Breakdown",
 "chartDatasource": {
- "dashboardQuery": "3c9cc012-2110-43f1-8b30-d2487ce96a12",
+ "dashboardQuery": "a0819eea-c239-4aef-b5b0-6dcc8113380e",
 "dataSources": [
 "UDM"
 ]
@@ -222,13 +222,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "38c8ab7e3a1c05c6bfd71749905bfb0916887a3b5b394d3cb8f2d96beaa73a7a"
+ "etag": "9e68ee386eb11a0929188e66ba1d360a96c54027d8ee6fe71c31a5b97f94a89f",
+ "drillDownConfig": {}
 },
 {
- "name": "d7f27045-0054-4eae-b43f-b8bb9a559d06",
+ "name": "3f242673-d9be-4c12-8c81-04d26e87539e",
 "displayName": "Connections: Internal vs External",
 "chartDatasource": {
- "dashboardQuery": "2b126217-9e93-4012-9e08-1954ccfd19b6",
+ "dashboardQuery": "fab8ba14-5a40-4fd2-8aed-4e5da165106e",
 "dataSources": [
 "UDM"
 ]
@@ -241,13 +242,47 @@
 "value": "count",
 "itemName": "is_internal_external"
 },
- "dataLabel": {},
+ "dataLabel": {
+ "show": true
+ },
 "radius": [
 "0%",
 "70%"
 ],
 "itemStyle": {
- "color": "undefined"
+ "color": "b=>{const {map:c}=RIf(this.theme);b=YJf(b,qJf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}"
+ },
+ "itemColors": {
+ "colors": [
+ {
+ "key": "Internal",
+ "value": {
+ "color": "#1a73e8",
+ "label": "Internal"
+ }
+ },
+ {
+ "key": "External",
+ "value": {
+ "color": "#eb730a",
+ "label": "External"
+ }
+ },
+ {
+ "key": "Outbound",
+ "value": {
+ "color": "#10a3b7",
+ "label": "Outbound"
+ }
+ },
+ {
+ "key": "Inbound",
+ "value": {
+ "color": "#ec453b",
+ "label": "Inbound"
+ }
+ }
+ ]
 }
 }
 ],
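Review bot: The `itemStyle.color` value added in the `Connections: Internal vs External` hunk is a stringified JavaScript arrow function (`b=>{const {map:c}=RIf(this.theme);…}`) captured from the exporting UI's form model, not a color, and the `"color": "undefined"` added in the `Connections: Top Non-Web Protocol Usage` hunk further down is the same kind of artifact (a JS `undefined` serialized as a string). Neither is a valid color, and the per-slice colors are already carried by the new `itemColors.colors` entries, so `itemStyle` should be dropped from both charts or set to a concrete value such as `"color": "#1a73e8"`. Running the export through a cleanup pass before commit would also keep the tool's internal minified identifiers out of a shared dashboard definition, where they only confuse the next reader and drift with every export.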
@@ -270,13 +305,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "5a402ee73e48000496399ede4f0d0cf98d8b73eff22ac058fd557cc72b9abe71"
+ "etag": "87e71cbb4c74173c759b41ef67a7a918e316e0852c24cfb62f0afbf28e243606",
+ "drillDownConfig": {}
 },
 {
- "name": "92a31f16-453e-4f37-810d-761c5e0c8027",
+ "name": "489d2455-211e-42eb-919a-c142d8915bc0",
 "displayName": "HTTP: Rare User Agents",
 "chartDatasource": {
- "dashboardQuery": "fa01e337-69af-480e-bcf5-9e058ef56d35",
+ "dashboardQuery": "0c85a531-d72d-4c42-9188-a0820157fc8a",
 "dataSources": [
 "UDM"
 ]
@@ -318,14 +354,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "d9422a58ed585a54777befb7b8581e938b606ae672c8ca0a9ab373315bd20c8c"
+ "etag": "87e3bd79430a81fe6713c5bd1643d0a281e610c102cec30ce4ff0ef18e750e63"
 },
 {
- "name": "8a236d64-3ec8-4b46-bb60-11223cba9d27",
+ "name": "756c9000-89ce-4d8f-b76f-560606b12068",
 "displayName": "Corelight Data Sets",
 "description": "Corelight Supporting Data Sources for Source",
 "chartDatasource": {
- "dashboardQuery": "d8684b03-2bf9-4d8b-af5b-b8ebbc848fb8",
+ "dashboardQuery": "cd016dff-9dba-42de-8301-29c12c494878",
 "dataSources": [
 "UDM"
 ]
@@ -367,13 +403,13 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "99c62bbb836ae46d2ff09f2c09e2294a3f576204f766d99348939a4a0cda9edd"
+ "etag": "0bd9a2b375d248e798019999b8e1a77243c1ed9020f24f85862b4ccdab9596df"
 },
 {
- "name": "554624f4-c079-4a91-a87e-66ace378a9b4",
+ "name": "6dd03259-c4f7-469f-8da4-6255dfdd7a78",
 "displayName": "Connections: Top Non-Web Protocol Usage",
 "chartDatasource": {
- "dashboardQuery": "e5444f7b-136c-4d46-8987-f940185b7f44",
+ "dashboardQuery": "f92ee604-5166-4562-9bd3-a79a1dda7754",
 "dataSources": [
 "UDM"
 ]
@@ -381,12 +417,17 @@
 "visualization": {
 "series": [
 {
+ "seriesName": "none",
 "seriesType": "BAR",
 "encode": {
 "x": "protocol",
 "y": "count"
 },
- "dataLabel": {}
+ "dataLabel": {},
+ "itemStyle": {
+ "color": "undefined"
+ },
+ "seriesUniqueValue": "none"
 }
 ],
 "xAxes": [
@@ -397,7 +438,7 @@
 ],
 "yAxes": [
 {
- "axisType": "VALUE",
+ "axisType": "CATEGORY",
 "displayName": "Count"
 }
 ],
@@ -409,13 +450,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "669decb2f1ceff0d4e592dc374111d9340f8c55e9c549a356bbc3afeb32017af"
+ "etag": "ef05c3c20a3a27e8ae9f72bb484e6e38c30273d54836eac175a9e5f0a16022a9",
+ "drillDownConfig": {}
 },
 {
- "name": "ec71d919-aeb9-4191-92a1-17c6c327c825",
+ "name": "e2118b78-0dbe-4666-a611-d13380ecb834",
 "displayName": "Connections: Top Connections/Services by Bytes Transferred",
 "chartDatasource": {
- "dashboardQuery": "6cf78168-e340-471d-b18c-99b57535f32d",
+ "dashboardQuery": "1522ae0b-b072-4e83-b323-39345f5775dd",
 "dataSources": [
 "UDM"
 ]
@@ -469,14 +511,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "3465246fbfdff589fd74a920d75c7efac158e50e1c86437342e71d8e89287d8a",
+ "etag": "1b26a197d9bf79df67eadb60f9ab69a72e21c975f77f8c905d5d5981c62d2174",
 "drillDownConfig": {}
 },
 {
- "name": "dc35771b-2b24-41bc-b41a-af54b8733c46",
+ "name": "7b891adc-888d-4dc5-8e9e-42daebf853e0",
 "displayName": "HTTP: Top Destination IP, Method & URI",
 "chartDatasource": {
- "dashboardQuery": "cafbec59-13a2-4f6f-bbbd-88b8ab6da7bc",
+ "dashboardQuery": "c0e13934-db77-4823-a241-20ced5aecb1c",
 "dataSources": [
 "UDM"
 ]
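Review bot: The `yAxes[0].axisType` flip from `"VALUE"` to `"CATEGORY"` in the `@@ -397,7 +438,7 @@` hunk looks unintended: the axis is labelled `Count`, the series encodes the numeric `count` outcome of the `f92ee604…` query on `y`, and the `BAR` chart shape with a `CATEGORY` x-axis and a `VALUE` y-axis is what the removed Log Hunting section at the bottom of this page uses for the same kind of count chart. Unless the chart was deliberately turned into a horizontal bar, I would revert to `"axisType": "VALUE"`. The added `"seriesName": "none"` / `"seriesUniqueValue": "none"` pair is the same shape the Log Hunting export carries, so that part reads as the tool's current output format rather than a behavioural change; the `"color": "undefined"` artifact is covered in the note on the Internal vs External hunk above.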
@@ -522,56 +564,57 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "391b4d9ddfa4baf931d3bc13beca5b8fb52a4dbc04464c130d9da068d1f719d0" + "etag": "6301cd0d4cbd3d4d0b7b295eb6758f8461214368f72172e2c6db14062a6c00a1", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "6cf78168-e340-471d-b18c-99b57535f32d", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = /^conn/\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\n$country_len=strings.length(target.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(target.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\n$is_broadcast=if(principal.ip=\"0.0.0.0\" OR principal.ip=\"255.255.255.255\" OR target.ip=\"255.255.255.255\" OR target.ip=\"0.0.0.0\",\"true\",\"false\")\r\n$is_broadcast=\"false\"\r\n$principal_ip=principal.ip\r\n$target_ip=target.ip\r\n$target_ip != \"192.168.0.255\"\r\n$uid=network.session_id\r\n$protocol=if(network.ip_protocol = 88, strings.concat(\"EIGRP/\",target.port),\r\n if(network.ip_protocol = 50, strings.concat(\"ESP/\",target.port),\r\n if(network.ip_protocol = 97, strings.concat(\"ETHERIP/\",target.port),\r\n if(network.ip_protocol = 47, strings.concat(\"GRE/\",target.port),\r\n if(network.ip_protocol = 1, strings.concat(\"ICMP/\",target.port),\r\n if(network.ip_protocol = 58, strings.concat(\"ICMP6/\",target.port),\r\n if(network.ip_protocol = 2, strings.concat(\"IGMP/\",target.port),\r\n if(network.ip_protocol = 41, strings.concat(\"IP6IN4/\",target.port),\r\n if(network.ip_protocol = 103, strings.concat(\"PIM/\",target.port),\r\n if(network.ip_protocol = 132, strings.concat(\"SCTP/\",target.port),\r\n if(network.ip_protocol = 6, strings.concat(\"TCP/\",target.port),\r\n if(network.ip_protocol = 17, strings.concat(\"UDP/\",target.port),\r\n if(network.ip_protocol = 0, strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port),\r\n if(network.ip_protocol = 112, 
strings.concat(\"VRRP/\",target.port),\r\n strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port)))))))))))))))\r\n$hostname=if(target.ip_geo_artifact.network.dns_domain=\"\", \"Unknown\", target.ip_geo_artifact.network.dns_domain)\r\nmatch:\r\n $principal_ip, $target_ip, $protocol, $uid, $hostname,target.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $total_bytes=sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]) + cast.as_float(target.labels[\"resp_ip_bytes\"]))\r\norder:\r\n $total_bytes desc\r\nlimit:\r\n 10", + "name": "1522ae0b-b072-4e83-b323-39345f5775dd", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = /^conn/\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\n$country_len=strings.length(target.ip_geo_artifact.location.country_or_region)\r\n$host_len=strings.length(target.ip_geo_artifact.network.dns_domain)\r\n($host_len=0 AND $country_len=0) OR $host_len > 0\r\nprincipal.ip!=\"0.0.0.0\" AND principal.ip!=\"255.255.255.255\" AND target.ip!=\"255.255.255.255\" AND target.ip!=\"0.0.0.0\"\r\n$principal_ip=principal.ip\r\n$target_ip=target.ip\r\n$target_ip != \"192.168.0.255\"\r\n$uid=network.session_id\r\n$protocol=if(network.ip_protocol = 88, strings.concat(\"EIGRP/\",target.port),\r\n if(network.ip_protocol = 50, strings.concat(\"ESP/\",target.port),\r\n if(network.ip_protocol = 97, strings.concat(\"ETHERIP/\",target.port),\r\n if(network.ip_protocol = 47, strings.concat(\"GRE/\",target.port),\r\n if(network.ip_protocol = 1, strings.concat(\"ICMP/\",target.port),\r\n if(network.ip_protocol = 58, strings.concat(\"ICMP6/\",target.port),\r\n if(network.ip_protocol = 2, strings.concat(\"IGMP/\",target.port),\r\n if(network.ip_protocol = 41, strings.concat(\"IP6IN4/\",target.port),\r\n if(network.ip_protocol = 103, strings.concat(\"PIM/\",target.port),\r\n if(network.ip_protocol = 132, strings.concat(\"SCTP/\",target.port),\r\n if(network.ip_protocol = 6, strings.concat(\"TCP/\",target.port),\r\n if(network.ip_protocol = 
17, strings.concat(\"UDP/\",target.port),\r\n if(network.ip_protocol = 0, strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port),\r\n if(network.ip_protocol = 112, strings.concat(\"VRRP/\",target.port),\r\n strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port)))))))))))))))\r\n$hostname=if(target.ip_geo_artifact.network.dns_domain=\"\", \"Unknown\", target.ip_geo_artifact.network.dns_domain)\r\nmatch:\r\n $principal_ip, $target_ip, $protocol, $uid, $hostname,target.ip_geo_artifact.location.country_or_region\r\noutcome:\r\n $total_bytes=sum(cast.as_float(principal.labels[\"orig_ip_bytes\"]) + cast.as_float(target.labels[\"resp_ip_bytes\"]))\r\norder:\r\n $total_bytes desc\r\nlimit:\r\n 10", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "58cc060af942ebdbe1c9f42bad275f183cee21c7dc646d55619f009f855f2e53" + "etag": "2a7cda3b6cc297e17334981977c2351df64a9ad2256bfead83c2cc50c6f0af28" }, { - "name": "cafbec59-13a2-4f6f-bbbd-88b8ab6da7bc", + "name": "c0e13934-db77-4823-a241-20ced5aecb1c", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = /^http/\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\n$principal_ip=principal.ip\r\n$target_ip=target.ip\r\n$method=network.http.method\r\n$uri=target.url\r\nmatch:\r\n $target_ip, $principal_ip, $method, $uri\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { - "timeWindow": { - "startTime": "2025-03-26T00:00:00Z", - "endTime": "2025-03-27T06:27:04.388Z" + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" } }, - "etag": "a5a962889992b6f2e1d4eeca189c6bcf3c9c9dbc948d8d5d32549242d9553b4f" + "etag": "6bd8b13a54b6539ff73be184fe5fe3573a81455eca692355cbfcd158e8d8ca18" }, { - "name": "3c9cc012-2110-43f1-8b30-d2487ce96a12", + "name": "a0819eea-c239-4aef-b5b0-6dcc8113380e", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"http\"\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\ntarget.port = 
80 OR target.port = 8080 OR target.port = 443\r\nmatch:\r\n target.port\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { - "timeWindow": { - "startTime": "2025-03-26T00:00:00Z", - "endTime": "2025-03-27T06:30:07.579Z" + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" } }, - "etag": "750212de724c174ad14976a62f93db545114a9afd6c8e627feabad19d6e4da86" + "etag": "e8aea133adf369c1b92bcb60d9e1af77fba42f5efb9315cec7fe45bd3f179866" }, { - "name": "2b126217-9e93-4012-9e08-1954ccfd19b6", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nprincipal.ip != \"\" OR target.ip != \"\"\r\n$is_internal_external=if(about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"true\", \"Internal\", \r\n if(about.labels[\"local_resp\"] = \"false\" AND about.labels[\"local_orig\"] = \"false\", \"External\",\r\n if(about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"false\", \"Inbound\",\r\n if(about.labels[\"local_resp\"] = \"false\" AND about.labels[\"local_orig\"] = \"true\", \"Outbound\", \"Unknown\"\r\n ))))\r\n$is_internal_external!=\"Unknown\"\r\nmatch:\r\n $is_internal_external\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "name": "fab8ba14-5a40-4fd2-8aed-4e5da165106e", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"conn\" \r\nprincipal.ip != \"\" OR target.ip != \"\"\r\n(about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"true\") OR (about.labels[\"local_resp\"] = \"false\" AND about.labels[\"local_orig\"] = \"false\") OR (about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"false\") OR (about.labels[\"local_resp\"] = \"false\" AND about.labels[\"local_orig\"] = \"true\")\r\n$is_internal_external=if(about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"true\", \"Internal\", \r\n if(about.labels[\"local_resp\"] = 
\"false\" AND about.labels[\"local_orig\"] = \"false\", \"External\",\r\n if(about.labels[\"local_resp\"] = \"true\" AND about.labels[\"local_orig\"] = \"false\", \"Inbound\",\r\n if(about.labels[\"local_resp\"] = \"false\" AND about.labels[\"local_orig\"] = \"true\", \"Outbound\", \"Unknown\"\r\n ))))\r\nmatch:\r\n $is_internal_external\r\noutcome:\r\n $count=count_distinct(metadata.id)", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "7e2f1410f850c2af2bd6d8dade037b5bb79fd33c1c73fe5e59d5f99b7adb0c98" + "etag": "0fffb448e269203059f7e09df366b4f7bbdc55751632aaf2f067c891e508593c" }, { - "name": "fa01e337-69af-480e-bcf5-9e058ef56d35", + "name": "0c85a531-d72d-4c42-9188-a0820157fc8a", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = /^http/ \r\nmatch:\r\n network.http.user_agent\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count asc \r\nlimit:\r\n 10", "input": { "relativeTime": { @@ -579,10 +622,10 @@ "startTimeVal": "1" } }, - "etag": "a98d4c75a8a537d8602bc54ef266cbe46f9b86633d3f4910c00b991c933a551b" + "etag": "fbfdf7eaff290c6a1bd1f30b54de6802f3d0fca174fa4232b1972944f9715095" }, { - "name": "d8684b03-2bf9-4d8b-af5b-b8ebbc848fb8", + "name": "cd016dff-9dba-42de-8301-29c12c494878", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type != /^conn/ \r\nmetadata.product_event_type != \"http\"\r\nmetadata.product_event_type != \"asoc:nba:event\"\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { "relativeTime": { 
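Review bot: In the rewritten `fab8ba14…` query the four-branch OR that replaces the removed `$is_internal_external!="Unknown"` line only checks that both labels hold a boolean string, and can be written as `(about.labels["local_resp"] = "true" OR about.labels["local_resp"] = "false") AND (about.labels["local_orig"] = "true" OR about.labels["local_orig"] = "false")`, which is equivalent as long as each label is single-valued; as in the severity queries, the `"Unknown"` branch of the if-ladder is then unreachable and should either go or be documented in the chart `description`. The `1522ae0b…` query still carries the site-specific `$target_ip != "192.168.0.255"` exclusion next to the generic broadcast check that was just inlined, and in a shared "Security Workflows" dashboard that value belongs in a user-controlled filter or at least in the chart description, since other deployments have different directed-broadcast addresses. Moving the three `timeWindow` inputs with hard-coded March 2025 bounds to `relativeTime` is the right fix for an exported dashboard. This hunk spans three physical lines on this page; the `dashboardQueries` array it sits in continues below it.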
@@ -590,18 +633,18 @@ "startTimeVal": "1" } }, - "etag": "7e2e76332869e33ce77f1ebd2e488b50db216ed13d5780fd12e1a159b81e1031" + "etag": "fff84279c582fbf8aef6f72714f4c577622277bf9c3a2d238dc7f5ba303eb8a8" }, { - "name": "e5444f7b-136c-4d46-8987-f940185b7f44", + "name": "f92ee604-5166-4562-9bd3-a79a1dda7754", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = /^conn/\r\nprincipal.ip != \"\" OR target.ip != \"\"\r\ntarget.port != 80\r\ntarget.port != 8080\r\ntarget.port != 443\r\n$protocol = if(network.ip_protocol = 88, strings.concat(\"EIGRP/\",target.port),\r\n if(network.ip_protocol = 50, strings.concat(\"ESP/\",target.port),\r\n if(network.ip_protocol = 97, strings.concat(\"ETHERIP/\",target.port),\r\n if(network.ip_protocol = 47, strings.concat(\"GRE/\",target.port),\r\n if(network.ip_protocol = 1, strings.concat(\"ICMP/\",target.port),\r\n if(network.ip_protocol = 58, strings.concat(\"ICMP6/\",target.port),\r\n if(network.ip_protocol = 2, strings.concat(\"IGMP/\",target.port),\r\n if(network.ip_protocol = 41, strings.concat(\"IP6IN4/\",target.port),\r\n if(network.ip_protocol = 103, strings.concat(\"PIM/\",target.port),\r\n if(network.ip_protocol = 132, strings.concat(\"SCTP/\",target.port),\r\n if(network.ip_protocol = 6, strings.concat(\"TCP/\",target.port),\r\n if(network.ip_protocol = 17, strings.concat(\"UDP/\",target.port),\r\n if(network.ip_protocol = 0, strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port),\r\n if(network.ip_protocol = 112, strings.concat(\"VRRP/\",target.port),\r\n strings.concat(\"UNKNOWN_IP_PROTOCOL/\",target.port)))))))))))))))\r\nmatch:\r\n $protocol\r\noutcome:\r\n $count = count(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", "input": { - "timeWindow": { - "startTime": "2025-03-26T00:00:00Z", - "endTime": "2025-03-27T06:25:01.388Z" + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" } }, - "etag": "f43c1b60f80fee6a6452f1adac469de2d59f1b13a1add56ad00c952e242519dc" + "etag": 
"fb882764dd7284b5d2ff433546a9d896df4e4d3fbcdfb0cec3fa40d40b91f271" } ] } diff --git a/dashboards/Security Workflows/Log Hunting.json b/dashboards/Security Workflows/Log Hunting.json index debe6f5..1bb09cd 100644 --- a/dashboards/Security Workflows/Log Hunting.json +++ b/dashboards/Security Workflows/Log Hunting.json 
@@ -1,442 +1,442 @@ -{ - "dashboards": [ - { - "dashboard": { - "name": "0e5c4e41-a4b9-41b2-91e1-c24e52b8cb06", - "displayName": "Corelight → Security Workflows → Log Hunting", - "definition": { - "filters": [ - { - "id": "GlobalTimeFilter", - "dataSource": "GLOBAL", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "PAST", - "fieldValues": [ - "1", - "DAY" - ] - } - ], - "displayName": "Global Time Filter", - "chartIds": [ - "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", - "ea05a21f-8bdd-422f-842c-59b4edc66604", - "120f3c36-6f37-4e2b-a411-8c6dc85f3804" - ], - "isStandardTimeRangeFilter": true, - "isStandardTimeRangeFilterEnabled": true - }, - { - "id": "2e65874d-fe4c-44f5-8e1d-2db779868c7f", - "dataSource": "UDM", - "fieldPath": "metadata.product_event_type", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "Event Type", - "chartIds": [ - "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", - "120f3c36-6f37-4e2b-a411-8c6dc85f3804" - ] - }, - { - "id": "fc31ef73-16b7-491c-8018-4c997d1edd0f", - "dataSource": "UDM", - "fieldPath": "principal.ip", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "Source IP", - "chartIds": [ - "120f3c36-6f37-4e2b-a411-8c6dc85f3804", - "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8" - ] - }, - { - "id": "435456c8-9351-494e-a943-076b6733d3d5", - "dataSource": "UDM", - "fieldPath": "target.ip", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "Destination IP", - "chartIds": [ - "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", - "120f3c36-6f37-4e2b-a411-8c6dc85f3804" - ] - } - ], - "charts": [ - { - "dashboardChart": "120f3c36-6f37-4e2b-a411-8c6dc85f3804", - "chartLayout": { - "startX": 0, - "spanX": 42, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "2e65874d-fe4c-44f5-8e1d-2db779868c7f", - 
"fc31ef73-16b7-491c-8018-4c997d1edd0f", - "435456c8-9351-494e-a943-076b6733d3d5" - ] - }, - { - "dashboardChart": "ea05a21f-8bdd-422f-842c-59b4edc66604", - "chartLayout": { - "startX": 42, - "spanX": 54, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter" - ] - }, - { - "dashboardChart": "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 27, - "spanY": 39 - }, - "filtersIds": [ - "GlobalTimeFilter", - "2e65874d-fe4c-44f5-8e1d-2db779868c7f", - "fc31ef73-16b7-491c-8018-4c997d1edd0f", - "435456c8-9351-494e-a943-076b6733d3d5" - ] - } - ] - }, - "type": "CUSTOM", - "etag": "99638f63fb831762607e66338421252c22184d1f60038bdcb5ceaf4ce719acc3", - "access": "DASHBOARD_PRIVATE" - }, - "dashboardCharts": [ - { - "name": "ea05a21f-8bdd-422f-842c-59b4edc66604", - "displayName": "All Corelight Data for This Unique Entity", - "description": "ONLY Time Range Filter Applies to This Graph", - "chartDatasource": { - "dashboardQuery": "3054065e-8269-476f-8dc3-ae4b330e8e21", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesName": "none", - "seriesType": "BAR", - "encode": { - "x": "metadata.product_event_type", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "undefined" - }, - "seriesUniqueValue": "none" - } - ], - "xAxes": [ - { - "axisType": "CATEGORY", - "displayName": "Event Type" - } - ], - "yAxes": [ - { - "axisType": "VALUE", - "displayName": "Count" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "330c7a8257d5812ab4779550461b172b07d426ca791e955cb90a5eda11d31b03", - "drillDownConfig": {} - }, - { - "name": "120f3c36-6f37-4e2b-a411-8c6dc85f3804", - "displayName": "Filtered Corelight data for this unique entity", - "chartDatasource": { - "dashboardQuery": "6d449b63-1aff-4884-a9b3-0b0404fd6b8d", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": 
[ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "metadata.product_event_type" - }, - "dataLabel": { - "show": true - }, - "radius": [ - "0%", - "70%" - ], - "itemStyle": { - "color": "b=>{const {map:c}=Cyf(this.theme);b=Jzf(b,bzf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" - }, - "itemColors": { - "colors": [ - { - "key": "ssl", - "value": { - "color": "#1a73e8", - "label": "ssl" - } - }, - { - "key": "dns", - "value": { - "color": "#eb730a", - "label": "dns" - } - }, - { - "key": "conn", - "value": { - "color": "#10a3b7", - "label": "conn" - } - }, - { - "key": "notice", - "value": { - "color": "#ec453b", - "label": "notice" - } - }, - { - "key": "rdp", - "value": { - "color": "#e51f8f", - "label": "rdp" - } - }, - { - "key": "vpn", - "value": { - "color": "#923ef9", - "label": "vpn" - } - }, - { - "key": "ssh", - "value": { - "color": "#4aa207", - "label": "ssh" - } - }, - { - "key": "http", - "value": { - "color": "#5350fb", - "label": "http" - } - }, - { - "key": "files", - "value": { - "color": "#009886", - "label": "files" - } - }, - { - "key": "suricata_corelight", - "value": { - "color": "#0c67df", - "label": "suricata_corelight" - } - } - ] - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "fa33ac72b5bed96f03d08c49249ef3000349db528d27880f8a9f058048bc5e00", - "drillDownConfig": {} - }, - { - "name": "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", - "displayName": "Log Data", - "chartDatasource": { - "dashboardQuery": "8dac4599-9dfe-4c3a-abb5-689ae521f426", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": 
"HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "time", - "header": "Time" - }, - { - "field": "metadata.product_event_type", - "header": "Event Type" - }, - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "target.port", - "header": "Destination Port" - }, - { - "field": "uid", - "header": "UID" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "526303bd2dda7815a09dffa7c8206979e5734e3edf72fa68f0a1f69e9fc8df97", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "metadata.product_event_type", - "displayName": "Run Search on metadata.product_event_type", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "principal.ip", - "displayName": "Run Search on principal.ip", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "target.ip", - "displayName": "Run Search on target.ip", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "target.port", - "displayName": "Run Search on target.port", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "uid", - "displayName": "Run Search on UID", - "defaultSettings": { - "enabled": true - } - } - ] - } - } - ], - "dashboardQueries": [ - { - "name": "6d449b63-1aff-4884-a9b3-0b0404fd6b8d", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR network.session_id != \"\"\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "a28f3f06e0c0f899dfd8621baa4db6c3a6f555bf1c09f4a76fe8d2798795fb8e" - }, - { - "name": "8dac4599-9dfe-4c3a-abb5-689ae521f426", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR 
network.session_id != \"\"\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\n$uid=network.session_id\r\nmatch:\r\n $time, metadata.product_event_type, principal.ip, target.ip, target.port, $uid\r\norder: \r\n $time asc ", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "0764240e497ed5035a6d81fc2e99c74c148f0a1966599900c89a22f7021eeacd" - }, - { - "name": "3054065e-8269-476f-8dc3-ae4b330e8e21", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR network.session_id != \"\"\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "4c2792d8b2b7632a1cb80146685eeb2914668dc54a37f1b2bc3a0c3c38d7badb" - } - ] - } - ] +{ + "dashboards": [ + { + "dashboard": { + "name": "0e5c4e41-a4b9-41b2-91e1-c24e52b8cb06", + "displayName": "Corelight → Security Workflows → Log Hunting", + "definition": { + "filters": [ + { + "id": "GlobalTimeFilter", + "dataSource": "GLOBAL", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "PAST", + "fieldValues": [ + "1", + "DAY" + ] + } + ], + "displayName": "Global Time Filter", + "chartIds": [ + "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", + "ea05a21f-8bdd-422f-842c-59b4edc66604", + "120f3c36-6f37-4e2b-a411-8c6dc85f3804" + ], + "isStandardTimeRangeFilter": true, + "isStandardTimeRangeFilterEnabled": true + }, + { + "id": "2e65874d-fe4c-44f5-8e1d-2db779868c7f", + "dataSource": "UDM", + "fieldPath": "metadata.product_event_type", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Event Type", + "chartIds": [ + "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", + "120f3c36-6f37-4e2b-a411-8c6dc85f3804" + ] + }, + { + "id": "fc31ef73-16b7-491c-8018-4c997d1edd0f", + "dataSource": 
"UDM", + "fieldPath": "principal.ip", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Source IP", + "chartIds": [ + "120f3c36-6f37-4e2b-a411-8c6dc85f3804", + "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8" + ] + }, + { + "id": "435456c8-9351-494e-a943-076b6733d3d5", + "dataSource": "UDM", + "fieldPath": "target.ip", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Destination IP", + "chartIds": [ + "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", + "120f3c36-6f37-4e2b-a411-8c6dc85f3804" + ] + } + ], + "charts": [ + { + "dashboardChart": "120f3c36-6f37-4e2b-a411-8c6dc85f3804", + "chartLayout": { + "startX": 0, + "spanX": 42, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "2e65874d-fe4c-44f5-8e1d-2db779868c7f", + "fc31ef73-16b7-491c-8018-4c997d1edd0f", + "435456c8-9351-494e-a943-076b6733d3d5" + ] + }, + { + "dashboardChart": "ea05a21f-8bdd-422f-842c-59b4edc66604", + "chartLayout": { + "startX": 42, + "spanX": 54, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter" + ] + }, + { + "dashboardChart": "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 27, + "spanY": 39 + }, + "filtersIds": [ + "GlobalTimeFilter", + "2e65874d-fe4c-44f5-8e1d-2db779868c7f", + "fc31ef73-16b7-491c-8018-4c997d1edd0f", + "435456c8-9351-494e-a943-076b6733d3d5" + ] + } + ] + }, + "type": "CUSTOM", + "etag": "99638f63fb831762607e66338421252c22184d1f60038bdcb5ceaf4ce719acc3", + "access": "DASHBOARD_PRIVATE" + }, + "dashboardCharts": [ + { + "name": "ea05a21f-8bdd-422f-842c-59b4edc66604", + "displayName": "All Corelight Data for This Unique Entity", + "description": "ONLY Time Range Filter Applies to This Graph", + "chartDatasource": { + "dashboardQuery": "3054065e-8269-476f-8dc3-ae4b330e8e21", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + 
"seriesName": "none", + "seriesType": "BAR", + "encode": { + "x": "metadata.product_event_type", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "undefined" + }, + "seriesUniqueValue": "none" + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Event Type" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Count" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "330c7a8257d5812ab4779550461b172b07d426ca791e955cb90a5eda11d31b03", + "drillDownConfig": {} + }, + { + "name": "120f3c36-6f37-4e2b-a411-8c6dc85f3804", + "displayName": "Filtered Corelight data for this unique entity", + "chartDatasource": { + "dashboardQuery": "6d449b63-1aff-4884-a9b3-0b0404fd6b8d", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "metadata.product_event_type" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "0%", + "70%" + ], + "itemStyle": { + "color": "b=>{const {map:c}=Cyf(this.theme);b=Jzf(b,bzf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "ssl", + "value": { + "color": "#1a73e8", + "label": "ssl" + } + }, + { + "key": "dns", + "value": { + "color": "#eb730a", + "label": "dns" + } + }, + { + "key": "conn", + "value": { + "color": "#10a3b7", + "label": "conn" + } + }, + { + "key": "notice", + "value": { + "color": "#ec453b", + "label": "notice" + } + }, + { + "key": "rdp", + "value": { + "color": "#e51f8f", + "label": "rdp" + } + }, + { + "key": "vpn", + "value": { + "color": "#923ef9", + "label": "vpn" + } + }, + { + "key": "ssh", + "value": { + "color": "#4aa207", + "label": "ssh" + } + }, + { + "key": "http", + "value": { + "color": "#5350fb", + "label": "http" + } + }, + { + "key": "files", + "value": { + 
"color": "#009886", + "label": "files" + } + }, + { + "key": "suricata_corelight", + "value": { + "color": "#0c67df", + "label": "suricata_corelight" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "fa33ac72b5bed96f03d08c49249ef3000349db528d27880f8a9f058048bc5e00", + "drillDownConfig": {} + }, + { + "name": "5bbc72fc-ea6c-4fec-8c72-d1f13a04a7e8", + "displayName": "Log Data", + "chartDatasource": { + "dashboardQuery": "8dac4599-9dfe-4c3a-abb5-689ae521f426", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "time", + "header": "Time" + }, + { + "field": "metadata.product_event_type", + "header": "Event Type" + }, + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "target.port", + "header": "Destination Port" + }, + { + "field": "uid", + "header": "UID" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "526303bd2dda7815a09dffa7c8206979e5734e3edf72fa68f0a1f69e9fc8df97", + "drillDownConfig": { + "leftDrillDowns": [ + { + "id": "metadata.product_event_type", + "displayName": "Run Search on metadata.product_event_type", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "principal.ip", + "displayName": "Run Search on principal.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.ip", + "displayName": "Run Search on target.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.port", + "displayName": "Run Search on target.port", + "defaultSettings": { + "enabled": true + } + }, + { + 
"id": "uid", + "displayName": "Run Search on UID", + "defaultSettings": { + "enabled": true + } + } + ] + } + } + ], + "dashboardQueries": [ + { + "name": "6d449b63-1aff-4884-a9b3-0b0404fd6b8d", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR network.session_id != \"\"\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "a28f3f06e0c0f899dfd8621baa4db6c3a6f555bf1c09f4a76fe8d2798795fb8e" + }, + { + "name": "8dac4599-9dfe-4c3a-abb5-689ae521f426", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR network.session_id != \"\"\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\n$uid=network.session_id\r\nmatch:\r\n $time, metadata.product_event_type, principal.ip, target.ip, target.port, $uid\r\norder: \r\n $time asc ", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "0764240e497ed5035a6d81fc2e99c74c148f0a1966599900c89a22f7021eeacd" + }, + { + "name": "3054065e-8269-476f-8dc3-ae4b330e8e21", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type!=/^corelight/\r\nprincipal.ip != \"\" OR target.ip != \"\" OR network.session_id != \"\"\r\nmatch:\r\n metadata.product_event_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "4c2792d8b2b7632a1cb80146685eeb2914668dc54a37f1b2bc3a0c3c38d7badb" + } + ] + } + ] } \ No newline at end of file diff --git a/dashboards/Security Workflows/RDP Inferences Overview.json b/dashboards/Security Workflows/RDP Inferences Overview.json index f66ebc0..6dbbf1c 100644 
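Review bot: On the new side, the PIE series of chart `120f3c36-6f37-4e2b-a411-8c6dc85f3804` carries `"itemStyle": { "color": "b=>{const {map:c}=Cyf(this.theme);…}" }` — a minified JavaScript arrow-function body exported in place of a color value. This is almost certainly an export artifact rather than intent: the sibling BAR chart in the same file uses `"color": "undefined"`, and this series already has a per-key `itemColors` map, so the field should be set to `"undefined"` or removed before commit. The old and new sides of this hunk otherwise appear identical, so the full rewrite is presumably a line-ending or whitespace change; a normalizing `.gitattributes` entry for these exports would keep future diffs reviewable.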
--- a/dashboards/Security Workflows/RDP Inferences Overview.json
+++ b/dashboards/Security Workflows/RDP Inferences Overview.json
@@ -1,775 +1,775 @@ -{ - "dashboards": [ - { - "dashboard": { - "name": "d9a8c3c7-1bfc-4882-96c7-c9c27855bc35", - "displayName": "Corelight → Security Workflows → RDP Inferences Overview", - "definition": { - "filters": [ - { - "id": "GlobalTimeFilter", - "dataSource": "GLOBAL", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "PAST", - "fieldValues": [ - "1", - "DAY" - ] - } - ], - "displayName": "Global Time Filter", - "chartIds": [ - "24fe829d-8be2-45e3-b6e1-19f5584edfb4", - "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", - "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", - "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", - "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", - "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", - "01bd2637-7f83-4ac8-92fe-0a05e100cb50" - ], - "isStandardTimeRangeFilter": true, - "isStandardTimeRangeFilterEnabled": true - }, - { - "id": "7009c415-49e5-436f-a90a-8641e56d52f6", - "dataSource": "UDM", - "fieldPath": "observer.hostname", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "Corelight Sensor", - "chartIds": [ - "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", - "24fe829d-8be2-45e3-b6e1-19f5584edfb4", - "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", - "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", - "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", - "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", - "01bd2637-7f83-4ac8-92fe-0a05e100cb50" - ] - } - ], - "charts": [ - { - "dashboardChart": "24fe829d-8be2-45e3-b6e1-19f5584edfb4", - "chartLayout": { - "startX": 0, - "spanX": 48, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", - "chartLayout": { - "startX": 48, - "spanX": 48, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", - "chartLayout": { - "startX": 0, - 
"spanX": 21, - "startY": 27, - "spanY": 16 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "01bd2637-7f83-4ac8-92fe-0a05e100cb50", - "chartLayout": { - "startX": 21, - "spanX": 21, - "startY": 27, - "spanY": 16 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", - "chartLayout": { - "startX": 42, - "spanX": 54, - "startY": 27, - "spanY": 16 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 43, - "spanY": 20 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - }, - { - "dashboardChart": "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 63, - "spanY": 34 - }, - "filtersIds": [ - "GlobalTimeFilter", - "7009c415-49e5-436f-a90a-8641e56d52f6" - ] - } - ] - }, - "type": "CUSTOM", - "etag": "2630a6347e95dc4879da7249b70bd629d546439a51c8269920e9c8cd1eb36bcc", - "access": "DASHBOARD_PRIVATE" - }, - "dashboardCharts": [ - { - "name": "24fe829d-8be2-45e3-b6e1-19f5584edfb4", - "displayName": "Inferences Name", - "chartDatasource": { - "dashboardQuery": "eefef98d-49c6-47ea-b617-1a7e89e75739", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "about.labels.value" - }, - "dataLabel": {}, - "radius": [ - "0%", - "70%" - ], - "itemStyle": { - "color": "undefined" - }, - "itemColors": { - "colors": [ - { - "key": "APWA", - "value": { - "color": "#1a73e8", - "label": "APWA" - } - }, - { - "key": "SOC", - "value": { - "color": "#eb730a", - "label": "SOC" - } - }, - { - "key": "IPWA", - "value": { - "color": "#10a3b7", - "label": "IPWA" - } - }, - { - "key": 
"HBC", - "value": { - "color": "#d15f6b", - "label": "HBC" - } - }, - { - "key": "MSC", - "value": { - "color": "#e51f8f", - "label": "MSC" - } - }, - { - "key": "RAMA", - "value": { - "color": "#923ef9", - "label": "RAMA" - } - } - ] - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "7ac60945910b732511a929a8e06537a1a262dae851e164c41977b88f039d77bd" - }, - { - "name": "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", - "displayName": "Inferences Over Time", - "chartDatasource": { - "dashboardQuery": "5fc23a0b-21fd-4990-8e69-97ce78c994c8", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesName": "MMM", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "MMM", - "areaStyle": {} - }, - { - "seriesName": "SOC", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "SOC", - "areaStyle": {} - }, - { - "seriesName": "PWA", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "PWA", - "areaStyle": {} - }, - { - "seriesName": "APW", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "APW", - "areaStyle": {} - }, - { - "seriesName": "APWA", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "APWA", 
- "areaStyle": {} - }, - { - "seriesName": "IPWA", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "IPWA", - "areaStyle": {} - }, - { - "seriesName": "RAMA", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#4aa207" - }, - "seriesUniqueValue": "RAMA", - "areaStyle": {} - } - ], - "xAxes": [ - { - "axisType": "CATEGORY", - "displayName": "Time" - } - ], - "yAxes": [ - { - "axisType": "VALUE", - "displayName": "Count" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "seriesColumn": [ - "about.labels.value" - ], - "groupingType": "Stacked" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "56a983a27fa5867041f959dcd722a32a3506c5afe106602907e971b7dede8d25" - }, - { - "name": "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", - "displayName": "Successful Connections", - "description": "Successful Connections", - "chartDatasource": { - "dashboardQuery": "f9542357-bf92-4b4d-b30f-66b38b17df9e", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "TEXT", - "label": " ", - "field": "count", - "metricTrendConfig": { - "metricFormat": "METRIC_FORMAT_NUMBER", - "metricDisplayTrend": "METRIC_DISPLAY_TREND_ABSOLUTE_VALUE", - "metricTrendType": "METRIC_TREND_TYPE_REGULAR" - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "434481bd971df232b18b906c922ed73ea44282df0b6b20004c8375b985aa044b", - "drillDownConfig": {} - }, - { - "name": "01bd2637-7f83-4ac8-92fe-0a05e100cb50", - "displayName": "Failed Connections", - "description": "Failed Connections", - "chartDatasource": { - "dashboardQuery": 
"bd453f87-46a3-48d6-af5d-44e326e40bb5", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "TEXT", - "label": " ", - "field": "count", - "metricTrendConfig": { - "metricFormat": "METRIC_FORMAT_NUMBER", - "metricDisplayTrend": "METRIC_DISPLAY_TREND_ABSOLUTE_VALUE", - "metricTrendType": "METRIC_TREND_TYPE_REGULAR" - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "c60aa1d25b3dbeb2b13f5ff2fb7a6cd1b1829608b1f4c44cef70858165be7066", - "drillDownConfig": {} - }, - { - "name": "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", - "displayName": "RDP Connection Detail", - "chartDatasource": { - "dashboardQuery": "ae15226d-f9b4-4982-9877-e4475716ffb4", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "time", - "header": "Time" - }, - { - "field": "connecting_user", - "header": "Connecting User" - }, - { - "field": "observer.hostname", - "header": "Corelight Sensor" - }, - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "target.port", - "header": "Destination Port" - }, - { - "field": "auth_success", - "header": "Auth Success" - }, - { - "field": "about.labels.value", - "header": "Inferences" - }, - { - "field": "inference_name", - "header": "Inferences Name" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "d9037fe0757d105e1271a35930f4297049348d227aae32ce22628d9c873e3dcb", - "drillDownConfig": { - "leftDrillDowns": [ - { - "id": "connecting_user", - "displayName": "Run Search on Connecting User", - "defaultSettings": { - "enabled": 
true - } - }, - { - "id": "observer.hostname", - "displayName": "Run Search on observer.hostname", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "principal.ip", - "displayName": "Run Search on principal.ip", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "target.ip", - "displayName": "Run Search on target.ip", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "target.port", - "displayName": "Run Search on target.port", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "auth_success", - "displayName": "Run Search on Auth Success", - "defaultSettings": { - "enabled": true - } - }, - { - "id": "about.labels.value", - "displayName": "Run Search on about.labels.value", - "defaultSettings": { - "enabled": true - } - } - ] - } - }, - { - "name": "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", - "displayName": "Security Protocols Used", - "chartDatasource": { - "dashboardQuery": "10fb4bbd-eba0-4f83-8377-8b77e45ef754", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "security_protocol" - }, - "dataLabel": {}, - "radius": [ - "0%", - "70%" - ] - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ab035ef92874c02e68325cffacc08cf6f7104b504bd91dea63595113e96ac848" - }, - { - "name": "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", - "displayName": "Connecting Users", - "chartDatasource": { - "dashboardQuery": "80da40e1-a6c6-4c9f-87ec-960c883d61aa", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "connecting_user", - "header": "Connecting User" - }, 
- { - "field": "auth_success", - "header": "Auth Success" - }, - { - "field": "count", - "header": "Count" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "23073a1457cf1249bd5b7d3e2e48b0b248cacaac370f86d634ff36ad2b6f43c9", - "drillDownConfig": {} - } - ], - "dashboardQueries": [ - { - "name": "80da40e1-a6c6-4c9f-87ec-960c883d61aa", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$auth_success=if(security_result.action=\"ALLOW\", \"True\", if(security_result.action=\"FAIL\", \"False\", \"No Value\"))\r\n$connecting_user=about.labels[\"cookie\"]\r\n$connecting_user!=\"\"\r\nmatch:\r\n $connecting_user, $auth_success\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 20", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "49e602b5ccb8db71178aa664fb4c92d9b240b316db3e771210703c2ed6bf34da" - }, - { - "name": "eefef98d-49c6-47ea-b617-1a7e89e75739", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nabout.labels.key=\"inferences\"\r\nabout.labels.value!=\"\"\r\nmatch:\r\n about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "8c75267dec04df78047d5f9331d147ef5a21358108e8e5f5bbd829936d48855c" - }, - { - "name": "5fc23a0b-21fd-4990-8e69-97ce78c994c8", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nabout.labels.key=\"inferences\"\r\nabout.labels.value!=\"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": 
"76eb6e99dfa90d3aadf3dcb0c86c2544dc2051a11e009518a495de5f30f8feed" - }, - { - "name": "f9542357-bf92-4b4d-b30f-66b38b17df9e", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nsecurity_result.action=\"ALLOW\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "cbadc67f819a2742f6b0fd501ffee7eaa107e17b3e102d921dee6197702556e3" - }, - { - "name": "bd453f87-46a3-48d6-af5d-44e326e40bb5", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nsecurity_result.action!=\"ALLOW\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "1b875f7e8e9398c64f4b454814b4f164f629d0e33a7b9c024ad61792676a6c2e" - }, - { - "name": "ae15226d-f9b4-4982-9877-e4475716ffb4", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$connecting_user=about.labels[\"cookie\"]\r\n$auth_success=security_result.action\r\nabout.labels.key=\"inferences\"\r\n$inference_name=if(about.labels.value=\"FC\", \"FreeRDP Driven Client\",\r\nif(about.labels.value=\"MSC\", \"Metasploit Scanner Client\",\r\nif(about.labels.value=\"HBC\", \"THC-Hydra Bruteforce Client\",\r\nif(about.labels.value=\"CBC\", \"Crowbar Bruteforce Client\",\r\nif(about.labels.value=\"SLC\", \"SharpRDP Lateral Movement Client\",\r\nif(about.labels.value=\"SOC\", \"Scanner Other Client\",\r\nif(about.labels.value=\"RCGA\", \"Remote Credential Guard Authentication\",\r\nif(about.labels.value=\"RAMA\", \"Restricted Admin Mode Authentication\",\r\nif(about.labels.value=\"APWA\", \"Automated NTLM Password Authentication\",\r\nif(about.labels.value=\"IPWA\", \"Interactive NTLM Password Authentication\",\r\nif(about.labels.value=\"SLH\", \"Slow Handshake\", 
\"Unknown\"\r\n)))))))))))\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nmatch:\r\n $time, $connecting_user, observer.hostname, principal.ip, target.ip, target.port, $auth_success, about.labels.value, $inference_name\r\norder:\r\n $time asc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "a0f8a2eee120289ad1e573da2dc9696cb9418ac727d4c96e3290ce0563242fb3" - }, - { - "name": "10fb4bbd-eba0-4f83-8377-8b77e45ef754", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$security_protocol=target.labels[\"security_protocol\"]\r\nmatch:\r\n $security_protocol\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "31cedf2e1d05185a94377bfb8a39112ca4bac2173c841bbe754d68b5c6f151fe" - } - ] - } - ] +{ + "dashboards": [ + { + "dashboard": { + "name": "d9a8c3c7-1bfc-4882-96c7-c9c27855bc35", + "displayName": "Corelight → Security Workflows → RDP Inferences Overview", + "definition": { + "filters": [ + { + "id": "GlobalTimeFilter", + "dataSource": "GLOBAL", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "PAST", + "fieldValues": [ + "1", + "DAY" + ] + } + ], + "displayName": "Global Time Filter", + "chartIds": [ + "24fe829d-8be2-45e3-b6e1-19f5584edfb4", + "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", + "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", + "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", + "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", + "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", + "01bd2637-7f83-4ac8-92fe-0a05e100cb50" + ], + "isStandardTimeRangeFilter": true, + "isStandardTimeRangeFilterEnabled": true + }, + { + "id": "7009c415-49e5-436f-a90a-8641e56d52f6", + "dataSource": "UDM", + "fieldPath": "observer.hostname", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Corelight 
Sensor", + "chartIds": [ + "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", + "24fe829d-8be2-45e3-b6e1-19f5584edfb4", + "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", + "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", + "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", + "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", + "01bd2637-7f83-4ac8-92fe-0a05e100cb50" + ] + } + ], + "charts": [ + { + "dashboardChart": "24fe829d-8be2-45e3-b6e1-19f5584edfb4", + "chartLayout": { + "startX": 0, + "spanX": 48, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", + "chartLayout": { + "startX": 48, + "spanX": 48, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", + "chartLayout": { + "startX": 0, + "spanX": 21, + "startY": 27, + "spanY": 16 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "01bd2637-7f83-4ac8-92fe-0a05e100cb50", + "chartLayout": { + "startX": 21, + "spanX": 21, + "startY": 27, + "spanY": 16 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", + "chartLayout": { + "startX": 42, + "spanX": 54, + "startY": 27, + "spanY": 16 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 43, + "spanY": 20 + }, + "filtersIds": [ + "GlobalTimeFilter", + "7009c415-49e5-436f-a90a-8641e56d52f6" + ] + }, + { + "dashboardChart": "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 63, + "spanY": 34 + }, + "filtersIds": [ + "GlobalTimeFilter", + 
"7009c415-49e5-436f-a90a-8641e56d52f6" + ] + } + ] + }, + "type": "CUSTOM", + "etag": "2630a6347e95dc4879da7249b70bd629d546439a51c8269920e9c8cd1eb36bcc", + "access": "DASHBOARD_PRIVATE" + }, + "dashboardCharts": [ + { + "name": "24fe829d-8be2-45e3-b6e1-19f5584edfb4", + "displayName": "Inferences Name", + "chartDatasource": { + "dashboardQuery": "eefef98d-49c6-47ea-b617-1a7e89e75739", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "about.labels.value" + }, + "dataLabel": {}, + "radius": [ + "0%", + "70%" + ], + "itemStyle": { + "color": "undefined" + }, + "itemColors": { + "colors": [ + { + "key": "APWA", + "value": { + "color": "#1a73e8", + "label": "APWA" + } + }, + { + "key": "SOC", + "value": { + "color": "#eb730a", + "label": "SOC" + } + }, + { + "key": "IPWA", + "value": { + "color": "#10a3b7", + "label": "IPWA" + } + }, + { + "key": "HBC", + "value": { + "color": "#d15f6b", + "label": "HBC" + } + }, + { + "key": "MSC", + "value": { + "color": "#e51f8f", + "label": "MSC" + } + }, + { + "key": "RAMA", + "value": { + "color": "#923ef9", + "label": "RAMA" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "7ac60945910b732511a929a8e06537a1a262dae851e164c41977b88f039d77bd" + }, + { + "name": "0ae7b24b-503c-466c-b26d-0ba2629b5bd2", + "displayName": "Inferences Over Time", + "chartDatasource": { + "dashboardQuery": "5fc23a0b-21fd-4990-8e69-97ce78c994c8", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesName": "MMM", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "MMM", + 
"areaStyle": {} + }, + { + "seriesName": "SOC", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "SOC", + "areaStyle": {} + }, + { + "seriesName": "PWA", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "PWA", + "areaStyle": {} + }, + { + "seriesName": "APW", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#d15f6b" + }, + "seriesUniqueValue": "APW", + "areaStyle": {} + }, + { + "seriesName": "APWA", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#e51f8f" + }, + "seriesUniqueValue": "APWA", + "areaStyle": {} + }, + { + "seriesName": "IPWA", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#923ef9" + }, + "seriesUniqueValue": "IPWA", + "areaStyle": {} + }, + { + "seriesName": "RAMA", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#4aa207" + }, + "seriesUniqueValue": "RAMA", + "areaStyle": {} + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Count" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "about.labels.value" + ], + "groupingType": "Stacked" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "56a983a27fa5867041f959dcd722a32a3506c5afe106602907e971b7dede8d25" + }, + { + "name": "9ff04d68-6c6b-4064-aead-8e2de0f0a70c", + "displayName": "Successful Connections", + 
"description": "Successful Connections", + "chartDatasource": { + "dashboardQuery": "f9542357-bf92-4b4d-b30f-66b38b17df9e", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "TEXT", + "label": " ", + "field": "count", + "metricTrendConfig": { + "metricFormat": "METRIC_FORMAT_NUMBER", + "metricDisplayTrend": "METRIC_DISPLAY_TREND_ABSOLUTE_VALUE", + "metricTrendType": "METRIC_TREND_TYPE_REGULAR" + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "434481bd971df232b18b906c922ed73ea44282df0b6b20004c8375b985aa044b", + "drillDownConfig": {} + }, + { + "name": "01bd2637-7f83-4ac8-92fe-0a05e100cb50", + "displayName": "Failed Connections", + "description": "Failed Connections", + "chartDatasource": { + "dashboardQuery": "bd453f87-46a3-48d6-af5d-44e326e40bb5", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "TEXT", + "label": " ", + "field": "count", + "metricTrendConfig": { + "metricFormat": "METRIC_FORMAT_NUMBER", + "metricDisplayTrend": "METRIC_DISPLAY_TREND_ABSOLUTE_VALUE", + "metricTrendType": "METRIC_TREND_TYPE_REGULAR" + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "c60aa1d25b3dbeb2b13f5ff2fb7a6cd1b1829608b1f4c44cef70858165be7066", + "drillDownConfig": {} + }, + { + "name": "b1b3a272-b958-4f28-afa9-e0b5f3c89e01", + "displayName": "RDP Connection Detail", + "chartDatasource": { + "dashboardQuery": "ae15226d-f9b4-4982-9877-e4475716ffb4", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + 
"legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "time", + "header": "Time" + }, + { + "field": "connecting_user", + "header": "Connecting User" + }, + { + "field": "observer.hostname", + "header": "Corelight Sensor" + }, + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "target.port", + "header": "Destination Port" + }, + { + "field": "auth_success", + "header": "Auth Success" + }, + { + "field": "about.labels.value", + "header": "Inferences" + }, + { + "field": "inference_name", + "header": "Inferences Name" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "d9037fe0757d105e1271a35930f4297049348d227aae32ce22628d9c873e3dcb", + "drillDownConfig": { + "leftDrillDowns": [ + { + "id": "connecting_user", + "displayName": "Run Search on Connecting User", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "observer.hostname", + "displayName": "Run Search on observer.hostname", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "principal.ip", + "displayName": "Run Search on principal.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.ip", + "displayName": "Run Search on target.ip", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "target.port", + "displayName": "Run Search on target.port", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "auth_success", + "displayName": "Run Search on Auth Success", + "defaultSettings": { + "enabled": true + } + }, + { + "id": "about.labels.value", + "displayName": "Run Search on about.labels.value", + "defaultSettings": { + "enabled": true + } + } + ] + } + }, + { + "name": "2cf9beb9-b7b1-48d4-8c4c-aac0361e0e85", + "displayName": "Security Protocols Used", + "chartDatasource": { + "dashboardQuery": "10fb4bbd-eba0-4f83-8377-8b77e45ef754", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + 
"series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "security_protocol" + }, + "dataLabel": {}, + "radius": [ + "0%", + "70%" + ] + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "ab035ef92874c02e68325cffacc08cf6f7104b504bd91dea63595113e96ac848" + }, + { + "name": "c3cc6d94-c82a-4c17-a84e-94d61d1e34c5", + "displayName": "Connecting Users", + "chartDatasource": { + "dashboardQuery": "80da40e1-a6c6-4c9f-87ec-960c883d61aa", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "connecting_user", + "header": "Connecting User" + }, + { + "field": "auth_success", + "header": "Auth Success" + }, + { + "field": "count", + "header": "Count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "23073a1457cf1249bd5b7d3e2e48b0b248cacaac370f86d634ff36ad2b6f43c9", + "drillDownConfig": {} + } + ], + "dashboardQueries": [ + { + "name": "80da40e1-a6c6-4c9f-87ec-960c883d61aa", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$auth_success=if(security_result.action=\"ALLOW\", \"True\", if(security_result.action=\"FAIL\", \"False\", \"No Value\"))\r\n$connecting_user=about.labels[\"cookie\"]\r\n$connecting_user!=\"\"\r\nmatch:\r\n $connecting_user, $auth_success\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 20", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "49e602b5ccb8db71178aa664fb4c92d9b240b316db3e771210703c2ed6bf34da" + }, + { + "name": "eefef98d-49c6-47ea-b617-1a7e89e75739", + 
"query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nabout.labels.key=\"inferences\"\r\nabout.labels.value!=\"\"\r\nmatch:\r\n about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "8c75267dec04df78047d5f9331d147ef5a21358108e8e5f5bbd829936d48855c" + }, + { + "name": "5fc23a0b-21fd-4990-8e69-97ce78c994c8", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nabout.labels.key=\"inferences\"\r\nabout.labels.value!=\"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "76eb6e99dfa90d3aadf3dcb0c86c2544dc2051a11e009518a495de5f30f8feed" + }, + { + "name": "f9542357-bf92-4b4d-b30f-66b38b17df9e", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nsecurity_result.action=\"ALLOW\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "cbadc67f819a2742f6b0fd501ffee7eaa107e17b3e102d921dee6197702556e3" + }, + { + "name": "bd453f87-46a3-48d6-af5d-44e326e40bb5", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\nsecurity_result.action!=\"ALLOW\"\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "1b875f7e8e9398c64f4b454814b4f164f629d0e33a7b9c024ad61792676a6c2e" + }, + { + "name": "ae15226d-f9b4-4982-9877-e4475716ffb4", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"rdp\"\r\n$connecting_user=about.labels[\"cookie\"]\r\n$auth_success=security_result.action\r\nabout.labels.key=\"inferences\"\r\n$inference_name=if(about.labels.value=\"FC\", \"FreeRDP Driven Client\",\r\nif(about.labels.value=\"MSC\", \"Metasploit Scanner Client\",\r\nif(about.labels.value=\"HBC\", \"THC-Hydra Bruteforce Client\",\r\nif(about.labels.value=\"CBC\", \"Crowbar Bruteforce Client\",\r\nif(about.labels.value=\"SLC\", \"SharpRDP Lateral Movement Client\",\r\nif(about.labels.value=\"SOC\", \"Scanner Other Client\",\r\nif(about.labels.value=\"RCGA\", \"Remote Credential Guard Authentication\",\r\nif(about.labels.value=\"RAMA\", \"Restricted Admin Mode Authentication\",\r\nif(about.labels.value=\"APWA\", \"Automated NTLM Password Authentication\",\r\nif(about.labels.value=\"IPWA\", \"Interactive NTLM Password Authentication\",\r\nif(about.labels.value=\"SLH\", \"Slow Handshake\", \"Unknown\"\r\n)))))))))))\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nmatch:\r\n $time, $connecting_user, observer.hostname, principal.ip, target.ip, target.port, $auth_success, about.labels.value, $inference_name\r\norder:\r\n $time asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "a0f8a2eee120289ad1e573da2dc9696cb9418ac727d4c96e3290ce0563242fb3" + }, + { + "name": "10fb4bbd-eba0-4f83-8377-8b77e45ef754", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"rdp\"\r\n$security_protocol=target.labels[\"security_protocol\"]\r\nmatch:\r\n $security_protocol\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "31cedf2e1d05185a94377bfb8a39112ca4bac2173c841bbe754d68b5c6f151fe" + } + ] + } + ] } \ No newline at end of file 
diff --git a/dashboards/Security Workflows/SSH Inferences Overview.json b/dashboards/Security Workflows/SSH Inferences Overview.json index 1ae87ed..84b7ccd 100644 --- a/dashboards/Security Workflows/SSH Inferences Overview.json +++ b/dashboards/Security Workflows/SSH Inferences Overview.json 
@@ -1,880 +1,880 @@ -{ - "dashboards": [ - { - "dashboard": { - "name": "51f566b5-ee61-47ab-b47c-518a0fac5423", - "displayName": "Corelight → Security Workflows → SSH Inferences Overview", - "definition": { - "filters": [ - { - "id": "GlobalTimeFilter", - "dataSource": "GLOBAL", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "PAST", - "fieldValues": [ - "1", - "DAY" - ] - } - ], - "displayName": "Global Time Filter", - "chartIds": [ - "e1c6f231-079e-486f-8b00-24efe9eccefc", - "6b37186d-3900-4e71-b746-542fb04d1a6b", - "be466519-09d3-4c47-a381-2d9b5e001594", - "991865ba-69e6-4880-a7b2-c9e6da4647f6", - "a05c4b0c-08d2-4630-8d6f-137ab824246c", - "ca23f4f0-3396-4df6-ac5e-4f78a161ee07" - ], - "isStandardTimeRangeFilter": true, - "isStandardTimeRangeFilterEnabled": true - }, - { - "id": "c3d5fc33-4da7-4119-8da7-94b7f5e34661", - "dataSource": "UDM", - "fieldPath": "security_result.summary", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "SSH Inferences", - "chartIds": [ - "e1c6f231-079e-486f-8b00-24efe9eccefc", - "6b37186d-3900-4e71-b746-542fb04d1a6b", - "be466519-09d3-4c47-a381-2d9b5e001594", - "a05c4b0c-08d2-4630-8d6f-137ab824246c", - "991865ba-69e6-4880-a7b2-c9e6da4647f6", - "ca23f4f0-3396-4df6-ac5e-4f78a161ee07" - ] - } - ], - "charts": [ - { - "dashboardChart": "ca23f4f0-3396-4df6-ac5e-4f78a161ee07", - "chartLayout": { - "startX": 0, - "spanX": 48, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - }, - { - "dashboardChart": "be466519-09d3-4c47-a381-2d9b5e001594", - "chartLayout": { - "startX": 48, - "spanX": 48, - "startY": 0, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - }, - { - "dashboardChart": "991865ba-69e6-4880-a7b2-c9e6da4647f6", - "chartLayout": { - "startX": 0, - "spanX": 48, - "startY": 27, - "spanY": 21 - }, - "filtersIds": [ - 
"GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - }, - { - "dashboardChart": "6b37186d-3900-4e71-b746-542fb04d1a6b", - "chartLayout": { - "startX": 48, - "spanX": 48, - "startY": 27, - "spanY": 21 - }, - "filtersIds": [ - "GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - }, - { - "dashboardChart": "e1c6f231-079e-486f-8b00-24efe9eccefc", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 48, - "spanY": 27 - }, - "filtersIds": [ - "GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - }, - { - "dashboardChart": "a05c4b0c-08d2-4630-8d6f-137ab824246c", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 75, - "spanY": 28 - }, - "filtersIds": [ - "GlobalTimeFilter", - "c3d5fc33-4da7-4119-8da7-94b7f5e34661" - ] - } - ] - }, - "type": "CUSTOM", - "etag": "09452a2f9dc3f0407de808efb59860cd6260596a7331afb51da745d6d08d775b", - "access": "DASHBOARD_PRIVATE" - }, - "dashboardCharts": [ - { - "name": "991865ba-69e6-4880-a7b2-c9e6da4647f6", - "displayName": "HASSH Fingerprint Details", - "chartDatasource": { - "dashboardQuery": "e0563f4c-607b-4ddf-ba8f-64fa9d4a179f", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "principal_ip", - "header": "Source IP" - }, - { - "field": "hassh", - "header": "HASSH Client" - }, - { - "field": "target_ip", - "header": "Destination IP" - }, - { - "field": "hassh_server", - "header": "HASSH Server" - }, - { - "field": "count", - "header": "Total Events" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "1cd00c91cc1ee1217c305fe2e034ae640bd5dda540fa106ef8fccb848851e275" - }, - { - "name": "be466519-09d3-4c47-a381-2d9b5e001594", - "displayName": "SSH Inferences Over Time", - "chartDatasource": { - "dashboardQuery": "0d30ffc7-6197-42eb-b09e-ec411aaf1b2e", 
- "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesName": "Other Scanning", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#009886" - }, - "seriesUniqueValue": "Other Scanning", - "areaStyle": {} - }, - { - "seriesName": "Keystrokes", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#4aa207" - }, - "seriesUniqueValue": "Keystrokes", - "areaStyle": {} - }, - { - "seriesName": "Client Trusted Server", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "Client Trusted Server", - "areaStyle": {} - }, - { - "seriesName": "Client Untrusted Server", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#5350fb" - }, - "seriesUniqueValue": "Client Untrusted Server", - "areaStyle": {} - }, - { - "seriesName": "Public Key Authentication", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "Public Key Authentication", - "areaStyle": {} - }, - { - "seriesName": "Automated Interaction", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "Automated Interaction", - "areaStyle": {} - }, - { - "seriesName": "Small Client File Download", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "Small Client File Download", - "areaStyle": {} - }, - { - 
"seriesName": "Large Client File Download", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "Large Client File Download", - "areaStyle": {} - }, - { - "seriesName": "Interactive Password Authentication", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "Interactive Password Authentication", - "areaStyle": {} - }, - { - "seriesName": "Small Client File Upload", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#5350fb" - }, - "seriesUniqueValue": "Small Client File Upload", - "areaStyle": {} - }, - { - "seriesName": "SSH Agent Forwarding Requested", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "SSH Agent Forwarding Requested", - "areaStyle": {} - }, - { - "seriesName": "Version Scanning", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "Version Scanning", - "areaStyle": {} - }, - { - "seriesName": "Reverse SSH Keystrokes", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#009886" - }, - "seriesUniqueValue": "Reverse SSH Keystrokes", - "areaStyle": {} - }, - { - "seriesName": "Reverse SSH Logged In", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#ec453b" - }, - "seriesUniqueValue": "Reverse SSH Logged In", - "areaStyle": {} - }, - { - "seriesName": 
"Reverse SSH Provisioned", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#6f7585" - }, - "seriesUniqueValue": "Reverse SSH Provisioned", - "areaStyle": {} - }, - { - "seriesName": "Capabilities Scanning", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "Capabilities Scanning", - "areaStyle": {} - }, - { - "seriesName": "Reverse SSH Initiated", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#4aa207" - }, - "seriesUniqueValue": "Reverse SSH Initiated", - "areaStyle": {} - }, - { - "seriesName": "Client Authentication Bypass", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "Client Authentication Bypass", - "areaStyle": {} - }, - { - "seriesName": "Large Client File Upload", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "Large Client File Upload", - "areaStyle": {} - }, - { - "seriesName": "Authentication Scanning", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#009886" - }, - "seriesUniqueValue": "Authentication Scanning", - "areaStyle": {} - } - ], - "xAxes": [ - { - "axisType": "CATEGORY", - "displayName": "Time" - } - ], - "yAxes": [ - { - "axisType": "VALUE", - "displayName": "Count" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "seriesColumn": [ - "inferences" - ], - "groupingType": "Stacked" - }, - "tileType": 
"TILE_TYPE_VISUALIZATION", - "etag": "a22f74f73454f88c5df879e3d14cf1017c7ce7529f743fa3ecb1ac460ee50f46", - "drillDownConfig": {} - }, - { - "name": "6b37186d-3900-4e71-b746-542fb04d1a6b", - "displayName": "SSH Host Details", - "chartDatasource": { - "dashboardQuery": "5ba54869-c5c6-4596-a05a-aa00ba02859e", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "inferences", - "header": "Inferences" - }, - { - "field": "count", - "header": "Count" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "386cb938d160fed66eec11221e91f7312a129d2a856e0d985173b9748be3ac3e", - "drillDownConfig": {} - }, - { - "name": "e1c6f231-079e-486f-8b00-24efe9eccefc", - "displayName": "Inferences for Hosts with Host Key", - "chartDatasource": { - "dashboardQuery": "44a27bab-bbb8-4243-9d16-49405521e466", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "host_keys", - "header": "Host Key" - }, - { - "field": "inferences", - "header": "Inferences" - }, - { - "field": "count", - "header": "Count" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6be424fc93e7731179f0c92329090da8fc059832130dd84605018a40ec3a2b87", - "drillDownConfig": {} - }, - { - "name": "a05c4b0c-08d2-4630-8d6f-137ab824246c", - "displayName": "Log Data", - "description": "SSH Inference Log Data", - "chartDatasource": { - 
"dashboardQuery": "294ccf3c-a1a0-4d6f-ad75-18d3a3b58ddd", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "time", - "header": "Time" - }, - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "inferences", - "header": "Inferences" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e9614ce4dec9219e0316eb42b808c54c075b457c40c1a4539764ddf768796595", - "drillDownConfig": {} - }, - { - "name": "ca23f4f0-3396-4df6-ac5e-4f78a161ee07", - "displayName": "SSH Inferences", - "chartDatasource": { - "dashboardQuery": "f12849d9-0c48-451f-9517-5dbfee319e1b", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "inferences" - }, - "dataLabel": { - "show": true - }, - "radius": [ - "0%", - "70%" - ], - "itemStyle": { - "color": "b=>{const {map:c}=Cyf(this.theme);b=Jzf(b,bzf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" - }, - "itemColors": { - "colors": [ - { - "key": "Client Trusted Server", - "value": { - "color": "#1a73e8", - "label": "Client Trusted Server" - } - }, - { - "key": "Public Key Authentication", - "value": { - "color": "#eb730a", - "label": "Public Key Authentication" - } - }, - { - "key": "Automated Interaction", - "value": { - "color": "#10a3b7", - "label": "Automated Interaction" - } - }, - { - "key": "Large Client File Download", - "value": { - "color": "#ec453b", - "label": "Large Client File Download" - } - }, - { - "key": "Other Scanning", - "value": { - "color": "#e51f8f", - "label": "Other Scanning" - } - }, - { - "key": "Keystrokes", - "value": { - "color": "#923ef9", - "label": 
"Keystrokes" - } - }, - { - "key": "Capabilities Scanning", - "value": { - "color": "#6f7585", - "label": "Capabilities Scanning" - } - }, - { - "key": "Small Client File Download", - "value": { - "color": "#5350fb", - "label": "Small Client File Download" - } - }, - { - "key": "Client Authentication Bypass", - "value": { - "color": "#009886", - "label": "Client Authentication Bypass" - } - }, - { - "key": "Reverse SSH Initiated", - "value": { - "color": "#6f7585", - "label": "Reverse SSH Initiated" - } - } - ] - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8938d65c5557ba642bc62d5529890164d02c2fa7f2077870d7450c1f9b4c8381", - "drillDownConfig": {} - } - ], - "dashboardQueries": [ - { - "name": "5ba54869-c5c6-4596-a05a-aa00ba02859e", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary = \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File 
Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = \"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\nmatch:\r\n principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct(strings.concat($inference_name, \" : \", security_result.summary))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 5", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "bdefbe93847fcc47634c52e052c437a1740f1e6ef327c3681e8b665e960b5c8a" - }, - { - "name": "44a27bab-bbb8-4243-9d16-49405521e466", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", 
\"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary = \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = \"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\n$host_key=if(security_result.detection_fields.key = \"host_key\", security_result.detection_fields[\"host_key\"], 
network.tls.server.certificate.sha256)\r\n$host_key!=\"\"\r\nmatch:\r\n principal.ip, target.ip\r\noutcome:\r\n $host_keys=array_distinct($host_key)\r\n $inferences=array_distinct(strings.concat($inference_name, \" : \", security_result.summary))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "2e281a1c4fe4acb04597ce2d3689c23bc8dbe9ce716f04323a93381cf9325fb3" - }, - { - "name": "294ccf3c-a1a0-4d6f-ad75-18d3a3b58ddd", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary = \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated 
Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = \"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nmatch:\r\n $time, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct($inference_name)\r\norder:\r\n $time desc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "d5b3e91831b6cb909b143b24eafb2340abc14a0a62883773eaa24ca9b18bcffa" - }, - { - "name": "f12849d9-0c48-451f-9517-5dbfee319e1b", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inferences=security_result.summary\r\n$inferences!=\"\"\r\nmatch:\r\n $inferences\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 10", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "a84c8b720854234a952b12716e450a5e099f91d27fd95b5e58d8b0b8fde00d5d" - }, - { - "name": "e0563f4c-607b-4ddf-ba8f-64fa9d4a179f", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n\r\n$date=timestamp.get_date(metadata.event_timestamp.seconds)\r\n$hassh=if(principal.labels[\"hassh\"]!=\"\", principal.labels[\"hassh\"], \"Unknown\")\r\n$hassh_server=if(target.labels[\"hassh_server\"]!=\"\", target.labels[\"hassh_server\"], 
\"Unknown\")\r\n$principal_ip=if(principal.ip!=\"\", principal.ip, \"Unknown\")\r\n$target_ip=if(target.ip!=\"\", target.ip, \"Unknown\")\r\n\r\nmatch:\r\n $principal_ip, $hassh, $target_ip, $hassh_server\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 5", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "3f7b3e549eb377e36814d41ffd7d9d04a941d4c9deefc65125da3cf16bb5fd1a" - }, - { - "name": "0d30ffc7-6197-42eb-b09e-ec411aaf1b2e", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inferences=security_result.summary\r\n$inferences!=\"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $inferences\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc\r\n\r\n", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "5046c72f6b89d2002387b16f24a9250f66412804b83002896014ccb0c988fa47" - } - ] - } - ] +{ + "dashboards": [ + { + "dashboard": { + "name": "51f566b5-ee61-47ab-b47c-518a0fac5423", + "displayName": "Corelight → Security Workflows → SSH Inferences Overview", + "definition": { + "filters": [ + { + "id": "GlobalTimeFilter", + "dataSource": "GLOBAL", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "PAST", + "fieldValues": [ + "1", + "DAY" + ] + } + ], + "displayName": "Global Time Filter", + "chartIds": [ + "e1c6f231-079e-486f-8b00-24efe9eccefc", + "6b37186d-3900-4e71-b746-542fb04d1a6b", + "be466519-09d3-4c47-a381-2d9b5e001594", + "991865ba-69e6-4880-a7b2-c9e6da4647f6", + "a05c4b0c-08d2-4630-8d6f-137ab824246c", + "ca23f4f0-3396-4df6-ac5e-4f78a161ee07" + ], + "isStandardTimeRangeFilter": true, + "isStandardTimeRangeFilterEnabled": true + }, + { + "id": "c3d5fc33-4da7-4119-8da7-94b7f5e34661", + "dataSource": "UDM", + "fieldPath": "security_result.summary", + "filterOperatorAndFieldValues": [ + { + 
"filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "SSH Inferences", + "chartIds": [ + "e1c6f231-079e-486f-8b00-24efe9eccefc", + "6b37186d-3900-4e71-b746-542fb04d1a6b", + "be466519-09d3-4c47-a381-2d9b5e001594", + "a05c4b0c-08d2-4630-8d6f-137ab824246c", + "991865ba-69e6-4880-a7b2-c9e6da4647f6", + "ca23f4f0-3396-4df6-ac5e-4f78a161ee07" + ] + } + ], + "charts": [ + { + "dashboardChart": "ca23f4f0-3396-4df6-ac5e-4f78a161ee07", + "chartLayout": { + "startX": 0, + "spanX": 48, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + }, + { + "dashboardChart": "be466519-09d3-4c47-a381-2d9b5e001594", + "chartLayout": { + "startX": 48, + "spanX": 48, + "startY": 0, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + }, + { + "dashboardChart": "991865ba-69e6-4880-a7b2-c9e6da4647f6", + "chartLayout": { + "startX": 0, + "spanX": 48, + "startY": 27, + "spanY": 21 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + }, + { + "dashboardChart": "6b37186d-3900-4e71-b746-542fb04d1a6b", + "chartLayout": { + "startX": 48, + "spanX": 48, + "startY": 27, + "spanY": 21 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + }, + { + "dashboardChart": "e1c6f231-079e-486f-8b00-24efe9eccefc", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 48, + "spanY": 27 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + }, + { + "dashboardChart": "a05c4b0c-08d2-4630-8d6f-137ab824246c", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 75, + "spanY": 28 + }, + "filtersIds": [ + "GlobalTimeFilter", + "c3d5fc33-4da7-4119-8da7-94b7f5e34661" + ] + } + ] + }, + "type": "CUSTOM", + "etag": "09452a2f9dc3f0407de808efb59860cd6260596a7331afb51da745d6d08d775b", + "access": "DASHBOARD_PRIVATE" + }, + "dashboardCharts": [ + { + 
"name": "991865ba-69e6-4880-a7b2-c9e6da4647f6", + "displayName": "HASSH Fingerprint Details", + "chartDatasource": { + "dashboardQuery": "e0563f4c-607b-4ddf-ba8f-64fa9d4a179f", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "principal_ip", + "header": "Source IP" + }, + { + "field": "hassh", + "header": "HASSH Client" + }, + { + "field": "target_ip", + "header": "Destination IP" + }, + { + "field": "hassh_server", + "header": "HASSH Server" + }, + { + "field": "count", + "header": "Total Events" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "1cd00c91cc1ee1217c305fe2e034ae640bd5dda540fa106ef8fccb848851e275" + }, + { + "name": "be466519-09d3-4c47-a381-2d9b5e001594", + "displayName": "SSH Inferences Over Time", + "chartDatasource": { + "dashboardQuery": "0d30ffc7-6197-42eb-b09e-ec411aaf1b2e", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesName": "Other Scanning", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#009886" + }, + "seriesUniqueValue": "Other Scanning", + "areaStyle": {} + }, + { + "seriesName": "Keystrokes", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#4aa207" + }, + "seriesUniqueValue": "Keystrokes", + "areaStyle": {} + }, + { + "seriesName": "Client Trusted Server", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#d15f6b" + }, + "seriesUniqueValue": "Client Trusted Server", + "areaStyle": {} + }, + { + "seriesName": "Client Untrusted Server", + "stack": "stack", + "seriesType": "LINE", + 
"encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#5350fb" + }, + "seriesUniqueValue": "Client Untrusted Server", + "areaStyle": {} + }, + { + "seriesName": "Public Key Authentication", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "Public Key Authentication", + "areaStyle": {} + }, + { + "seriesName": "Automated Interaction", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "Automated Interaction", + "areaStyle": {} + }, + { + "seriesName": "Small Client File Download", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "Small Client File Download", + "areaStyle": {} + }, + { + "seriesName": "Large Client File Download", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "Large Client File Download", + "areaStyle": {} + }, + { + "seriesName": "Interactive Password Authentication", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#923ef9" + }, + "seriesUniqueValue": "Interactive Password Authentication", + "areaStyle": {} + }, + { + "seriesName": "Small Client File Upload", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#5350fb" + }, + "seriesUniqueValue": "Small Client File Upload", + "areaStyle": {} + }, + { + "seriesName": "SSH Agent Forwarding Requested", + "stack": "stack", + "seriesType": 
"LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#e51f8f" + }, + "seriesUniqueValue": "SSH Agent Forwarding Requested", + "areaStyle": {} + }, + { + "seriesName": "Version Scanning", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#923ef9" + }, + "seriesUniqueValue": "Version Scanning", + "areaStyle": {} + }, + { + "seriesName": "Reverse SSH Keystrokes", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#009886" + }, + "seriesUniqueValue": "Reverse SSH Keystrokes", + "areaStyle": {} + }, + { + "seriesName": "Reverse SSH Logged In", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#ec453b" + }, + "seriesUniqueValue": "Reverse SSH Logged In", + "areaStyle": {} + }, + { + "seriesName": "Reverse SSH Provisioned", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#6f7585" + }, + "seriesUniqueValue": "Reverse SSH Provisioned", + "areaStyle": {} + }, + { + "seriesName": "Capabilities Scanning", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "Capabilities Scanning", + "areaStyle": {} + }, + { + "seriesName": "Reverse SSH Initiated", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#4aa207" + }, + "seriesUniqueValue": "Reverse SSH Initiated", + "areaStyle": {} + }, + { + "seriesName": "Client Authentication Bypass", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": 
"count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "Client Authentication Bypass", + "areaStyle": {} + }, + { + "seriesName": "Large Client File Upload", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#d15f6b" + }, + "seriesUniqueValue": "Large Client File Upload", + "areaStyle": {} + }, + { + "seriesName": "Authentication Scanning", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#009886" + }, + "seriesUniqueValue": "Authentication Scanning", + "areaStyle": {} + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Count" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "inferences" + ], + "groupingType": "Stacked" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "a22f74f73454f88c5df879e3d14cf1017c7ce7529f743fa3ecb1ac460ee50f46", + "drillDownConfig": {} + }, + { + "name": "6b37186d-3900-4e71-b746-542fb04d1a6b", + "displayName": "SSH Host Details", + "chartDatasource": { + "dashboardQuery": "5ba54869-c5c6-4596-a05a-aa00ba02859e", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "inferences", + "header": "Inferences" + }, + { + "field": "count", + "header": "Count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "386cb938d160fed66eec11221e91f7312a129d2a856e0d985173b9748be3ac3e", + "drillDownConfig": {} + }, + { + "name": 
"e1c6f231-079e-486f-8b00-24efe9eccefc", + "displayName": "Inferences for Hosts with Host Key", + "chartDatasource": { + "dashboardQuery": "44a27bab-bbb8-4243-9d16-49405521e466", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "host_keys", + "header": "Host Key" + }, + { + "field": "inferences", + "header": "Inferences" + }, + { + "field": "count", + "header": "Count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "6be424fc93e7731179f0c92329090da8fc059832130dd84605018a40ec3a2b87", + "drillDownConfig": {} + }, + { + "name": "a05c4b0c-08d2-4630-8d6f-137ab824246c", + "displayName": "Log Data", + "description": "SSH Inference Log Data", + "chartDatasource": { + "dashboardQuery": "294ccf3c-a1a0-4d6f-ad75-18d3a3b58ddd", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "time", + "header": "Time" + }, + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "inferences", + "header": "Inferences" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "e9614ce4dec9219e0316eb42b808c54c075b457c40c1a4539764ddf768796595", + "drillDownConfig": {} + }, + { + "name": "ca23f4f0-3396-4df6-ac5e-4f78a161ee07", + "displayName": "SSH Inferences", + "chartDatasource": { + "dashboardQuery": "f12849d9-0c48-451f-9517-5dbfee319e1b", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + 
"encode": { + "value": "count", + "itemName": "inferences" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "0%", + "70%" + ], + "itemStyle": { + "color": "b=>{const {map:c}=Cyf(this.theme);b=Jzf(b,bzf(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;let d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "Client Trusted Server", + "value": { + "color": "#1a73e8", + "label": "Client Trusted Server" + } + }, + { + "key": "Public Key Authentication", + "value": { + "color": "#eb730a", + "label": "Public Key Authentication" + } + }, + { + "key": "Automated Interaction", + "value": { + "color": "#10a3b7", + "label": "Automated Interaction" + } + }, + { + "key": "Large Client File Download", + "value": { + "color": "#ec453b", + "label": "Large Client File Download" + } + }, + { + "key": "Other Scanning", + "value": { + "color": "#e51f8f", + "label": "Other Scanning" + } + }, + { + "key": "Keystrokes", + "value": { + "color": "#923ef9", + "label": "Keystrokes" + } + }, + { + "key": "Capabilities Scanning", + "value": { + "color": "#6f7585", + "label": "Capabilities Scanning" + } + }, + { + "key": "Small Client File Download", + "value": { + "color": "#5350fb", + "label": "Small Client File Download" + } + }, + { + "key": "Client Authentication Bypass", + "value": { + "color": "#009886", + "label": "Client Authentication Bypass" + } + }, + { + "key": "Reverse SSH Initiated", + "value": { + "color": "#6f7585", + "label": "Reverse SSH Initiated" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "8938d65c5557ba642bc62d5529890164d02c2fa7f2077870d7450c1f9b4c8381", + "drillDownConfig": {} + } + ], + "dashboardQueries": [ + { + "name": "5ba54869-c5c6-4596-a05a-aa00ba02859e", + "query": 
"metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary = \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = 
\"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\nmatch:\r\n principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct(strings.concat($inference_name, \" : \", security_result.summary))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 5", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "bdefbe93847fcc47634c52e052c437a1740f1e6ef327c3681e8b665e960b5c8a" + }, + { + "name": "44a27bab-bbb8-4243-9d16-49405521e466", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary = \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", 
\"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = \"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\n$host_key=if(security_result.detection_fields.key = \"host_key\", security_result.detection_fields[\"host_key\"], network.tls.server.certificate.sha256)\r\n$host_key!=\"\"\r\nmatch:\r\n principal.ip, target.ip\r\noutcome:\r\n $host_keys=array_distinct($host_key)\r\n $inferences=array_distinct(strings.concat($inference_name, \" : \", security_result.summary))\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "2e281a1c4fe4acb04597ce2d3689c23bc8dbe9ce716f04323a93381cf9325fb3" + }, + { + "name": "294ccf3c-a1a0-4d6f-ad75-18d3a3b58ddd", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\nsecurity_result.summary !=\"\"\r\n$inference_name=if(security_result.summary = \"Client Authentication Bypass\", \"ABP\",\r\nif(security_result.summary = \"SSH Agent Forwarding Requested\", \"AFR\",\r\nif(security_result.summary = \"Automated Password Authentication\", \"APWA\",\r\nif(security_result.summary = \"Automated Interaction\", \"AUTO\",\r\nif(security_result.summary 
= \"Server Banner\", \"BAN\",\r\nif(security_result.summary = \"Client Brute Force Guessing\", \"BF\",\r\nif(security_result.summary = \"Client Brute Force Success\", \"BFS\",\r\nif(security_result.summary = \"Client Trusted Server\", \"CTS\",\r\nif(security_result.summary = \"Client Untrusted Server\", \"CUS\",\r\nif(security_result.summary = \"Interactive Password Authentication\", \"IPWA\",\r\nif(security_result.summary = \"Keystrokes\", \"KS\",\r\nif(security_result.summary = \"Large Client File Download\", \"LFD\",\r\nif(security_result.summary = \"Large Client File Upload\", \"LFU\",\r\nif(security_result.summary = \"Multifactor Authentication\", \"MFA\",\r\nif(security_result.summary = \"None Authentication\", \"NA\",\r\nif(security_result.summary = \"No Remote Command\", \"NRC\",\r\nif(security_result.summary = \"Public Key Authentication\", \"PKA\",\r\nif(security_result.summary = \"Reverse SSH Initiated\", \"RSI\",\r\nif(security_result.summary = \"Reverse SSH Initiated Automate\", \"RSIA\",\r\nif(security_result.summary = \"Reverse SSH Keystrokes\", \"RSK\",\r\nif(security_result.summary = \"Reverse SSH Logged In\", \"RSL\",\r\nif(security_result.summary = \"Reverse SSH Provisioned\", \"RSP\",\r\nif(security_result.summary = \"Authentication Scanning\", \"SA\",\r\nif(security_result.summary = \"Capabilities Scanning\", \"SC\",\r\nif(security_result.summary = \"Small Client File Download\", \"SFD\",\r\nif(security_result.summary = \"Small Client File Upload\", \"SFU\",\r\nif(security_result.summary = \"Other Scanning\", \"SP\",\r\nif(security_result.summary = \"Version Scanning\", \"SV\",\r\nif(security_result.summary = \"Unknown Authentication\", \"UA\", \"Unknown\"\r\n)))))))))))))))))))))))))))))\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nmatch:\r\n $time, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct($inference_name)\r\norder:\r\n $time desc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + 
"startTimeVal": "1" + } + }, + "etag": "d5b3e91831b6cb909b143b24eafb2340abc14a0a62883773eaa24ca9b18bcffa" + }, + { + "name": "f12849d9-0c48-451f-9517-5dbfee319e1b", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inferences=security_result.summary\r\n$inferences!=\"\"\r\nmatch:\r\n $inferences\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "a84c8b720854234a952b12716e450a5e099f91d27fd95b5e58d8b0b8fde00d5d" + }, + { + "name": "e0563f4c-607b-4ddf-ba8f-64fa9d4a179f", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n\r\n$date=timestamp.get_date(metadata.event_timestamp.seconds)\r\n$hassh=if(principal.labels[\"hassh\"]!=\"\", principal.labels[\"hassh\"], \"Unknown\")\r\n$hassh_server=if(target.labels[\"hassh_server\"]!=\"\", target.labels[\"hassh_server\"], \"Unknown\")\r\n$principal_ip=if(principal.ip!=\"\", principal.ip, \"Unknown\")\r\n$target_ip=if(target.ip!=\"\", target.ip, \"Unknown\")\r\n\r\nmatch:\r\n $principal_ip, $hassh, $target_ip, $hassh_server\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 5", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "3f7b3e549eb377e36814d41ffd7d9d04a941d4c9deefc65125da3cf16bb5fd1a" + }, + { + "name": "0d30ffc7-6197-42eb-b09e-ec411aaf1b2e", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"ssh\"\r\n$inferences=security_result.summary\r\n$inferences!=\"\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $inferences\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc\r\n\r\n", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": 
"5046c72f6b89d2002387b16f24a9250f66412804b83002896014ccb0c988fa47" + } + ] + } + ] } \ No newline at end of file diff --git a/dashboards/Security Workflows/VPN Insights.json b/dashboards/Security Workflows/VPN Insights.json index 132ea7a..2d443f9 100644 --- a/dashboards/Security Workflows/VPN Insights.json +++ b/dashboards/Security Workflows/VPN Insights.json 
@@ -1,657 +1,657 @@ -{ - "dashboards": [ - { - "dashboard": { - "name": "84a62531-ebbd-4c3d-b81f-9d16e764fb75", - "displayName": "Corelight → Security Workflows → VPN Insights", - "definition": { - "filters": [ - { - "id": "GlobalTimeFilter", - "dataSource": "GLOBAL", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "PAST", - "fieldValues": [ - "1", - "DAY" - ] - } - ], - "displayName": "Global Time Filter", - "chartIds": [ - "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", - "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", - "96d4c412-8b64-48bb-8a9d-91bc04955834", - "62d8bec5-c2c9-41da-9024-c1a08716387f", - "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", - "5f5468aa-314c-4e19-baf7-adac4c1a3f96", - "3d6e2632-df27-4fe4-9a5a-f6da726e06e2" - ], - "isStandardTimeRangeFilter": true, - "isStandardTimeRangeFilterEnabled": true - }, - { - "id": "287c764f-5f47-48e0-8a46-6881be80634f", - "dataSource": "UDM", - "fieldPath": "observer.hostname", - "filterOperatorAndFieldValues": [ - { - "filterOperator": "EQUAL", - "fieldValues": [ - "" - ] - } - ], - "displayName": "Corelight Sensor", - "chartIds": [ - "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", - "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", - "96d4c412-8b64-48bb-8a9d-91bc04955834", - "62d8bec5-c2c9-41da-9024-c1a08716387f", - "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", - "5f5468aa-314c-4e19-baf7-adac4c1a3f96", - "3d6e2632-df27-4fe4-9a5a-f6da726e06e2" - ] - } - ], - "charts": [ - { - "dashboardChart": "3d6e2632-df27-4fe4-9a5a-f6da726e06e2", - "chartLayout": { - "startX": 0, - "spanX": 32, - "startY": 0, - "spanY": 25 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "62d8bec5-c2c9-41da-9024-c1a08716387f", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 25, - "spanY": 26 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", - "chartLayout": { - "startX": 32, - "spanX": 
32, - "startY": 0, - "spanY": 25 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "5f5468aa-314c-4e19-baf7-adac4c1a3f96", - "chartLayout": { - "startX": 64, - "spanX": 32, - "startY": 0, - "spanY": 25 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "96d4c412-8b64-48bb-8a9d-91bc04955834", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 103, - "spanY": 28 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 77, - "spanY": 26 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - }, - { - "dashboardChart": "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", - "chartLayout": { - "startX": 0, - "spanX": 96, - "startY": 51, - "spanY": 26 - }, - "filtersIds": [ - "GlobalTimeFilter", - "287c764f-5f47-48e0-8a46-6881be80634f" - ] - } - ] - }, - "type": "CUSTOM", - "etag": "1597fbd97e5185a2d26b0d3517abbfe25b52b1077121c0ef3cf21e652e128261", - "access": "DASHBOARD_PRIVATE" - }, - "dashboardCharts": [ - { - "name": "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", - "displayName": "VPN JA3 Finger Prints", - "chartDatasource": { - "dashboardQuery": "ac2a6c62-9e8e-4c1e-9efa-86e994c9e963", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "network.tls.client.ja3", - "header": "ja3" - }, - { - "field": "network.tls.server.ja3s", - "header": "ja3s" - }, - { - "field": "count", - "header": "Count" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "1e332558eee46607fcbd1604ec9e6ca97efa507d9646ca34cef27e94d4b82c25" - }, - { - 
"name": "62d8bec5-c2c9-41da-9024-c1a08716387f", - "displayName": "Inferences Over Time", - "chartDatasource": { - "dashboardQuery": "7dd0e755-e913-4f0b-bbc5-5b5e9ae0a5ef", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesName": "NSP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "NSP", - "areaStyle": {} - }, - { - "seriesName": "RSI", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "RSI", - "areaStyle": {} - }, - { - "seriesName": "COM", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "COM", - "areaStyle": {} - }, - { - "seriesName": "SK", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "SK", - "areaStyle": {} - }, - { - "seriesName": "RW", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "count" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "RW", - "areaStyle": {} - } - ], - "xAxes": [ - { - "axisType": "CATEGORY", - "displayName": "Time" - } - ], - "yAxes": [ - { - "axisType": "VALUE", - "displayName": "Count" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "seriesColumn": [ - "inference" - ], - "groupingType": "Stacked" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "fe94e3af5f5a2890108ffd2cd667efe7c0b272f5bc31481c6e96aab251aef649" - }, - { - "name": "5f5468aa-314c-4e19-baf7-adac4c1a3f96", - "displayName": "VPN Type", - "chartDatasource": { - "dashboardQuery": 
"ef390c10-e16c-4077-87a7-854be7f53c0b", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "vpn_type" - }, - "dataLabel": {}, - "radius": [ - "0%", - "70%" - ] - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "5199f3845f135ef789341ce441fc040081e501392458e8236daa3fef905398eb" - }, - { - "name": "96d4c412-8b64-48bb-8a9d-91bc04955834", - "displayName": "VPN Inference Log Data", - "chartDatasource": { - "dashboardQuery": "068479ea-fbaa-4209-b0fc-53d45e90dcc1", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "time", - "header": "Time" - }, - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "inferences", - "header": "Inferences" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "39d870dbf2acaf331f9293ae236090c66045943f0277b53510de9bfef81f5f29" - }, - { - "name": "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", - "displayName": "Top VPN Users", - "chartDatasource": { - "dashboardQuery": "08e6ce44-2800-445a-a8a6-f0b2191b9952", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "principal.ip" - }, - "dataLabel": {}, - "radius": [ - "0%", - "70%" - ], - "itemStyle": { - "color": "undefined" - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - 
"groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6fa86db235553bdf11f9892cbb26c017f83e210e1702d06284bcdfb3c71cd020" - }, - { - "name": "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", - "displayName": "Largest Transfers Between Host Pairs Over VPN", - "chartDatasource": { - "dashboardQuery": "24fcd942-dc70-4bce-8b55-733d74517a01", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - "legendOrient": "HORIZONTAL" - } - ], - "columnDefs": [ - { - "field": "principal.ip", - "header": "Source IP" - }, - { - "field": "target.ip", - "header": "Destination IP" - }, - { - "field": "target.port", - "header": "Destination Port" - }, - { - "field": "protocol_string", - "header": "Protocol" - }, - { - "field": "target.ip_geo_artifact.location.country_or_region", - "header": "Destination Country" - }, - { - "field": "target.application", - "header": "Service" - }, - { - "field": "resp_bytes_sum", - "header": "Sum of Destination Bytes" - }, - { - "field": "orig_bytes_sum", - "header": "Sum of Source Bytes" - }, - { - "field": "giga_bytes", - "header": "Gigabytes" - }, - { - "field": "count", - "header": "Number of Connections" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "9f13e3898d9b2c4c89386156d0e290915aeefb1d9f35f41b139b0db2b71d0b48" - }, - { - "name": "3d6e2632-df27-4fe4-9a5a-f6da726e06e2", - "displayName": "Inference Type", - "chartDatasource": { - "dashboardQuery": "ddc6b2f0-3ce3-47dd-9fae-60658d98abd1", - "dataSources": [ - "UDM" - ] - }, - "visualization": { - "series": [ - { - "seriesType": "PIE", - "encode": { - "value": "count", - "itemName": "about.labels.value" - }, - "dataLabel": {}, - "radius": [ - "0%", - "70%" - ], - "itemStyle": { - "color": "undefined" - } - } - ], - "xAxes": [ - { - "axisType": "VALUE" - } - ], - "yAxes": [ - { - "axisType": "VALUE" - } - ], - "legends": [ - { - 
"bottom": 12, - "legendOrient": "HORIZONTAL" - } - ], - "groupingType": "Off" - }, - "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "f61d4b658a10ab8edc0f999d68fd9b7a5c91358892aeaa0ca57e22e1c6f9e18e" - } - ], - "dashboardQueries": [ - { - "name": "24fcd942-dc70-4bce-8b55-733d74517a01", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\ntarget.application= /^spicy/\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\n$protocol_string=if(network.ip_protocol=88, \"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\nmatch:\r\n principal.ip, target.ip, target.port, $protocol_string, target.ip_geo_artifact.location.country_or_region, target.application\r\noutcome:\r\n $resp_bytes_sum=sum(network.received_bytes)\r\n $orig_bytes_sum=sum(network.sent_bytes)\r\n $giga_bytes=(sum(network.received_bytes) + sum(network.sent_bytes)) / (1024 * 1024 * 1024)\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $giga_bytes desc \r\nlimit:\r\n 20", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "2dac6449b908548859665382fd8a4ec9d3a01b0022689e6d1a31ec75e749d365" - }, - { - "name": "ddc6b2f0-3ce3-47dd-9fae-60658d98abd1", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value!=\"\"\r\nmatch:\r\n 
about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 50", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "593342f77bd404fbe1c15500989c847542f44799a675cbff689a822f681d8362" - }, - { - "name": "ac2a6c62-9e8e-4c1e-9efa-86e994c9e963", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nnetwork.tls.client.ja3!=\"\"\r\nnetwork.tls.server.ja3s!=\"\"\r\nmatch:\r\n network.tls.client.ja3, network.tls.server.ja3s\r\noutcome:\r\n $count=count_distinct(metadata.id)", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "d3536a47119ebed8ab2a8928fc24bedd63912605c736349c45c67b6be2cba63f" - }, - { - "name": "7dd0e755-e913-4f0b-bbc5-5b5e9ae0a5ef", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $date_hour, $inference\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "2d660fc896d34bf61414b15b993cbe643f38f0bf5bcd8153c9f79ac7becb0364" - }, - { - "name": "ef390c10-e16c-4077-87a7-854be7f53c0b", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $vpn_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - 
}, - "etag": "7a2fc494b5c966157bbcbef9e10bc248ee33dd7159b2da2bb6b63f7676f1db6e" - }, - { - "name": "068479ea-fbaa-4209-b0fc-53d45e90dcc1", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\nabout.labels.key=\"inference\"\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nabout.labels.value!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $time, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct(about.labels.value)\r\norder:\r\n $time asc", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "665d1102d608dada2551cdb46da5c39378c2fde08209a6788014f950a4906a9c" - }, - { - "name": "08e6ce44-2800-445a-a8a6-f0b2191b9952", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\n$combined_fields=strings.concat(principal.ip, about.labels[\"vpn_type\"], target.location.country_or_region)\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc\r\nlimit:\r\n 20", - "input": { - "relativeTime": { - "timeUnit": "DAY", - "startTimeVal": "1" - } - }, - "etag": "db9f119f12400787bb8d28dcd0750d6cfbc6c09494a320db3098ce09c3ced3d2" - } - ] - } - ] +{ + "dashboards": [ + { + "dashboard": { + "name": "84a62531-ebbd-4c3d-b81f-9d16e764fb75", + "displayName": "Corelight → Security Workflows → VPN Insights", + "definition": { + "filters": [ + { + "id": "GlobalTimeFilter", + "dataSource": "GLOBAL", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "PAST", + "fieldValues": [ + "1", + "DAY" + ] + } + ], + "displayName": "Global Time Filter", + "chartIds": [ + "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", + "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", + "96d4c412-8b64-48bb-8a9d-91bc04955834", + "62d8bec5-c2c9-41da-9024-c1a08716387f", + 
"81fbe454-2072-41d3-a1bb-43a8d3ebfa40", + "5f5468aa-314c-4e19-baf7-adac4c1a3f96", + "3d6e2632-df27-4fe4-9a5a-f6da726e06e2" + ], + "isStandardTimeRangeFilter": true, + "isStandardTimeRangeFilterEnabled": true + }, + { + "id": "287c764f-5f47-48e0-8a46-6881be80634f", + "dataSource": "UDM", + "fieldPath": "observer.hostname", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Corelight Sensor", + "chartIds": [ + "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", + "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", + "96d4c412-8b64-48bb-8a9d-91bc04955834", + "62d8bec5-c2c9-41da-9024-c1a08716387f", + "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", + "5f5468aa-314c-4e19-baf7-adac4c1a3f96", + "3d6e2632-df27-4fe4-9a5a-f6da726e06e2" + ] + } + ], + "charts": [ + { + "dashboardChart": "3d6e2632-df27-4fe4-9a5a-f6da726e06e2", + "chartLayout": { + "startX": 0, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + "dashboardChart": "62d8bec5-c2c9-41da-9024-c1a08716387f", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 25, + "spanY": 26 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + "dashboardChart": "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", + "chartLayout": { + "startX": 32, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + "dashboardChart": "5f5468aa-314c-4e19-baf7-adac4c1a3f96", + "chartLayout": { + "startX": 64, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + "dashboardChart": "96d4c412-8b64-48bb-8a9d-91bc04955834", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 103, + "spanY": 28 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + 
"dashboardChart": "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 77, + "spanY": 26 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + }, + { + "dashboardChart": "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 51, + "spanY": 26 + }, + "filtersIds": [ + "GlobalTimeFilter", + "287c764f-5f47-48e0-8a46-6881be80634f" + ] + } + ] + }, + "type": "CUSTOM", + "etag": "1597fbd97e5185a2d26b0d3517abbfe25b52b1077121c0ef3cf21e652e128261", + "access": "DASHBOARD_PRIVATE" + }, + "dashboardCharts": [ + { + "name": "1fe77fe6-4fc3-4dfb-b8ed-331ee4f79cf8", + "displayName": "VPN JA3 Finger Prints", + "chartDatasource": { + "dashboardQuery": "ac2a6c62-9e8e-4c1e-9efa-86e994c9e963", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "network.tls.client.ja3", + "header": "ja3" + }, + { + "field": "network.tls.server.ja3s", + "header": "ja3s" + }, + { + "field": "count", + "header": "Count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "1e332558eee46607fcbd1604ec9e6ca97efa507d9646ca34cef27e94d4b82c25" + }, + { + "name": "62d8bec5-c2c9-41da-9024-c1a08716387f", + "displayName": "Inferences Over Time", + "chartDatasource": { + "dashboardQuery": "7dd0e755-e913-4f0b-bbc5-5b5e9ae0a5ef", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesName": "NSP", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "NSP", + "areaStyle": {} + }, + { + "seriesName": "RSI", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + 
"dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "RSI", + "areaStyle": {} + }, + { + "seriesName": "COM", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "COM", + "areaStyle": {} + }, + { + "seriesName": "SK", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#d15f6b" + }, + "seriesUniqueValue": "SK", + "areaStyle": {} + }, + { + "seriesName": "RW", + "stack": "stack", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#e51f8f" + }, + "seriesUniqueValue": "RW", + "areaStyle": {} + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Count" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "inference" + ], + "groupingType": "Stacked" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "fe94e3af5f5a2890108ffd2cd667efe7c0b272f5bc31481c6e96aab251aef649" + }, + { + "name": "5f5468aa-314c-4e19-baf7-adac4c1a3f96", + "displayName": "VPN Type", + "chartDatasource": { + "dashboardQuery": "ef390c10-e16c-4077-87a7-854be7f53c0b", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "vpn_type" + }, + "dataLabel": {}, + "radius": [ + "0%", + "70%" + ] + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "5199f3845f135ef789341ce441fc040081e501392458e8236daa3fef905398eb" + }, + { + "name": 
"96d4c412-8b64-48bb-8a9d-91bc04955834", + "displayName": "VPN Inference Log Data", + "chartDatasource": { + "dashboardQuery": "068479ea-fbaa-4209-b0fc-53d45e90dcc1", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "time", + "header": "Time" + }, + { + "field": "principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "inferences", + "header": "Inferences" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "39d870dbf2acaf331f9293ae236090c66045943f0277b53510de9bfef81f5f29" + }, + { + "name": "81fbe454-2072-41d3-a1bb-43a8d3ebfa40", + "displayName": "Top VPN Users", + "chartDatasource": { + "dashboardQuery": "08e6ce44-2800-445a-a8a6-f0b2191b9952", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "principal.ip" + }, + "dataLabel": {}, + "radius": [ + "0%", + "70%" + ], + "itemStyle": { + "color": "undefined" + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "6fa86db235553bdf11f9892cbb26c017f83e210e1702d06284bcdfb3c71cd020" + }, + { + "name": "f2d5bc8e-0f38-4f8a-9b27-48c6b0dbc658", + "displayName": "Largest Transfers Between Host Pairs Over VPN", + "chartDatasource": { + "dashboardQuery": "24fcd942-dc70-4bce-8b55-733d74517a01", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": 
"principal.ip", + "header": "Source IP" + }, + { + "field": "target.ip", + "header": "Destination IP" + }, + { + "field": "target.port", + "header": "Destination Port" + }, + { + "field": "protocol_string", + "header": "Protocol" + }, + { + "field": "target.ip_geo_artifact.location.country_or_region", + "header": "Destination Country" + }, + { + "field": "target.application", + "header": "Service" + }, + { + "field": "resp_bytes_sum", + "header": "Sum of Destination Bytes" + }, + { + "field": "orig_bytes_sum", + "header": "Sum of Source Bytes" + }, + { + "field": "giga_bytes", + "header": "Gigabytes" + }, + { + "field": "count", + "header": "Number of Connections" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "9f13e3898d9b2c4c89386156d0e290915aeefb1d9f35f41b139b0db2b71d0b48" + }, + { + "name": "3d6e2632-df27-4fe4-9a5a-f6da726e06e2", + "displayName": "Inference Type", + "chartDatasource": { + "dashboardQuery": "ddc6b2f0-3ce3-47dd-9fae-60658d98abd1", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "about.labels.value" + }, + "dataLabel": {}, + "radius": [ + "0%", + "70%" + ], + "itemStyle": { + "color": "undefined" + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "bottom": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "f61d4b658a10ab8edc0f999d68fd9b7a5c91358892aeaa0ca57e22e1c6f9e18e" + } + ], + "dashboardQueries": [ + { + "name": "24fcd942-dc70-4bce-8b55-733d74517a01", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\ntarget.application= /^spicy/\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\n$protocol_string=if(network.ip_protocol=88, 
\"EIGRP\",\r\nif(network.ip_protocol=50, \"ESP\",\r\nif(network.ip_protocol=97, \"ETHERIP\",\r\nif(network.ip_protocol=47, \"GRE\",\r\nif(network.ip_protocol=1, \"ICMP\",\r\nif(network.ip_protocol=58, \"ICMP6\",\r\nif(network.ip_protocol=2, \"IGMP\",\r\nif(network.ip_protocol=41, \"IP6IN4\",\r\nif(network.ip_protocol=103, \"PIM\",\r\nif(network.ip_protocol=132, \"SCTP\",\r\nif(network.ip_protocol=6, \"TCP\",\r\nif(network.ip_protocol=17, \"UDP\",\r\nif(network.ip_protocol=0, \"UNKNOWN_IP_PROTOCOL\",\r\nif(network.ip_protocol=112, \"VRRP\", \"UNKNOWN_IP_PROTOCOL\"))))))))))))))\r\nmatch:\r\n principal.ip, target.ip, target.port, $protocol_string, target.ip_geo_artifact.location.country_or_region, target.application\r\noutcome:\r\n $resp_bytes_sum=sum(network.received_bytes)\r\n $orig_bytes_sum=sum(network.sent_bytes)\r\n $giga_bytes=(sum(network.received_bytes) + sum(network.sent_bytes)) / (1024 * 1024 * 1024)\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $giga_bytes desc \r\nlimit:\r\n 20", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "2dac6449b908548859665382fd8a4ec9d3a01b0022689e6d1a31ec75e749d365" + }, + { + "name": "ddc6b2f0-3ce3-47dd-9fae-60658d98abd1", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\nabout.labels.key=\"inference\"\r\nabout.labels.value!=\"\"\r\nmatch:\r\n about.labels.value\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc \r\nlimit:\r\n 50", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "593342f77bd404fbe1c15500989c847542f44799a675cbff689a822f681d8362" + }, + { + "name": "ac2a6c62-9e8e-4c1e-9efa-86e994c9e963", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nnetwork.tls.client.ja3!=\"\"\r\nnetwork.tls.server.ja3s!=\"\"\r\nmatch:\r\n network.tls.client.ja3, network.tls.server.ja3s\r\noutcome:\r\n $count=count_distinct(metadata.id)", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "d3536a47119ebed8ab2a8928fc24bedd63912605c736349c45c67b6be2cba63f" + }, + { + "name": "7dd0e755-e913-4f0b-bbc5-5b5e9ae0a5ef", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $date_hour, $inference\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $date_hour asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "2d660fc896d34bf61414b15b993cbe643f38f0bf5bcd8153c9f79ac7becb0364" + }, + { + "name": "ef390c10-e16c-4077-87a7-854be7f53c0b", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $vpn_type\r\noutcome:\r\n $count=count_distinct(metadata.id)\r\norder:\r\n $count desc\r\nlimit:\r\n 50", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "7a2fc494b5c966157bbcbef9e10bc248ee33dd7159b2da2bb6b63f7676f1db6e" + }, + { + "name": "068479ea-fbaa-4209-b0fc-53d45e90dcc1", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"vpn\"\r\nabout.labels.key=\"inference\"\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$time=timestamp.get_timestamp(metadata.event_timestamp.seconds)\r\nabout.labels.value!=\"\"\r\n$vpn_type!=\"\"\r\nmatch:\r\n $time, principal.ip, target.ip\r\noutcome:\r\n $inferences=array_distinct(about.labels.value)\r\norder:\r\n $time asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "665d1102d608dada2551cdb46da5c39378c2fde08209a6788014f950a4906a9c" + }, + { + "name": "08e6ce44-2800-445a-a8a6-f0b2191b9952", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"vpn\"\r\n$inference=about.labels[\"inference\"]\r\n$vpn_type=about.labels[\"vpn_type\"]\r\n$inference!=\"\"\r\n$vpn_type!=\"\"\r\n$combined_fields=strings.concat(principal.ip, about.labels[\"vpn_type\"], target.location.country_or_region)\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $count=count_distinct($combined_fields)\r\norder:\r\n $count desc\r\nlimit:\r\n 20", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "db9f119f12400787bb8d28dcd0750d6cfbc6c09494a320db3098ce09c3ced3d2" + } + ] + } + ] } \ No newline at end of file diff --git a/dashboards/Sensor Overview/Rates.json b/dashboards/Sensor Overview/Rates.json index ae66ae3..c257216 100644 --- a/dashboards/Sensor Overview/Rates.json +++ b/dashboards/Sensor Overview/Rates.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "05c96840-ffbb-49c4-a382-02759271b8f4", + "name": "6aa6a3d2-7fe8-4551-b214-b22940b04793", "displayName": "Corelight → Sensor Overview → Rates", "definition": { "filters": [ 
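Review bot: Two pie charts on the new side ("Top VPN Users" and "Inference Type") carry `"itemStyle": { "color": "undefined" }`, which is the literal string "undefined" rather than a colour or an omitted key, so the consumer either ignores it or renders an invalid colour; drop the `itemStyle` block or give it a real hex value as the sibling charts do. The hunk appears to rewrite the whole file with identical content (likely a line-ending change), so these are pre-existing, but the new side is what is under review. In the "Largest Transfers Between Host Pairs Over VPN" query, `$giga_bytes=(sum(network.received_bytes) + sum(network.sent_bytes)) / (1024 * 1024 * 1024)` will, if the division is integer, collapse every sub-GiB host pair to 0 and turn `order: $giga_bytes desc` into a tie for most rows; ordering on the raw byte sum and converting to GB only for display would keep the ranking meaningful. The "Top VPN Users" query also folds `target.location.country_or_region` into `$combined_fields` while the other queries in the same file use `target.ip_geo_artifact.location.country_or_region`; if the former is unpopulated the distinct count silently degrades to ip plus vpn_type, so the two should agree.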
@@ -20,13 +20,13 @@
  ],
  "displayName": "Global Time Filter",
  "chartIds": [
- "6a000861-484d-41d3-a64e-78481e1c2bdb",
- "4eeeea31-3021-4151-9788-96f5e3076670",
- "706dde23-0dae-424a-aaff-94a34168c954",
- "fde7ba24-4a0a-4a48-8c69-cef8954b5953",
- "3057432d-faa9-434c-a482-060b0cd6ae8e",
- "867c5fdf-da3c-409d-9c28-9c9767144022",
- "d189cb88-ca86-4b08-aca2-88f696f9edda"
+ "0d1f47bb-ae29-4485-b4b9-255acd9bf88a",
+ "db09d752-7b13-419a-812b-59283a7e68fa",
+ "8f34259e-4041-469c-ab14-5c4df9234ecf",
+ "6fb81d0c-a3dc-4765-8c96-796d20e29992",
+ "f1d6a426-b707-459a-98d0-8f55616f1e3d",
+ "47cc07be-0e03-4f5b-95e2-f5bfda9753ac",
+ "40f57305-daff-4de1-8f87-7eec0928f257"
  ],
  "isStandardTimeRangeFilter": true,
  "isStandardTimeRangeFilterEnabled": true
@@ -45,19 +45,19 @@
  ],
  "displayName": "Corelight Sensor",
  "chartIds": [
- "6a000861-484d-41d3-a64e-78481e1c2bdb",
- "4eeeea31-3021-4151-9788-96f5e3076670",
- "706dde23-0dae-424a-aaff-94a34168c954",
- "3057432d-faa9-434c-a482-060b0cd6ae8e",
- "fde7ba24-4a0a-4a48-8c69-cef8954b5953",
- "867c5fdf-da3c-409d-9c28-9c9767144022",
- "d189cb88-ca86-4b08-aca2-88f696f9edda"
+ "0d1f47bb-ae29-4485-b4b9-255acd9bf88a",
+ "db09d752-7b13-419a-812b-59283a7e68fa",
+ "8f34259e-4041-469c-ab14-5c4df9234ecf",
+ "f1d6a426-b707-459a-98d0-8f55616f1e3d",
+ "6fb81d0c-a3dc-4765-8c96-796d20e29992",
+ "47cc07be-0e03-4f5b-95e2-f5bfda9753ac",
+ "40f57305-daff-4de1-8f87-7eec0928f257"
  ]
  }
  ],
  "charts": [
  {
- "dashboardChart": "d189cb88-ca86-4b08-aca2-88f696f9edda",
+ "dashboardChart": "40f57305-daff-4de1-8f87-7eec0928f257",
  "chartLayout": {
  "startX": 0,
  "spanX": 96,
@@ -70,7 +70,7 @@
  ]
  },
  {
- "dashboardChart": "6a000861-484d-41d3-a64e-78481e1c2bdb",
+ "dashboardChart": "0d1f47bb-ae29-4485-b4b9-255acd9bf88a",
  "chartLayout": {
  "startX": 0,
  "spanX": 47,
@@ -83,7 +83,7 @@
  ]
  },
  {
- "dashboardChart": "867c5fdf-da3c-409d-9c28-9c9767144022",
+ "dashboardChart": "47cc07be-0e03-4f5b-95e2-f5bfda9753ac",
  "chartLayout": {
  "startX": 0,
  "spanX": 47,
@@ -96,7 +96,7 @@
  ]
  },
  {
- "dashboardChart": "706dde23-0dae-424a-aaff-94a34168c954",
+ "dashboardChart": "8f34259e-4041-469c-ab14-5c4df9234ecf",
  "chartLayout": {
  "startX": 47,
  "spanX": 49,
@@ -109,7 +109,7 @@
  ]
  },
  {
- "dashboardChart": "fde7ba24-4a0a-4a48-8c69-cef8954b5953",
+ "dashboardChart": "6fb81d0c-a3dc-4765-8c96-796d20e29992",
  "chartLayout": {
  "startX": 0,
  "spanX": 47,
@@ -122,7 +122,7 @@
  ]
  },
  {
- "dashboardChart": "4eeeea31-3021-4151-9788-96f5e3076670",
+ "dashboardChart": "db09d752-7b13-419a-812b-59283a7e68fa",
  "chartLayout": {
  "startX": 47,
  "spanX": 49,
@@ -135,7 +135,7 @@
  ]
  },
  {
- "dashboardChart": "3057432d-faa9-434c-a482-060b0cd6ae8e",
+ "dashboardChart": "f1d6a426-b707-459a-98d0-8f55616f1e3d",
  "chartLayout": {
  "startX": 47,
  "spanX": 49,
@@ -150,34 +150,21 @@
  ]
  },
  "type": "CUSTOM",
- "etag": "8317e89345fc9832824c7cab8e8a89bf7fbcf6f76bc2ed3e1983e825a2f2f6db",
+ "etag": "f8a5819cff988abff078d20db1102279f1ba36f01f579c12b602c4ac665928cf",
  "access": "DASHBOARD_PRIVATE"
  },
  "dashboardCharts": [
  {
- "name": "706dde23-0dae-424a-aaff-94a34168c954",
+ "name": "8f34259e-4041-469c-ab14-5c4df9234ecf",
  "displayName": "Traffic Volume - Management Interface - Packets",
  "chartDatasource": {
- "dashboardQuery": "35a5ef85-aa0c-4c34-89df-b64542e85fc4",
+ "dashboardQuery": "5af85e84-50c9-456e-9f8a-64286cf742b6",
  "dataSources": [
  "UDM"
  ]
  },
  "visualization": {
  "series": [
- {
- "seriesName": "Outbound Traffic Packet Rate",
- "seriesType": "LINE",
- "encode": {
- "x": "date_hour",
- "y": "avg_rate"
- },
- "dataLabel": {},
- "itemStyle": {
- "color": "#1a73e8"
- },
- "seriesUniqueValue": "Outbound Traffic Packet Rate"
- },
  {
  "seriesName": "Inbound Traffic Packet Rate",
  "seriesType": "LINE",
@@ -187,7 +174,7 @@
  },
  "dataLabel": {},
  "itemStyle": {
- "color": "#eb730a"
+ "color": "#1a73e8"
  },
  "seriesUniqueValue": "Inbound Traffic Packet Rate"
  }
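Review bot: The hard-coded `Outbound Traffic Packet Rate` series is removed from the Traffic Volume - Management Interface - Packets chart, yet the query it is bound to (`5af85e84…`, rewritten later in this diff) still emits both the inbound and outbound `rate_name` values, so whether the outbound line is still drawn now depends entirely on `groupingType: "Grouped"` over `rate_name` (switched on in `@@ -206,42`) deriving series from the data. If it does, the one remaining hard-coded entry is redundant and its colour `#1a73e8` may be ignored; if it does not, half of the metric is no longer visible. The same removal-without-query-change pattern recurs for `Outbound Traffic Rate` (`@@ -206,42`), `Monitor Traffic Drop Rate` (`@@ -305,19`), the S3/SFTP file-queue series (`@@ -344,32`, `@@ -379,22`), the Syslog/Investigator export-queue series (`@@ -421,32`, `@@ -456,22`) and the Log Rates chart, which keeps six of the 32 `$logs` values its query maps (`@@ -540,79` through `@@ -968,55`). The monitor-interface drop rate is the one to verify in the rendered dashboard, since packet drops are the signal that the sensor is not inspecting all traffic. Strict JSON cannot carry a comment, so the rationale for relying on grouping belongs in the commit message.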
@@ -206,42 +193,30 @@
  ],
  "legends": [
  {
- "bottom": 12,
+ "top": 12,
  "legendOrient": "HORIZONTAL"
  }
  ],
  "seriesColumn": [
  "rate_name"
  ],
- "groupingType": "Off"
+ "groupingType": "Grouped"
  },
  "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "ca02a47f41dbf08a18652191f2350fd1549c2b3a4a73e79435caede5ab3439f5"
+ "etag": "6f5076d3e45fd29a6e036fc2853f233998c20773193407a9575f104d74f2d39d",
+ "drillDownConfig": {}
  },
  {
- "name": "867c5fdf-da3c-409d-9c28-9c9767144022",
+ "name": "47cc07be-0e03-4f5b-95e2-f5bfda9753ac",
  "displayName": "Traffic Volume - Management Interface",
  "chartDatasource": {
- "dashboardQuery": "1ff793e2-3cc6-43b3-b9a2-25cde3906556",
+ "dashboardQuery": "23ec5a50-0bc9-4977-91f8-d87fa71af946",
  "dataSources": [
  "UDM"
  ]
  },
  "visualization": {
  "series": [
- {
- "seriesName": "Outbound Traffic Rate",
- "seriesType": "LINE",
- "encode": {
- "x": "date_hour",
- "y": "avg_rate"
- },
- "dataLabel": {},
- "itemStyle": {
- "color": "#1a73e8"
- },
- "seriesUniqueValue": "Outbound Traffic Rate"
- },
  {
  "seriesName": "Inbound Traffic Rate",
  "seriesType": "LINE",
@@ -251,7 +226,7 @@
  },
  "dataLabel": {},
  "itemStyle": {
- "color": "#eb730a"
+ "color": "#1a73e8"
  },
  "seriesUniqueValue": "Inbound Traffic Rate"
  }
@@ -280,13 +255,14 @@
  "groupingType": "Grouped"
  },
  "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "3d3da0ee82813f12ed7163b68086586dd67ac601aa9638aef8abe94ad4d16a5e"
+ "etag": "e98949177e1b9aceb70b75dedb00d045f64062f7508e548b115dfac8ccc0fb13",
+ "drillDownConfig": {}
  },
  {
- "name": "3057432d-faa9-434c-a482-060b0cd6ae8e",
+ "name": "f1d6a426-b707-459a-98d0-8f55616f1e3d",
  "displayName": "Combined Traffic Volume - Monitor Interfaces - Packets",
  "chartDatasource": {
- "dashboardQuery": "ac54c3a8-de83-4482-817a-98ea2757496a",
+ "dashboardQuery": "4c94d20c-78b1-4eda-bdea-d0bd9f4e3006",
  "dataSources": [
  "UDM"
  ]
@@ -305,19 +281,6 @@ "color": "#1a73e8" }, "seriesUniqueValue": "Monitor Traffic Packet Rate" - }, - { - "seriesName": "Monitor Traffic Drop Rate", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "rate" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "Monitor Traffic Drop Rate" } ], "xAxes": [ @@ -344,32 +307,20 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "149e8882ef3a3aa404d34677b24df396af044f99ad63941e0937b05dbdbf35d5" + "etag": "f3214eea432aad5e084edaecf63bd64ec4593cb09146a2f3ce2278483ec50e8a", + "drillDownConfig": {} }, { - "name": "fde7ba24-4a0a-4a48-8c69-cef8954b5953", + "name": "6fb81d0c-a3dc-4765-8c96-796d20e29992", "displayName": "File Extraction", "chartDatasource": { - "dashboardQuery": "9eae7924-1fa1-4d40-8b6d-d58641ddfaae", + "dashboardQuery": "1a4e2737-fd64-48d7-b667-67d6c5495147", "dataSources": [ "UDM" ] }, "visualization": { "series": [ - { - "seriesName": "Queued Files for Amazon S3", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "files_avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "Queued Files for Amazon S3" - }, { "seriesName": "Extracted Files", "seriesType": "LINE", @@ -379,22 +330,9 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#eb730a" + "color": "#1a73e8" }, "seriesUniqueValue": "Extracted Files" - }, - { - "seriesName": "Queued Files for SFTP", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "files_avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "Queued Files for SFTP" } ], "xAxes": [ @@ -411,7 +349,7 @@ ], "legends": [ { - "bottom": 12, + "top": 12, "legendOrient": "HORIZONTAL" } ], 
@@ -421,32 +359,20 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "16be11c1db39bf797e89e6cd8ba17951f5d5eaf1273f0685e3f2f754f5671ee5" + "etag": "803d8dafaa05b8399a621a3966f82bf2d854a1964d2faf573a1d74a4759f4b68", + "drillDownConfig": {} }, { - "name": "4eeeea31-3021-4151-9788-96f5e3076670", + "name": "db09d752-7b13-419a-812b-59283a7e68fa", "displayName": "Log Entries Export Queue", "chartDatasource": { - "dashboardQuery": "2b1ae163-1a05-499c-a29a-eb3dcd0da212", + "dashboardQuery": "3ebe5413-0485-4b73-b4b3-263b10f925da", "dataSources": [ "UDM" ] }, "visualization": { "series": [ - { - "seriesName": "Syslog", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "logs_avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "Syslog" - }, { "seriesName": "Splunk", "seriesType": "LINE", @@ -456,22 +382,9 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#eb730a" + "color": "#1a73e8" }, "seriesUniqueValue": "Splunk" - }, - { - "seriesName": "Investigator", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "logs_avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "Investigator" } ], "xAxes": [ @@ -488,7 +401,7 @@ ], "legends": [ { - "bottom": 12, + "top": 12, "legendOrient": "HORIZONTAL" } ], @@ -498,13 +411,14 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "02f2fca1fb8451c1689582fe14fef9ef9654ecc8938b58f4b308efb809de257a" + "etag": "aea01957f4b0fb09976a8d2a84ce58f1d45fd9a17dc287d14c95f9f86e76ee37", + "drillDownConfig": {} }, { - "name": "6a000861-484d-41d3-a64e-78481e1c2bdb", + "name": "0d1f47bb-ae29-4485-b4b9-255acd9bf88a", "displayName": "Combined Traffic Volume - Monitor Interfaces", "chartDatasource": { - "dashboardQuery": "8b14de28-ee1e-434d-88c6-f6e24473b4a7", + "dashboardQuery": "0a105356-be79-4b36-86c7-ccb90ebcf966", "dataSources": [ "UDM" ] 
@@ -540,79 +454,19 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "6367f83a096772cf688514d7c4efac5266cc8b7763a1799f210e83d1a894d86f" + "etag": "69eb0f5378c1989c19dc061183536d4143d0106eeb14522a9b02ddb9627156a8" }, { - "name": "d189cb88-ca86-4b08-aca2-88f696f9edda", + "name": "40f57305-daff-4de1-8f87-7eec0928f257", "displayName": "Log Rates", "chartDatasource": { - "dashboardQuery": "9185ab07-1c2c-41cb-b1b2-76f02b2f3856", + "dashboardQuery": "5924832c-2a5b-43bb-bd84-256bc498e737", "dataSources": [ "UDM" ] }, "visualization": { "series": [ - { - "seriesName": "DNP3", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "DNP3", - "areaStyle": {} - }, - { - "seriesName": "Software", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "Software", - "areaStyle": {} - }, - { - "seriesName": "Weird", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "Weird", - "areaStyle": {} - }, - { - "seriesName": "PE", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "PE", - "areaStyle": {} - }, { "seriesName": "Conn", "stack": "stack", 
@@ -622,160 +476,10 @@ "y": "avg" }, "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "Conn", - "areaStyle": {} - }, - { - "seriesName": "SMB_Mapping", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "SMB_Mapping", - "areaStyle": {} - }, - { - "seriesName": "Kerberos", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#4aa207" - }, - "seriesUniqueValue": "Kerberos", - "areaStyle": {} - }, - { - "seriesName": "SSL", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#5350fb" - }, - "seriesUniqueValue": "SSL", - "areaStyle": {} - }, - { - "seriesName": "Tunnel", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#009886" - }, - "seriesUniqueValue": "Tunnel", - "areaStyle": {} - }, - { - "seriesName": "SMTP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, "itemStyle": { "color": "#1a73e8" }, - "seriesUniqueValue": "SMTP", - "areaStyle": {} - }, - { - "seriesName": "SIP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "SIP", - "areaStyle": {} - }, - { - "seriesName": "SSH", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "SSH", - "areaStyle": {} - }, - { - "seriesName": "RDP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - 
"itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "RDP", - "areaStyle": {} - }, - { - "seriesName": "IRC", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "IRC", - "areaStyle": {} - }, - { - "seriesName": "SOCKS", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "SOCKS", + "seriesUniqueValue": "Conn", "areaStyle": {} }, { @@ -787,74 +491,14 @@ "y": "avg" }, "dataLabel": {}, - "itemStyle": { - "color": "#4aa207" - }, - "seriesUniqueValue": "DCE_RPC", - "areaStyle": {} - }, - { - "seriesName": "Traceroute", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#5350fb" - }, - "seriesUniqueValue": "Traceroute", - "areaStyle": {} - }, - { - "seriesName": "SNMP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#009886" - }, - "seriesUniqueValue": "SNMP", - "areaStyle": {} - }, - { - "seriesName": "FTP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#1a73e8" - }, - "seriesUniqueValue": "FTP", - "areaStyle": {} - }, - { - "seriesName": "SMB_Files", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, "itemStyle": { "color": "#eb730a" }, - "seriesUniqueValue": "SMB_Files", + "seriesUniqueValue": "DCE_RPC", "areaStyle": {} }, { - "seriesName": "Syslog", + "seriesName": "DNP3", "stack": "stack", "seriesType": "LINE", "encode": { 
@@ -865,52 +509,7 @@ "itemStyle": { "color": "#10a3b7" }, - "seriesUniqueValue": "Syslog", - "areaStyle": {} - }, - { - "seriesName": "NTLM", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "NTLM", - "areaStyle": {} - }, - { - "seriesName": "HTTP", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#e51f8f" - }, - "seriesUniqueValue": "HTTP", - "areaStyle": {} - }, - { - "seriesName": "RFB", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#923ef9" - }, - "seriesUniqueValue": "RFB", + "seriesUniqueValue": "DNP3", "areaStyle": {} }, { @@ -923,28 +522,13 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#4aa207" + "color": "#ec453b" }, "seriesUniqueValue": "DNS", "areaStyle": {} }, { - "seriesName": "Radius", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#5350fb" - }, - "seriesUniqueValue": "Radius", - "areaStyle": {} - }, - { - "seriesName": "Modbus", + "seriesName": "Kerberos", "stack": "stack", "seriesType": "LINE", "encode": { @@ -953,9 +537,9 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#009886" + "color": "#e51f8f" }, - "seriesUniqueValue": "Modbus", + "seriesUniqueValue": "Kerberos", "areaStyle": {} }, { 
@@ -968,55 +552,10 @@ }, "dataLabel": {}, "itemStyle": { - "color": "#1a73e8" + "color": "#923ef9" }, "seriesUniqueValue": "DPD", "areaStyle": {} - }, - { - "seriesName": "X509", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#eb730a" - }, - "seriesUniqueValue": "X509", - "areaStyle": {} - }, - { - "seriesName": "MYSQL", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#10a3b7" - }, - "seriesUniqueValue": "MYSQL", - "areaStyle": {} - }, - { - "seriesName": "Files", - "stack": "stack", - "seriesType": "LINE", - "encode": { - "x": "date_hour", - "y": "avg" - }, - "dataLabel": {}, - "itemStyle": { - "color": "#d15f6b" - }, - "seriesUniqueValue": "Files", - "areaStyle": {} } ], "xAxes": [ 
@@ -1043,78 +582,79 @@ "groupingType": "Stacked" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "8d5e441780f026431e9dfb0736857c4a001e6d4d3d4d65a3c88a515df695129f" + "etag": "8a6714346615d7cd573bd090d79cb90dbaa69da573c9fe0edfd976f756a54c76", + "drillDownConfig": {} } ], "dashboardQueries": [ { - "name": "9185ab07-1c2c-41cb-b1b2-76f02b2f3856", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$logs=if(about.labels.key=\"logs_conn_entries_per_second\", \"Conn\", \r\n if(about.labels.key=\"logs_dce_rpc_entries_per_second\",\"DCE_RPC\",\r\n if(about.labels.key=\"logs_DHCP_entries_per_second\",\"DHCP\",\r\n if(about.labels.key=\"logs_dnp3_entries_per_second\",\"DNP3\",\r\n if(about.labels.key=\"logs_dns_entries_per_second\",\"DNS\",\r\n if(about.labels.key=\"logs_dpd_entries_per_second\",\"DPD\",\r\n if(about.labels.key=\"logs_files_entries_per_second\",\"Files\",\r\n if(about.labels.key=\"logs_ftp_entries_per_second\",\"FTP\",\r\n if(about.labels.key=\"logs_http_entries_per_second\",\"HTTP\",\r\n if(about.labels.key=\"logs_irc_entries_per_second\",\"IRC\",\r\n if(about.labels.key=\"logs_kerberos_entries_per_second\",\"Kerberos\",\r\n if(about.labels.key=\"logs_modbus_entries_per_second\",\"Modbus\",\r\n if(about.labels.key=\"logs_mysql_entries_per_second\",\"MYSQL\",\r\n if(about.labels.key=\"logs_ntlm_entries_per_second\",\"NTLM\",\r\n if(about.labels.key=\"logs_pe_entries_per_second\",\"PE\",\r\n if(about.labels.key=\"logs_radius_entries_per_second\",\"Radius\",\r\n if(about.labels.key=\"logs_rdp_entries_per_second\",\"RDP\",\r\n if(about.labels.key=\"logs_rfb_entries_per_second\",\"RFB\",\r\n if(about.labels.key=\"logs_sip_entries_per_second\",\"SIP\",\r\n if(about.labels.key=\"logs_smb_files_entries_per_second\",\"SMB_Files\",\r\n if(about.labels.key=\"logs_smb_mapping_entries_per_second\",\"SMB_Mapping\",\r\n 
if(about.labels.key=\"logs_smtp_entries_per_second\",\"SMTP\",\r\n if(about.labels.key=\"logs_snmp_entries_per_second\",\"SNMP\",\r\n if(about.labels.key=\"logs_socks_entries_per_second\",\"SOCKS\",\r\n if(about.labels.key=\"logs_software_entries_per_second\",\"Software\",\r\n if(about.labels.key=\"logs_ssh_entries_per_second\",\"SSH\",\r\n if(about.labels.key=\"logs_ssl_entries_per_second\",\"SSL\",\r\n if(about.labels.key=\"logs_syslog_entries_per_second\",\"Syslog\",\r\n if(about.labels.key=\"logs_traceroute_entries_per_second\",\"Traceroute\",\r\n if(about.labels.key=\"logs_tunnel_entries_per_second\",\"Tunnel\",\r\n if(about.labels.key=\"logs_weird_entries_per_second\",\"Weird\",\r\n if(about.labels.key=\"logs_x509_entries_per_second\",\"X509\", \"Unknown\"\r\n ))))))))))))))))))))))))))))))))\r\n$logs != \"Unknown\"\r\nmatch:\r\n $date_hour, $logs\r\noutcome:\r\n $avg=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder: \r\n $date_hour asc", + "name": "5924832c-2a5b-43bb-bd84-256bc498e737", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"logs_conn_entries_per_second\" OR about.labels.key=\"logs_dce_rpc_entries_per_second\" OR about.labels.key=\"logs_DHCP_entries_per_second\" OR about.labels.key=\"logs_dnp3_entries_per_second\" OR about.labels.key=\"logs_dns_entries_per_second\" OR about.labels.key=\"logs_dpd_entries_per_second\" OR about.labels.key=\"logs_files_entries_per_second\" OR about.labels.key=\"logs_ftp_entries_per_second\" OR about.labels.key=\"logs_http_entries_per_second\" OR about.labels.key=\"logs_irc_entries_per_second\" OR about.labels.key=\"logs_kerberos_entries_per_second\" OR about.labels.key=\"logs_modbus_entries_per_second\" OR about.labels.key=\"logs_mysql_entries_per_second\" OR about.labels.key=\"logs_ntlm_entries_per_second\" OR 
about.labels.key=\"logs_pe_entries_per_second\" OR about.labels.key=\"logs_radius_entries_per_second\" OR about.labels.key=\"logs_rdp_entries_per_second\" OR about.labels.key=\"logs_rfb_entries_per_second\" OR about.labels.key=\"logs_sip_entries_per_second\" OR about.labels.key=\"logs_smb_files_entries_per_second\" OR about.labels.key=\"logs_smb_mapping_entries_per_second\" OR about.labels.key=\"logs_smtp_entries_per_second\" OR about.labels.key=\"logs_snmp_entries_per_second\" OR about.labels.key=\"logs_socks_entries_per_second\" OR about.labels.key=\"logs_software_entries_per_second\" OR about.labels.key=\"logs_ssh_entries_per_second\" OR about.labels.key=\"logs_ssl_entries_per_second\" OR about.labels.key=\"logs_syslog_entries_per_second\" OR about.labels.key=\"logs_traceroute_entries_per_second\" OR about.labels.key=\"logs_tunnel_entries_per_second\" OR about.labels.key=\"logs_weird_entries_per_second\" OR about.labels.key=\"logs_x509_entries_per_second\")\r\n$logs=if(about.labels.key=\"logs_conn_entries_per_second\", \"Conn\", \r\n if(about.labels.key=\"logs_dce_rpc_entries_per_second\",\"DCE_RPC\",\r\n if(about.labels.key=\"logs_DHCP_entries_per_second\",\"DHCP\",\r\n if(about.labels.key=\"logs_dnp3_entries_per_second\",\"DNP3\",\r\n if(about.labels.key=\"logs_dns_entries_per_second\",\"DNS\",\r\n if(about.labels.key=\"logs_dpd_entries_per_second\",\"DPD\",\r\n if(about.labels.key=\"logs_files_entries_per_second\",\"Files\",\r\n if(about.labels.key=\"logs_ftp_entries_per_second\",\"FTP\",\r\n if(about.labels.key=\"logs_http_entries_per_second\",\"HTTP\",\r\n if(about.labels.key=\"logs_irc_entries_per_second\",\"IRC\",\r\n if(about.labels.key=\"logs_kerberos_entries_per_second\",\"Kerberos\",\r\n if(about.labels.key=\"logs_modbus_entries_per_second\",\"Modbus\",\r\n if(about.labels.key=\"logs_mysql_entries_per_second\",\"MYSQL\",\r\n if(about.labels.key=\"logs_ntlm_entries_per_second\",\"NTLM\",\r\n 
if(about.labels.key=\"logs_pe_entries_per_second\",\"PE\",\r\n if(about.labels.key=\"logs_radius_entries_per_second\",\"Radius\",\r\n if(about.labels.key=\"logs_rdp_entries_per_second\",\"RDP\",\r\n if(about.labels.key=\"logs_rfb_entries_per_second\",\"RFB\",\r\n if(about.labels.key=\"logs_sip_entries_per_second\",\"SIP\",\r\n if(about.labels.key=\"logs_smb_files_entries_per_second\",\"SMB_Files\",\r\n if(about.labels.key=\"logs_smb_mapping_entries_per_second\",\"SMB_Mapping\",\r\n if(about.labels.key=\"logs_smtp_entries_per_second\",\"SMTP\",\r\n if(about.labels.key=\"logs_snmp_entries_per_second\",\"SNMP\",\r\n if(about.labels.key=\"logs_socks_entries_per_second\",\"SOCKS\",\r\n if(about.labels.key=\"logs_software_entries_per_second\",\"Software\",\r\n if(about.labels.key=\"logs_ssh_entries_per_second\",\"SSH\",\r\n if(about.labels.key=\"logs_ssl_entries_per_second\",\"SSL\",\r\n if(about.labels.key=\"logs_syslog_entries_per_second\",\"Syslog\",\r\n if(about.labels.key=\"logs_traceroute_entries_per_second\",\"Traceroute\",\r\n if(about.labels.key=\"logs_tunnel_entries_per_second\",\"Tunnel\",\r\n if(about.labels.key=\"logs_weird_entries_per_second\",\"Weird\",\r\n if(about.labels.key=\"logs_x509_entries_per_second\",\"X509\", \"Unknown\"\r\n ))))))))))))))))))))))))))))))))\r\nmatch:\r\n $date_hour, $logs\r\noutcome:\r\n $avg=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder: \r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "d39bf5b8fc65ca0bb27b3e0ed56ab6a0efdf697d713ff8f0af481b0708ffba05" + "etag": "db53f8612b2fba968ab79a8576489bbc7af81cd4acce08a195c9cc98008eea83" }, { - "name": "35a5ef85-aa0c-4c34-89df-b64542e85fc4", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$rate_name=if(about.labels.key=\"mgmt_in_packets_kpps\", \"Inbound 
Traffic Packet Rate\", \r\n if(about.labels.key=\"mgmt_out_packets_kpps\", \"Outbound Traffic Packet Rate\", \"Unknown\"))\r\n$rate_name!=\"Unknown\"\r\nmatch:\r\n $date_hour, $rate_name\r\noutcome:\r\n $avg_rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc ", + "name": "5af85e84-50c9-456e-9f8a-64286cf742b6", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"mgmt_in_packets_kpps\" OR about.labels.key=\"mgmt_out_packets_kpps\")\r\n$rate_name=if(about.labels.key=\"mgmt_in_packets_kpps\", \"Inbound Traffic Packet Rate\", \r\n if(about.labels.key=\"mgmt_out_packets_kpps\", \"Outbound Traffic Packet Rate\", \"Unknown\"))\r\nmatch:\r\n $date_hour, $rate_name\r\noutcome:\r\n $avg_rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc ", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "2d495dfdf4428e5e8ddca50854499766266c9d311b997c55ce2e27da2573cf2b" + "etag": "1bfeba0aaf3ac16b64fdab9848cfe6a0618416b3589042992f5bc9a542f787bd" }, { - "name": "1ff793e2-3cc6-43b3-b9a2-25cde3906556", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$rate_name=if(about.labels.key=\"mgmt_in_bytes_mbps\", \"Inbound Traffic Rate\", \r\n if(about.labels.key=\"mgmt_out_bytes_mbps\", \"Outbound Traffic Rate\", \"Unknown\"))\r\n$rate_name!=\"Unknown\"\r\nmatch:\r\n $date_hour, $rate_name\r\noutcome:\r\n $avg_rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", + "name": "23ec5a50-0bc9-4977-91f8-d87fa71af946", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"mgmt_in_bytes_mbps\" OR about.labels.key=\"mgmt_out_bytes_mbps\")\r\n$rate_name=if(about.labels.key=\"mgmt_in_bytes_mbps\", \"Inbound Traffic Rate\", \r\n if(about.labels.key=\"mgmt_out_bytes_mbps\", \"Outbound Traffic Rate\", \"Unknown\"))\r\nmatch:\r\n $date_hour, $rate_name\r\noutcome:\r\n $avg_rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "e554253076b405376528034800b0c24ed89c7bc00dc7f1d8290f3ba4f5aa3948" + "etag": "35e89399dc4ab825f3f69e60d9af9481ad9ae6539faecd27524d12977db72d79" }, { - "name": "ac54c3a8-de83-4482-817a-98ea2757496a", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$kpps=if(about.labels.key=\"monitor_total_kpps\", \"Monitor Traffic Packet Rate\", \r\n if(about.labels.key=\"monitor_total_drops_kpps\", \"Monitor Traffic Drop Rate\", \"Unknown\"))\r\n$kpps!=\"Unknown\"\r\nmatch:\r\n $date_hour, $kpps\r\noutcome:\r\n $rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", + "name": "4c94d20c-78b1-4eda-bdea-d0bd9f4e3006", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"monitor_total_kpps\" OR about.labels.key=\"monitor_total_drops_kpps\")\r\n$kpps=if(about.labels.key=\"monitor_total_kpps\", \"Monitor Traffic Packet Rate\", \r\n if(about.labels.key=\"monitor_total_drops_kpps\", \"Monitor Traffic Drop Rate\", \"Unknown\"))\r\nmatch:\r\n $date_hour, $kpps\r\noutcome:\r\n 
$rate=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "b92436c216338eab50a0b78f1931406f63f713706a45271b604c1534150b8a5a" + "etag": "85bc5c1e0671ab0b2033091d42a4be99e5f4c7d04f34bb68dbfc37b0b4cfbbc9" }, { - "name": "9eae7924-1fa1-4d40-8b6d-d58641ddfaae", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$files=if(about.labels.key=\"files_total\", \"Extracted Files\", \r\n if(about.labels.key=\"files_queued_sftp\", \"Queued Files for SFTP\", \r\n if(about.labels.key=\"files_queued_s3\", \"Queued Files for Amazon S3\", \"Unknown\")))\r\n$files!=\"Unknown\"\r\nmatch:\r\n $date_hour, $files\r\noutcome:\r\n $files_avg=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", + "name": "1a4e2737-fd64-48d7-b667-67d6c5495147", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"files_total\" OR about.labels.key=\"files_queued_sftp\" OR about.labels.key=\"files_queued_s3\")\r\n$files=if(about.labels.key=\"files_total\", \"Extracted Files\", \r\n if(about.labels.key=\"files_queued_sftp\", \"Queued Files for SFTP\", \r\n if(about.labels.key=\"files_queued_s3\", \"Queued Files for Amazon S3\", \"Unknown\")))\r\nmatch:\r\n $date_hour, $files\r\noutcome:\r\n $files_avg=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "8e14216a64df3a4e965b02d22a5cd5e9de1ae77f936481bdcebb960ac90a9c74" + "etag": "3db237243ffb7d42b8718908ea5e6150d6638c3816a41bda5ab38a8b8ec7a688" }, { - "name": 
"2b1ae163-1a05-499c-a29a-eb3dcd0da212", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$logs=if(about.labels.key=\"logs_splunk_export_lag\", \"Splunk\", \r\n if(about.labels.key=\"logs_syslog_export_lag\", \"Syslog\", \r\n if(about.labels.key=\"logs_json_export_lag\", \"JSON\",\r\n if(about.labels.key=\"logs_kafka_export_lag\", \"Kafka\",\r\n if(about.labels.key=\"logs_investigator_export_lag\", \"Investigator\",\r\n if(about.labels.key=\"logs_kinesis_export_lag\", \"Kinesis\",\r\n if(about.labels.key=\"logs_hec_export_lag\", \"HEC\",\r\n if(about.labels.key=\"logs_elasticsearch_export_lag\", \"Elastic Search\",\r\n \"Unknown\"))))))))\r\n$logs!=\"Unknown\"\r\nmatch:\r\n $date_hour, $logs\r\noutcome:\r\n $logs_avg=math.round(avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc\r\n", + "name": "3ebe5413-0485-4b73-b4b3-263b10f925da", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n(about.labels.key=\"logs_splunk_export_lag\" OR about.labels.key=\"logs_syslog_export_lag\" OR about.labels.key=\"logs_json_export_lag\" OR about.labels.key=\"logs_kafka_export_lag\" OR about.labels.key=\"logs_investigator_export_lag\" OR about.labels.key=\"logs_kinesis_export_lag\" OR about.labels.key=\"logs_hec_export_lag\" OR about.labels.key=\"logs_elasticsearch_export_lag\")\r\n$logs=if(about.labels.key=\"logs_splunk_export_lag\", \"Splunk\", \r\n if(about.labels.key=\"logs_syslog_export_lag\", \"Syslog\", \r\n if(about.labels.key=\"logs_json_export_lag\", \"JSON\",\r\n if(about.labels.key=\"logs_kafka_export_lag\", \"Kafka\",\r\n if(about.labels.key=\"logs_investigator_export_lag\", \"Investigator\",\r\n if(about.labels.key=\"logs_kinesis_export_lag\", 
\"Kinesis\",\r\n if(about.labels.key=\"logs_hec_export_lag\", \"HEC\",\r\n if(about.labels.key=\"logs_elasticsearch_export_lag\", \"Elastic Search\",\r\n \"Unknown\"))))))))\r\nmatch:\r\n $date_hour, $logs\r\noutcome:\r\n $logs_avg=math.round(avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "ae2f4f4f61e47f25d0bb65c11ca7255e7b92dfb83f323fd9200b267efe431e58" + "etag": "92dbae2ba46ba87bca0f75d7ac7f99031ce1256171080ef4d7b2edc9a33a40a9" }, { - "name": "8b14de28-ee1e-434d-88c6-f6e24473b4a7", + "name": "0a105356-be79-4b36-86c7-ccb90ebcf966", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"corelight_metrics_iface\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $monitor_traffic_rate=math.round(window.avg(cast.as_float(about.labels[\"monitor_total_mbps\"])), 3)\r\norder:\r\n $date_hour asc\r\n", "input": { "relativeTime": { @@ -1122,7 +662,7 @@ "startTimeVal": "1" } }, - "etag": "8155168e1b4dfdc21669139f2fc20de38688d0b1ed6af52f9945f43bec089a9f" + "etag": "dbed81aaef744f8cc8ace411b7f45ef5736f6e63aaba007b493f7ba7689bcf34" } ] } diff --git a/dashboards/Sensor Overview/System.json b/dashboards/Sensor Overview/System.json index 8458350..2be9ae6 100644 --- a/dashboards/Sensor Overview/System.json +++ b/dashboards/Sensor Overview/System.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "aa842855-77e3-41c3-89f1-33a296879371", + "name": "94d5ba97-18f9-4e8a-87f9-42fdf7770824", "displayName": "Corelight → Sensor Overview → System", "definition": { "filters": [ 
@@ -20,10 +20,10 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "2f648bd2-763d-4237-aea3-aa1a3ab083aa", - "dfba9696-6c08-411b-adfd-1b5d4bccb033", - "73c9c120-4d8a-4e5a-9e88-270252930d40", - "b287eacd-dd3b-4d12-ba8e-4cc6d3c93e98" + "5aae700e-707a-4058-9dbf-20ab9e0ddc4d", + "bef422fa-c37b-4058-8d28-67111dcfb2b1", + "21994019-243c-4bb8-a313-907e2857faf8", + "764d3844-1817-470e-9692-1da981deeac0" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true @@ -42,16 +42,16 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "2f648bd2-763d-4237-aea3-aa1a3ab083aa", - "dfba9696-6c08-411b-adfd-1b5d4bccb033", - "73c9c120-4d8a-4e5a-9e88-270252930d40", - "b287eacd-dd3b-4d12-ba8e-4cc6d3c93e98" + "5aae700e-707a-4058-9dbf-20ab9e0ddc4d", + "bef422fa-c37b-4058-8d28-67111dcfb2b1", + "21994019-243c-4bb8-a313-907e2857faf8", + "764d3844-1817-470e-9692-1da981deeac0" ] } ], "charts": [ { - "dashboardChart": "dfba9696-6c08-411b-adfd-1b5d4bccb033", + "dashboardChart": "bef422fa-c37b-4058-8d28-67111dcfb2b1", "chartLayout": { "startX": 0, "spanX": 48, @@ -64,7 +64,7 @@ ] }, { - "dashboardChart": "b287eacd-dd3b-4d12-ba8e-4cc6d3c93e98", + "dashboardChart": "764d3844-1817-470e-9692-1da981deeac0", "chartLayout": { "startX": 48, "spanX": 48, @@ -77,7 +77,7 @@ ] }, { - "dashboardChart": "73c9c120-4d8a-4e5a-9e88-270252930d40", + "dashboardChart": "21994019-243c-4bb8-a313-907e2857faf8", "chartLayout": { "startX": 0, "spanX": 48, @@ -90,7 +90,7 @@ ] }, { - "dashboardChart": "2f648bd2-763d-4237-aea3-aa1a3ab083aa", + "dashboardChart": "5aae700e-707a-4058-9dbf-20ab9e0ddc4d", "chartLayout": { "startX": 48, "spanX": 48, 
@@ -105,15 +105,15 @@ ] }, "type": "CUSTOM", - "etag": "28e113939d631db0987b3764e133719f45554a744a3cd011057a9c15eb140a15", + "etag": "bbf854cd373e79dc621c2dd47195feebd5c848b904749f6dc86b26fe65662265", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "2f648bd2-763d-4237-aea3-aa1a3ab083aa", + "name": "5aae700e-707a-4058-9dbf-20ab9e0ddc4d", "displayName": "Disk Usage", "chartDatasource": { - "dashboardQuery": "0a294f59-141c-4261-b856-2238a3c74eed", + "dashboardQuery": "a699c160-e3fc-42e3-b169-a2ca7c5425d8", "dataSources": [ "UDM" ] @@ -171,13 +171,14 @@ "groupingType": "Grouped" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "23bda24739e36f8dcaaaa662bb707c43ee5e0bd045df97ba3df67015a556994b" + "etag": "38e56797ba5547b57b9854c2aacfeecf84a5e9c5cd6ea3edf1ec4fff7d3be19c", + "drillDownConfig": {} }, { - "name": "73c9c120-4d8a-4e5a-9e88-270252930d40", + "name": "21994019-243c-4bb8-a313-907e2857faf8", "displayName": "System Temperature", "chartDatasource": { - "dashboardQuery": "02f04c3c-2bc3-444a-95f4-79ade4f45d90", + "dashboardQuery": "b5d3769b-b0cb-4e27-ad81-4898602fb3da", "dataSources": [ "UDM" ] @@ -218,13 +219,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ac59be0b73e3fad9be2f76395b70384df31594b69e04076ecc70e916c86afa9b" + "etag": "8a533b8a671662755b8a57aa219a4d999db70b9640ffc0ac20accb2eac6da3ad" }, { - "name": "dfba9696-6c08-411b-adfd-1b5d4bccb033", + "name": "bef422fa-c37b-4058-8d28-67111dcfb2b1", "displayName": "Memory Usage", "chartDatasource": { - "dashboardQuery": "6a015c3f-25ac-4296-bab9-26699eb30903", + "dashboardQuery": "7dfa807f-6c1f-47a4-a8cb-2632d2609c56", "dataSources": [ "UDM" ] 
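Review bot: Only the Disk Usage chart gains `"drillDownConfig": {}` in the `@@ -171,13 +171,14 @@` hunk; the System Temperature, Memory Usage and Bro CPU Usage chart entries in the `-218`, `-265` and `-312` hunks receive only new name, query and etag values and no such key. If the dashboard importer treats an absent `drillDownConfig` the same as an empty object this is harmless, but it looks like an export-tool artifact rather than an intended change; either add `"drillDownConfig": {}` to all four charts or drop it here so the chart objects keep one shape. The chart object that this hunk edits continues past the hunk boundary.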
@@ -265,13 +266,13 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "e62132d6c9927701c4914863f6f6b48e7de44d268ea72e31699ddbad52f370e7" + "etag": "c91b8a312413cdf9a5b2869bf83b7ef6665b1d4ae8e4951ea316ab27e13d621a" }, { - "name": "b287eacd-dd3b-4d12-ba8e-4cc6d3c93e98", + "name": "764d3844-1817-470e-9692-1da981deeac0", "displayName": "Bro CPU Usage", "chartDatasource": { - "dashboardQuery": "693e61bb-5e2c-4026-a9f0-81a0e89e40a4", + "dashboardQuery": "988a1810-f632-4885-ac97-5a39d1916f80", "dataSources": [ "UDM" ] @@ -312,12 +313,12 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "c9b013a11b9f88f649ea770b7d7092bab0f135e4e6eb5be5f36cf69c0aa39e96" + "etag": "28ba050f2892f8801fc25e87da30a7822cc23edc34548eee0146aa6e043c69fc" } ], "dashboardQueries": [ { - "name": "693e61bb-5e2c-4026-a9f0-81a0e89e40a4", + "name": "988a1810-f632-4885-ac97-5a39d1916f80", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"corelight_metrics_bro\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $avg_bro_cpu_usage=math.round(window.avg(cast.as_float(about.labels[\"cpu\"])), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { 
@@ -325,21 +326,21 @@ "startTimeVal": "1" } }, - "etag": "bd171b403f04f1815ad372f8d75d883dc5675c04378754c12f594a2d94e38532" + "etag": "46f49608c31a408a2f6aeb1c1261408b29cb9665597e2972df90c5cc53cba0e9" }, { - "name": "0a294f59-141c-4261-b856-2238a3c74eed", - "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"corelight_metrics_disk\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$disk_usage=if(about.labels.key=\"usage_data\", \"Disk Usage Data Avg\", \r\n if(about.labels.key=\"usage_os\", \"Disk Usage OS Avg\", \r\n \"Unknown\"))\r\n$disk_usage!=\"Unknown\"\r\nmatch:\r\n $date_hour, $disk_usage\r\noutcome:\r\n $avg_disk_usage=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", + "name": "a699c160-e3fc-42e3-b169-a2ca7c5425d8", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"corelight_metrics_disk\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$disk_usage=if(about.labels.key=\"usage_data\", \"Disk Usage Data Avg\", \r\n if(about.labels.key=\"usage_os\", \"Disk Usage OS Avg\", \r\n \"Unknown\"))\r\nabout.labels.key=\"usage_data\" OR about.labels.key=\"usage_os\"\r\nmatch:\r\n $date_hour, $disk_usage\r\noutcome:\r\n $avg_disk_usage=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { "timeUnit": "DAY", "startTimeVal": "1" } }, - "etag": "2cedb86ce9e7afb08e0da96c448ed15e0397348e6818a038a1f702b13cd27e99" + "etag": "dba1dda789b0a70dbe03737cc014ce13c1f853632f0826cc7843b9a0da780699" }, { - "name": "02f04c3c-2bc3-444a-95f4-79ade4f45d90", + "name": "b5d3769b-b0cb-4e27-ad81-4898602fb3da", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"corelight_metrics_system\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : 
%H\")\r\nabout.labels.key=\"cpu_1_temperature\"\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $avg_bro_cpu_usage=math.round(window.avg(cast.as_float(about.labels.value)), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { @@ -347,10 +348,10 @@ "startTimeVal": "1" } }, - "etag": "03d556c8b97fa29bfcc2ed31451a29b1655445492e5538404f7a4474085b78e8" + "etag": "dbaf87210e92e8bc62774358138b8cbe6db2007421e9878a4c04dd7f3d2c7263" }, { - "name": "6a015c3f-25ac-4296-bab9-26699eb30903", + "name": "7dfa807f-6c1f-47a4-a8cb-2632d2609c56", "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type=\"corelight_metrics_memory\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour\r\noutcome:\r\n $avg_tcp_retransmission=math.round(window.avg(cast.as_float(about.labels[\"usage\"])), 3)\r\norder:\r\n $date_hour asc", "input": { "relativeTime": { @@ -358,7 +359,7 @@ "startTimeVal": "1" } }, - "etag": "0de8775d92a42e05e83ba28cd16d25a2cec3668f283d2b0842a265323a3257ec" + "etag": "8daac67a98ff92aa578a487bd6b10a61120e41d6baf1e101aaeabaa5e44f9ede" } ] }
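Review bot: The key filter added to the Disk Usage query in the `@@ -325,21 +326,21 @@` hunk, `about.labels.key=\"usage_data\" OR about.labels.key=\"usage_os\"`, is not parenthesized, while the equivalent filter this commit adds to the AWS VPC Flow query wraps its OR chain in parentheses; writing it as `(about.labels.key=\"usage_data\" OR about.labels.key=\"usage_os\")` keeps the two dashboards consistent and avoids depending on how the query language combines an unparenthesized OR with the implicitly AND-ed lines around it. With this filter in place the `\"Unknown\"` branch of the `$disk_usage` mapping can no longer be reached; keeping it is harmless, but the old `$disk_usage!=\"Unknown\"` line was the only thing that made it meaningful. As a follow-up, the unchanged System Temperature and Memory Usage queries in the same hunk store their results in outcomes named `$avg_bro_cpu_usage` and `$avg_tcp_retransmission`, which no longer describe what those queries measure.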