dashboard updates
dougburks committed Dec 5, 2017
1 parent 45ca848 commit 64e4d18
Showing 104 changed files with 14,806 additions and 1,234 deletions.
82 changes: 41 additions & 41 deletions kibana/dashboards/01600fb0-34e4-11e7-9669-7f1d3242b798.json

34 changes: 17 additions & 17 deletions kibana/dashboards/022713e0-3ab0-11e7-a83b-b1b4da7d15f4.json

38 changes: 19 additions & 19 deletions kibana/dashboards/0de7a390-3644-11e7-a6f7-4f44d7bf1c33.json

32 changes: 16 additions & 16 deletions kibana/dashboards/130017f0-46ce-11e7-946f-1bfb1be7c36b.json

36 changes: 18 additions & 18 deletions kibana/dashboards/1d98d620-7dce-11e7-846a-150cdcaf3374.json

118 changes: 49 additions & 69 deletions kibana/dashboards/230134a0-34c6-11e7-8360-0b86c90983fd.json

34 changes: 17 additions & 17 deletions kibana/dashboards/27f3b380-3583-11e7-a588-05992195c551.json

30 changes: 15 additions & 15 deletions kibana/dashboards/2d315d80-3582-11e7-98ef-19df58fe538b.json

28 changes: 14 additions & 14 deletions kibana/dashboards/2fdf5bf0-3581-11e7-98ef-19df58fe538b.json

20 changes: 10 additions & 10 deletions kibana/dashboards/3a457d70-3583-11e7-a588-05992195c551.json

120 changes: 59 additions & 61 deletions kibana/dashboards/4323af90-76e5-11e7-ab14-e1a4c1bc11e0.json

34 changes: 17 additions & 17 deletions kibana/dashboards/46582d50-3af2-11e7-a83b-b1b4da7d15f4.json

36 changes: 18 additions & 18 deletions kibana/dashboards/468022c0-3583-11e7-a588-05992195c551.json

16 changes: 8 additions & 8 deletions kibana/dashboards/4e108070-46c7-11e7-946f-1bfb1be7c36b.json

Expand Up @@ -4,7 +4,7 @@
{
"id": "4f6f3440-6d62-11e7-8ddb-e71eb260f4a3",
"type": "dashboard",
"version": 2,
"version": 3,
"attributes": {
"hits": 0,
"timeRestore": false,
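Review bot: the only change visible in this hunk is the saved-object `version` bump from 2 to 3, which Kibana increments on every re-save and which carries no dashboard content; committing raw exports verbatim means each round trip through the Kibana UI produces diff noise of this kind (the Navigation visualization later in this commit jumps from 2 to 162), so consider stripping or normalizing the top-level `version` field before committing so reviewers can see the real changes. The file header reports 8 additions and 8 deletions for this file, so the remaining changes fall outside the rendered hunk and cannot be reviewed here.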
28 changes: 14 additions & 14 deletions kibana/dashboards/50173bd0-3582-11e7-98ef-19df58fe538b.json

28 changes: 14 additions & 14 deletions kibana/dashboards/56a34ce0-3583-11e7-a588-05992195c551.json

34 changes: 17 additions & 17 deletions kibana/dashboards/61d43810-6d62-11e7-8ddb-e71eb260f4a3.json

46 changes: 23 additions & 23 deletions kibana/dashboards/68563ed0-34bf-11e7-9b32-bb903919ead9.json

16 changes: 8 additions & 8 deletions kibana/dashboards/68f738e0-46ca-11e7-946f-1bfb1be7c36b.json

38 changes: 19 additions & 19 deletions kibana/dashboards/6b0d4870-3583-11e7-a588-05992195c551.json

34 changes: 17 additions & 17 deletions kibana/dashboards/6d189680-6d62-11e7-8ddb-e71eb260f4a3.json

26 changes: 13 additions & 13 deletions kibana/dashboards/70c005f0-3583-11e7-a588-05992195c551.json

24 changes: 12 additions & 12 deletions kibana/dashboards/7929f430-3583-11e7-a588-05992195c551.json

74 changes: 37 additions & 37 deletions kibana/dashboards/7f27a830-34e5-11e7-9669-7f1d3242b798.json

26 changes: 13 additions & 13 deletions kibana/dashboards/85348270-357b-11e7-ac34-8965f6420c51.json

26 changes: 13 additions & 13 deletions kibana/dashboards/8a10e380-3583-11e7-a588-05992195c551.json

32 changes: 16 additions & 16 deletions kibana/dashboards/90b246c0-3583-11e7-a588-05992195c551.json

84 changes: 42 additions & 42 deletions kibana/dashboards/94b52620-342a-11e7-9d52-4f090484f59e.json

36 changes: 18 additions & 18 deletions kibana/dashboards/97f8c3a0-3583-11e7-a588-05992195c551.json

38 changes: 19 additions & 19 deletions kibana/dashboards/9ef20ae0-3583-11e7-a588-05992195c551.json

24 changes: 12 additions & 12 deletions kibana/dashboards/AV6-POJSDwoBUzALqKAg.json
Expand Up @@ -4,12 +4,12 @@
{
"id": "AV6-PHKnDwoBUzALqJ_c",
"type": "visualization",
"version": 2,
"version": 8,
"attributes": {
"visState": "{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"markdown\":\"Hello, and welcome to Security Onion on the Elastic stack! \\n\\nAs you may have experienced, when logging into Kibana, you are automatically placed into the Overview dashboard, where you will see links to other dashboards. These dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\nAs you search through the data in Kibana, you should see Bro logs, syslog, and Snort alerts. Logstash should have parsed out most fields in most Bro logs and Snort alerts.\\n\\nNotice that the source_ip and destination_ip fields are hyperlinked. These hyperlinks will take you to a dashboard that will help you analyze the traffic relating to that particular IP address (Indicator).\\n\\nUID fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an _id field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type! This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. CapMe should try to do the following:\\n* retrieve the _id from Elasticsearch\\n* parse out timestamp\\n* if Bro log, parse out the CID, otherwise parse out src IP, src port, dst IP, and dst port\\n* query Elasticsearch for those terms and try to find the corresponding bro_conn log\\n* parse out sensor name (hostname-interface)\\n* send a request to sguild to request pcap from that sensor name\\n\\n\\nPreviously, in Squert, you could pivot from an IP address to ELSA. 
That pivot has been removed and replaced with a pivot to Kibana.\\n\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/wiki/Elastic\\n\\nAlso, please feel free to post any questions or concerns on our mailing list:\\n\\nhttps://securityonion.net/wiki/MailingLists#mailing-lists\"},\"aggs\":[],\"listeners\":{}}",
"description": "",
"title": "Help",
"visState": "{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- Elasticsearch\\n- Logstash\\n- Kibana\\n\\nElasticsearch is the database that stores the logs, Logstash is used to collect and enrich logs before storing them in Elasticsearch, and Kibana is the web interface for visualizing those logs that you're looking at right now.\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- Discover\\n- Visualize\\n- Dashboard\\n- Timelion\\n- Dev Tools\\n- Management\\n- Squert\\n- Logout\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you have already authenticated to Apache.\\n\\nClicking the `Logout` link in Squert or Kibana will log you out of your Apache session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as NIDS Alerts, Bro HTTP logs, Syslog, etc.\\n\\n## Dashboards\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. Clicking one of the links in the Navigation Panel will take you to another dashboard with information relating to that particular log type. 
These dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n## Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\nPreviously, in Squert, you could pivot from an IP address to ELSA. That pivot has been removed and replaced with a pivot to Kibana.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/wiki/Elastic\",\"type\":\"markdown\"},\"aggs\":[],\"listeners\":{}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"match_all\":{}},\"filter\":[]}"
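Review bot: the rewritten Help `visState` drops the documented CapMe pivot steps (retrieve the `_id`, parse the timestamp, parse the CID or the 4-tuple, look up the matching `bro_conn` log, derive `hostname-interface`, request the pcap from sguild) and the mailing-list link; if that material is not already on the linked wiki page, keep the step list in the panel, since it is the only place an analyst learns what the `_id` pivot actually does and why it fails for non-tcp/udp logs. Two smaller points: the new `params` object carries `\"type\":\"markdown\"` in addition to the top-level `\"type\":\"markdown\"`, so confirm this matches the Kibana version the export targets rather than being a stray editor artifact; and the new text states that Squert needs no separate login because the user "already authenticated to Apache" and that `Logout` ends the Apache session, which is worth stating more explicitly in the panel as a single shared session so users understand that logging out of one interface logs them out of both.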
Expand All @@ -19,17 +19,17 @@
"panelIndex": 1,
"row": 1,
"size_x": 10,
"size_y": 11
"size_y": 22
},
{
"id": "b3b449d0-3429-11e7-9d52-4f090484f59e",
"type": "visualization",
"version": 2,
"version": 162,
"attributes": {
"visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data:**\\n\\n[Bro Notices](/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33)   \\n[NIDS](/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting:** \\n\\n [Connections](/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51)  \\n[DNP3](/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b)  \\n[DNS](/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9)  \\n[Files](/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551)   \\n[HTTP](/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd)  \\n[Intel](/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551)  \\n[IRC](/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551)  \\n[Kerberos](/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551)  \\n[Modbus](/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551)  \\n[MySQL](/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551)  \\n[NTLM](/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551)  \\n[RADIUS](/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551)  \\n[RDP](/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551)  \\n[RFB](/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551)  \\n[SIP](/app/kibana#/dashboard/ad3c0830-\\n3583-11e7-a588-05992195c551) 
\\n[SMB](/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80)   \\n[SMTP](/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551)  \\n[SNMP](/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551)  \\n[Software](/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551)  \\n[SSH](/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551)  \\n[SSL](/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551)  \\n[Syslog](/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551)  \\n[Weird](/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551)  \\n[X.509](/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551)  \\n\\n**Host Hunting:** \\n\\n[Autoruns](/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[OSSEC](/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other:** \\n \\n[Firewall](/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Stats](/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\"},\"aggs\":[],\"listeners\":{}}",
"description": "",
"title": "Navigation",
"visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/app/kibana#/dashboard/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/app/kibana#/dashboard/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data:**\\n\\n[Bro Notices](/app/kibana#/dashboard/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/app/kibana#/dashboard/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/app/kibana#/dashboard/0de7a390-3644-11e7-a6f7-4f44d7bf1c33)   \\n[NIDS](/app/kibana#/dashboard/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting:** \\n\\n [Connections](/app/kibana#/dashboard/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/app/kibana#/dashboard/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/app/kibana#/dashboard/85348270-357b-11e7-ac34-8965f6420c51)  \\n[DNP3](/app/kibana#/dashboard/2fdf5bf0-3581-11e7-98ef-19df58fe538b)  \\n[DNS](/app/kibana#/dashboard/ebf5ec90-34bf-11e7-9b32-bb903919ead9)  \\n[Files](/app/kibana#/dashboard/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/app/kibana#/dashboard/27f3b380-3583-11e7-a588-05992195c551)   \\n[HTTP](/app/kibana#/dashboard/230134a0-34c6-11e7-8360-0b86c90983fd)  \\n[Intel](/app/kibana#/dashboard/468022c0-3583-11e7-a588-05992195c551)  \\n[IRC](/app/kibana#/dashboard/56a34ce0-3583-11e7-a588-05992195c551)  \\n[Kerberos](/app/kibana#/dashboard/6b0d4870-3583-11e7-a588-05992195c551)  \\n[Modbus](/app/kibana#/dashboard/70c005f0-3583-11e7-a588-05992195c551)  \\n[MySQL](/app/kibana#/dashboard/7929f430-3583-11e7-a588-05992195c551)  \\n[NTLM](/app/kibana#/dashboard/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/app/kibana#/dashboard/8a10e380-3583-11e7-a588-05992195c551)  \\n[RADIUS](/app/kibana#/dashboard/90b246c0-3583-11e7-a588-05992195c551)  \\n[RDP](/app/kibana#/dashboard/97f8c3a0-3583-11e7-a588-05992195c551)  \\n[RFB](/app/kibana#/dashboard/9ef20ae0-3583-11e7-a588-05992195c551)  \\n[SIP](/app/kibana#/dashboard/ad3c0830-\\n3583-11e7-a588-05992195c551) 
\\n[SMB](/app/kibana#/dashboard/b3a53710-3aaa-11e7-8b17-0d8709b02c80)   \\n[SMTP](/app/kibana#/dashboard/b10a9c60-3583-11e7-a588-05992195c551)  \\n[SNMP](/app/kibana#/dashboard/b65c2710-3583-11e7-a588-05992195c551)  \\n[Software](/app/kibana#/dashboard/c2c99c30-3583-11e7-a588-05992195c551)  \\n[SSH](/app/kibana#/dashboard/c6ccfc00-3583-11e7-a588-05992195c551)  \\n[SSL](/app/kibana#/dashboard/cca67b60-3583-11e7-a588-05992195c551)  \\n[Syslog](/app/kibana#/dashboard/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/app/kibana#/dashboard/d7b54ae0-3583-11e7-a588-05992195c551)  \\n[Weird](/app/kibana#/dashboard/de2da250-3583-11e7-a588-05992195c551)  \\n[X.509](/app/kibana#/dashboard/e5aa7170-3583-11e7-a588-05992195c551)  \\n\\n**Host Hunting:** \\n\\n[Autoruns](/app/kibana#/dashboard/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[OSSEC](/app/kibana#/dashboard/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/app/kibana#/dashboard/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other:** \\n \\n[Domain Stats](/app/kibana#/dashboard/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/app/kibana#/dashboard/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/app/kibana#/dashboard/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/app/kibana#/dashboard/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/app/kibana#/dashboard/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\"},\"aggs\":[],\"listeners\":{}}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\"}},\"filter\":[]}"
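Review bot: the SIP entry in both the old and the new Navigation markdown reads `[SIP](/app/kibana#/dashboard/ad3c0830-\\n3583-11e7-a588-05992195c551)`, with an escaped newline inside the dashboard id, so the link destination is split across two lines and the link is carried over broken; remove the `\\n` so the id is `ad3c0830-3583-11e7-a588-05992195c551` on one line. The new `Domain Stats` and `Frequency` links point at dashboards `AWAi6wvxAvKNGEbUWO_j` and `AWAi5k4jAvKNGEbUWFis`; the file listing on this page is truncated, so confirm both dashboard exports (and the visualizations they depend on) are included in this commit, otherwise the links dead-end after import. Note also that `Syslog` appears twice, under **Bro Hunting** (c4bbe040-...) and under **Other** (4323af90-...), in both versions; if these are deliberately different dashboards (Bro syslog log versus collected syslog), distinct labels would avoid confusion.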
Expand All @@ -44,16 +44,16 @@
{
"id": "AV6-POJSDwoBUzALqKAg",
"type": "dashboard",
"version": 2,
"version": 3,
"attributes": {
"title": "Help",
"hits": 0,
"timeRestore": false,
"description": "",
"title": "Help",
"uiStateJSON": "{}",
"panelsJSON": "[{\"col\":3,\"id\":\"AV6-PHKnDwoBUzALqJ_c\",\"panelIndex\":1,\"row\":1,\"size_x\":10,\"size_y\":11,\"type\":\"visualization\"},{\"col\":1,\"id\":\"b3b449d0-3429-11e7-9d52-4f090484f59e\",\"panelIndex\":2,\"row\":1,\"size_x\":2,\"size_y\":11,\"type\":\"visualization\"}]",
"panelsJSON": "[{\"col\":3,\"id\":\"AV6-PHKnDwoBUzALqJ_c\",\"panelIndex\":1,\"row\":1,\"size_x\":10,\"size_y\":22,\"type\":\"visualization\"},{\"col\":1,\"id\":\"b3b449d0-3429-11e7-9d52-4f090484f59e\",\"panelIndex\":2,\"row\":1,\"size_x\":2,\"size_y\":11,\"type\":\"visualization\"}]",
"optionsJSON": "{\"darkTheme\":true}",
"uiStateJSON": "{}",
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match_all\":{}}}],\"highlightAll\":true,\"version\":true}"
}
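Review bot: the `panelsJSON` change grows the Help panel (`panelIndex` 1) from `size_y` 11 to 22 while the Navigation panel (`panelIndex` 2) in the same row stays at 11, which matches the visualization change earlier in this commit but leaves the two panels unequal; verify the layout still fits the 1024x768 target the Help text itself promises. The remaining lines in this hunk only reorder keys (`title` moves up, `timeRestore` moves down) and bump the top-level `version` from 2 to 3 with no content change, so an export step that emits keys in a stable order would keep future diffs limited to real edits.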

0 comments on commit 64e4d18