Skip to content

Instantly share code, notes, and snippets.

@evoxco

evoxco/BroIDS-Kibana-Dashboard

Last active January 18, 2019 14:03
Show Gist options
  • Save evoxco/ce8d89538d9a69d79cb2 to your computer and use it in GitHub Desktop.
Save evoxco/ce8d89538d9a69d79cb2 to your computer and use it in GitHub Desktop.
Download ZIP
Bro ids Kibana Dashboard [Part 1]
Raw
BroIDS-Kibana-Dashboard
{
"title": "Broids",
"services": {
"query": {
"list": {
"0": {
"id": 0,
"color": "#7EB26D",
"alias": "All Connections",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"conn\""
},
"1": {
"id": 1,
"color": "#EAB839",
"alias": "HTTP",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"http\""
},
"2": {
"id": 2,
"color": "#6ED0E0",
"alias": "Software",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"software\""
},
"3": {
"id": 3,
"color": "#EF843C",
"alias": "Nprobe",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_index:\"nprobe*\""
},
"4": {
"id": 4,
"color": "#E24D42",
"alias": "Apps",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"app_stats\""
},
"5": {
"id": 5,
"color": "#1F78C1",
"alias": "Intel",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"intel\""
},
"6": {
"id": 6,
"color": "#BA43A9",
"alias": "S0 connections",
"pin": true,
"type": "lucene",
"enable": true,
"query": "proto:\"tcp\" AND conn_state:\"S0\""
},
"7": {
"id": 7,
"color": "#052B51",
"alias": "SSL",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"ssl\""
},
"8": {
"id": 8,
"color": "#82B5D8",
"alias": "Conn",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"conn\""
},
"9": {
"id": 9,
"color": "#BF1B00",
"alias": "Files",
"pin": true,
"type": "lucene",
"enable": true,
"query": "_type:\"files\""
},
"10": {
"id": 10,
"color": "#447EBC",
"alias": "File Connections",
"pin": true,
"type": "lucene",
"enable": false,
"query": "uid:\"CagDkn3al5MODvVZX\" OR conn_uids:\"CagDkn3al5MODvVZX\" OR appldnld.apple.com"
}
},
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9,
10
]
},
"filter": {
"list": {
"0": {
"type": "time",
"field": "ts",
"from": "now-12h",
"to": "now",
"mandate": "must",
"active": true,
"alias": "",
"id": 0
},
"1": {
"type": "field",
"field": "id.resp_h",
"query": "\"37.99.196.24\"",
"mandate": "must",
"active": false,
"alias": "",
"id": 1
},
"2": {
"type": "field",
"field": "conn_state",
"query": "\"S0\"",
"mandate": "must",
"active": false,
"alias": "",
"id": 2
},
"3": {
"type": "terms",
"field": "_type",
"value": "http",
"mandate": "must",
"active": false,
"alias": "",
"id": 3
},
"4": {
"type": "field",
"field": "proto",
"query": "\"tcp\"",
"mandate": "must",
"active": false,
"alias": "",
"id": 4
}
},
"ids": [
0,
1,
2,
3,
4
]
}
},
"rows": [
{
"title": "Time Events",
"height": "300px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"span": 12,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "ts",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
0
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": false,
"resolution": 100,
"interval": "1m",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": true,
"fill": 0,
"linewidth": 2,
"points": false,
"pointradius": 5,
"bars": false,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "Bro Events",
"scaleSeconds": false
}
],
"notice": false
},
{
"title": "Network Statistics",
"height": "350px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 3,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "proto",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Top Protocols",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 5,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "id.orig_h",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "bar",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Top 10 talkers",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "host",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "bar",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
1
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Top 10 HTTP hosts",
"tsums": false,
"dtype": ""
}
],
"notice": false
},
{
"title": "Graph",
"height": "250px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 3,
"editable": true,
"group": [
"default"
],
"type": "terms",
"queries": {
"mode": "selected",
"ids": [
0
]
},
"field": "id.resp_p",
"exclude": [],
"missing": false,
"other": false,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "none",
"title": "Top 10 Destination Ports",
"spyable": true,
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 2,
"editable": true,
"type": "stats",
"loadingEditor": false,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"style": {
"font-size": "24pt"
},
"format": "bytes",
"mode": "total",
"display_breakdown": "yes",
"sort_field": "",
"sort_reverse": false,
"label_name": "Query",
"value_name": "Value",
"spyable": true,
"show": {
"count": false,
"min": false,
"max": true,
"mean": true,
"std_deviation": false,
"sum_of_squares": false,
"total": true,
"variance": false
},
"title": "Download Network Bandwidth Stats",
"field": [
"resp_ip_bytes"
],
"unit": "Bytes"
},
{
"error": false,
"span": 2,
"editable": true,
"type": "stats",
"loadingEditor": false,
"queries": {
"mode": "selected",
"ids": [
0
]
},
"style": {
"font-size": "24pt"
},
"format": "bytes",
"mode": "total",
"display_breakdown": "yes",
"sort_field": "",
"sort_reverse": false,
"label_name": "Query",
"value_name": "Value",
"spyable": true,
"show": {
"count": false,
"min": false,
"max": true,
"mean": true,
"std_deviation": false,
"sum_of_squares": false,
"total": true,
"variance": false
},
"title": "Upload Network Bandwidth Stats",
"field": [
"orig_ip_bytes"
],
"unit": "Bytes"
},
{
"error": false,
"span": 3,
"editable": true,
"group": [
"default"
],
"type": "terms",
"queries": {
"mode": "all",
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9
]
},
"field": "_type",
"exclude": [],
"missing": false,
"other": true,
"size": 15,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"title": "Bro Logs",
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 3,
"editable": true,
"group": [
"default"
],
"type": "terms",
"queries": {
"mode": "selected",
"ids": [
9
]
},
"field": "mime_type",
"exclude": [],
"missing": false,
"other": true,
"size": 15,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"title": "Bro File Types",
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 3,
"editable": true,
"group": [
"default"
],
"type": "terms",
"queries": {
"mode": "all",
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9
]
},
"field": "method",
"exclude": [],
"missing": false,
"other": true,
"size": 5,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"title": "HTTP methods",
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"tsums": false,
"dtype": ""
}
],
"notice": false
},
{
"title": "Software",
"height": "250px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "name",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
2
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Software",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "software_type",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
2
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Software types",
"tsums": false,
"dtype": ""
},
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "app",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
4
]
},
"tmode": "terms",
"tstat": "total",
"valuefield": "",
"title": "Web apps",
"tsums": false,
"dtype": ""
}
],
"notice": false
},
{
"title": "Scanning",
"height": "250px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 2,
"editable": true,
"type": "stats",
"loadingEditor": false,
"queries": {
"mode": "selected",
"ids": [
6
]
},
"style": {
"font-size": "20pt"
},
"format": "number",
"mode": "count",
"display_breakdown": "yes",
"field": [
"orig_ip_bytes",
"resp_ip_bytes"
],
"sort_field": "",
"sort_reverse": false,
"label_name": "Query",
"value_name": "Value",
"spyable": true,
"show": {
"count": true,
"min": false,
"max": false,
"mean": true,
"std_deviation": true,
"sum_of_squares": false,
"total": false,
"variance": false
},
"title": "Conn Stats",
"unit": "Bytes"
},
{
"span": 2,
"editable": true,
"type": "trends",
"loadingEditor": false,
"ago": "2m",
"arrangement": "vertical",
"reverse": false,
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
6
]
},
"style": {
"font-size": "14pt"
},
"title": "scan"
},
{
"span": 3,
"editable": true,
"type": "histogram",
"loadingEditor": false,
"mode": "count",
"time_field": "ts",
"value_field": null,
"x-axis": true,
"y-axis": true,
"scale": 1,
"y_format": "none",
"grid": {
"max": null,
"min": 0
},
"queries": {
"mode": "selected",
"ids": [
6
]
},
"annotate": {
"enable": false,
"query": "*",
"size": 20,
"field": "_type",
"sort": [
"_score",
"desc"
]
},
"auto_int": false,
"resolution": 100,
"interval": "1s",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1y"
],
"lines": false,
"fill": 0,
"linewidth": 3,
"points": false,
"pointradius": 5,
"bars": true,
"stack": true,
"spyable": true,
"zoomlinks": true,
"options": true,
"legend": true,
"show_query": true,
"interactive": true,
"legend_counts": true,
"timezone": "browser",
"percentage": false,
"zerofill": true,
"derivative": false,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": true
},
"title": "Scan histogram"
},
{
"error": false,
"span": 3,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "id.orig_h",
"exclude": [],
"missing": true,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
6
]
},
"tmode": "terms",
"tsums": false,
"dtype": "",
"tstat": "total",
"valuefield": [],
"title": "Hosts"
}
],
"notice": false
},
{
"title": "Destination Domains",
"height": "350px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "server_name",
"exclude": [],
"missing": false,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "table",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
7
]
},
"tmode": "terms",
"tsums": false,
"dtype": "",
"tstat": "total",
"valuefield": [],
"title": "SSL Hosts"
},
{
"error": false,
"span": 6,
"editable": true,
"type": "map",
"loadingEditor": false,
"map": "world",
"colors": [
"#A0E2E2",
"#265656"
],
"size": 100,
"exclude": [],
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
8
]
},
"field": "resp_cc",
"title": "Geo"
}
],
"notice": false
},
{
"title": "Flow To Country",
"height": "300px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 6,
"editable": true,
"type": "flows",
"loadingEditor": false,
"spyable": true,
"size": 20,
"exclude": [],
"tmode": "terms",
"chart": "flows",
"style": {
"font-size": "16pt"
},
"queries": {
"mode": "selected",
"ids": [
8
]
},
"src_field": "id.orig_h",
"dst_field": "resp_cc",
"title": "Geo Flow"
},
{
"error": false,
"span": 6,
"editable": true,
"type": "force",
"loadingEditor": false,
"spyable": true,
"size": 100,
"queries": {
"mode": "selected",
"ids": [
8
]
},
"src_field": "id.orig_h",
"dst_field": "resp_cc",
"title": "Geo Force"
},
{
"error": false,
"span": 6,
"editable": true,
"type": "force",
"loadingEditor": false,
"spyable": true,
"size": 100,
"queries": {
"mode": "all",
"ids": [
0,
1,
2,
3,
4,
5,
6,
7,
8,
9
]
},
"src_field": "id.orig_h",
"dst_field": "host",
"title": "DNS Flow"
},
{
"error": false,
"span": 6,
"editable": true,
"type": "flows",
"loadingEditor": false,
"spyable": true,
"size": 10,
"exclude": [],
"tmode": "terms",
"chart": "edges",
"style": {
"font-size": "16pt"
},
"queries": {
"mode": "selected",
"ids": []
},
"src_field": "id.orig_h",
"dst_field": "id.resp_h"
}
],
"notice": false
},
{
"title": "Intel",
"height": "350px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 4,
"editable": true,
"type": "terms",
"loadingEditor": false,
"field": "sources",
"exclude": [],
"missing": true,
"other": true,
"size": 10,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": false,
"tilt": false,
"labels": true,
"arrangement": "horizontal",
"chart": "bar",
"counter_pos": "above",
"spyable": true,
"queries": {
"mode": "selected",
"ids": [
5
]
},
"tmode": "terms",
"tsums": false,
"dtype": "",
"tstat": "total",
"valuefield": [],
"title": "Top Source Hits"
},
{
"error": false,
"span": 8,
"editable": true,
"type": "flows",
"loadingEditor": false,
"spyable": true,
"size": 20,
"exclude": [],
"tmode": "terms",
"chart": "flows",
"style": {
"font-size": "16pt"
},
"queries": {
"mode": "selected",
"ids": [
5
]
},
"src_field": "id.orig_h",
"dst_field": "id.resp_h",
"title": "Suspicious"
}
],
"notice": false
},
{
"title": "Events",
"height": "650px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"error": false,
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "table",
"size": 100,
"pages": 5,
"offset": 0,
"sort": [
"ts",
"desc"
],
"style": {
"font-size": "9pt"
},
"overflow": "min-height",
"fields": [
"id.orig_h",
"id.orig_p",
"id.resp_h",
"id.resp_p",
"proto",
"_type",
"uri",
"user_agent",
"ts",
"L7_PROTO_NAME"
],
"highlight": [],
"sortable": true,
"header": true,
"paging": true,
"spyable": true,
"queries": {
"mode": "unpinned",
"ids": []
},
"field_list": true,
"status": "Stable",
"trimFactor": 300,
"normTimes": true,
"title": "Documents",
"all_fields": true,
"localTime": false,
"timeField": "@timestamp"
}
],
"notice": false
}
],
"editable": true,
"index": {
"interval": "hour",
"pattern": "[bro-]YYYYMMDDHHmm",
"default": "bro-*",
"warm_fields": true
},
"style": "light",
"failover": true,
"panel_hints": true,
"loader": {
"save_gist": false,
"save_elasticsearch": true,
"save_local": true,
"save_default": true,
"save_temp": true,
"save_temp_ttl_enable": true,
"save_temp_ttl": "30d",
"load_gist": true,
"load_elasticsearch": true,
"load_elasticsearch_size": 20,
"load_local": true,
"hide": false
},
"pulldowns": [
{
"type": "query",
"collapse": false,
"notice": false,
"query": "*",
"pinned": true,
"history": [
"uid:\"CagDkn3al5MODvVZX\" OR conn_uids:\"CagDkn3al5MODvVZX\" OR appldnld.apple.com",
"_type:\"files\"",
"_type:\"conn\"",
"_type:\"ssl\"",
"proto:\"tcp\" AND conn_state:\"S0\"",
"_type:\"intel\"",
"_type:\"app_stats\"",
"_index:\"nprobe*\"",
"_type:\"software\"",
"_type:\"http\""
],
"remember": 10,
"enable": true
},
{
"type": "filtering",
"collapse": true,
"notice": true,
"enable": true
}
],
"nav": [
{
"type": "timepicker",
"collapse": false,
"notice": false,
"status": "Stable",
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
],
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
],
"timefield": "ts",
"enable": true,
"now": true,
"filter_id": 0
}
],
"refresh": false
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment