Created by Evgeniy Sokolov last modified 2016-10-07

02-wazuh.conf

      # 02-wazuh.conf Logstash config for Wazuh OSSEC & Suricata. Place into /etc/logstash/config.d
# ESGuardian: esguardian@outlook.com v 1.0.0

input {
  lumberjack {
    port => 5043
    tags => ["wazuh"]
    ssl_certificate => "/etc/logstash/logstash-forwarder.crt"
    ssl_key => "/etc/logstash/logstash-forwarder.key"
    codec => json {charset => "Windows-1251"}
    
   }
}
filter {
    if "wazuh" in [tags] {
        if [type] == "ossec-alerts" {
            geoip {
              source => "srcip"
              target => "geoip"
              database => "/etc/logstash/GeoLiteCity.dat"
            }
            date {
                match => ["timestamp", "YYYY MMM dd HH:mm:ss"]
                target => "@timestamp"
            }
            mutate {
              rename => [ "hostname", "AgentName" ]
              rename => [ "geoip", "GeoLocation" ]
              rename => [ "file", "AlertsFile" ]
              rename => [ "agentip", "AgentIP" ]
              rename => [ "[rule][comment]", "[rule][description]" ]
              rename => [ "[rule][level]", "[rule][AlertLevel]" ]
              remove_field => [ "timestamp" ]
              
            }
        }
        
    }
}

output {
  if "wazuh" in [tags] {
    #stdout { codec => rubydebug }
    if [type] == "ossec-alerts" {
        elasticsearch {        
             hosts => ["127.0.0.1:9200"]
             index => "ossec-%{+YYYY.MM.dd}"
             document_type => "ossec"
             template => "/etc/logstash/elastic-ossec-template.json"
             template_name => "ossec"
             template_overwrite => true
        }
    }
    if [type] == "suricata-alerts" {
        elasticsearch {        
             hosts => ["127.0.0.1:9200"]
             index => "suricata-%{+YYYY.MM.dd}"
             document_type => "suricata"
             template => "/etc/logstash/elastic-suricata-template.json"
             template_name => "suricata"
             template_overwrite => true

        }
    
    }
  } 
  
}

    

elastic-ossec-template.json

Raw

      {
  "order": 0,
  "template": "ossec*",
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "ossec": {
      "dynamic_templates": [
        {
          "notanalyzed": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            }
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime",
          "index": "not_analyzed"
        },
        "@version": {
          "type": "string"
        },
        "AgentIP": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "AgentID": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dstuser": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "AlertsFile": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "full_log": {
          "type": "string"
        },
        "GeoLocation": {
          "properties": {
            "area_code": {
              "type": "long"
            },
            "city_name": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "continent_code": {
              "type": "string"
            },
            "coordinates": {
              "type": "double"
            },
            "country_code2": {
              "type": "string"
            },
            "country_code3": {
              "type": "string"
            },
            "country_name": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "dma_code": {
              "type": "long"
            },
            "ip": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "latitude": {
              "type": "double"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "double"
            },
            "postal_code": {
              "type": "string"
            },
            "real_region_name": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "region_name": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "timezone": {
              "type": "string"
            }
          }
        },
        "host": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "AgentName": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "SyscheckFile": {
          "properties": {
            "path": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "sha1_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "sha1_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "owner_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "owner_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "gowner_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "gowner_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "perm_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "perm_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "md5_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "md5_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "gname_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "gname_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "inode_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "inode_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "mtime_after": {
              "type": "date",
              "format": "dateOptionalTime",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "mtime_before": {
              "type": "date",
              "format": "dateOptionalTime",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "uname_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "uname_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "size_before": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "size_after": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "perm_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "perm_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "owner_before": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "owner_after": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
          },
            "diff": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            }
          }
        },
        "location": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "message": {
          "type": "string"
        },
        "offset": {
          "type": "string"
        },
        "rule": {
          "properties": {
            "description": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "groups": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "AlertLevel": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "sidid": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "cve": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "info": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "frequency": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "firedtimes": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "CIS": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "PCI_DSS": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            }
          }
        },
        "decoder": {
          "properties": {
            "parent": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "name": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "ftscomment": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "fts": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            },
            "accumulate": {
              "type": "long",
              "index": "not_analyzed",
              "doc_values": "true"
            }
          }
        },
        "srcip": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "protocol": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "action": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dstip": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dstport": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dstuser": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "srcuser": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "program_name": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "id": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "status": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "command": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "url": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "data": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "systemname": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "type": {
          "type": "string"
        },
        "score": {
          "type": "double",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "max_score": {
          "type": "double",
          "index": "not_analyzed",
          "doc_values": "true"
        }
      }
    }
  }
}


    

elastic-suricata-template.json

Raw

      {
  "order": 0,
  "template": "suricata*",
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "suricata": {
      "dynamic_templates": [
        {
          "notanalyzed": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed",
              "doc_values": "true"
            }
          }
        }
      ],
      "properties": {
        "dns": {
            "properties": {
                "type": {
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "rdata":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "rname":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "rrtype":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "id":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "ttl":{
                    "type": "long"
                }
                
            }
        }, 
        "alert": {
            "properties": {
                "category": {
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "signature":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "action":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "signature_id":{
                    "type": "string",
                    "index": "not_analyzed",
                    "doc_values": "true"
                },
                "rev":{
                    "type": "long"
                },
                "gid":{
                    "type": "long"
                },
                "severity":{
                    "type": "long"
                }
                
            }
        },
        "type": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "tags": {
          "type": "string"
        },
        "src_ip": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dest_ip": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "event_type": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "file": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "host": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "dest_port": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "src_port": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "proto": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "timestamp": {
          "type": "date",
          "format": "dateOptionalTime",
          "index": "not_analyzed"
        },
        "offset": {
          "type": "string",
          "index": "not_analyzed",
          "doc_values": "true"
        },
        "@timestamp": {
          "type": "date",
          "format": "dateOptionalTime",
          "index": "not_analyzed"
        },
        "@version": {
          "type": "string"
        }
      }
    }
  }
}


    

kibana-ossecwazuh-dashboards.json

Raw

      [
  {
    "_id": "CIS-Compliance",
    "_type": "dashboard",
    "_source": {
      "title": "CIS Compliance",
      "hits": 0,
      "description": "",
      "panelsJSON": "[{\"col\":1,\"id\":\"CIS:-Requirements-by-time\",\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"CIS:-Last-Alerts\",\"row\":10,\"size_x\":12,\"size_y\":4,\"type\":\"search\",\"columns\":[\"AgentName\",\"rule.AlertLevel\",\"rule.CIS\",\"full_log\"],\"sort\":[\"@timestamp\",\"desc\"]},{\"col\":5,\"id\":\"CIS:-Evolution-by-agent\",\"row\":4,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"CIS:-Security-breaches-by-agent\",\"row\":7,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"CIS:-Sections\",\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Top-CIS-Breaches\",\"row\":7,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"Groups-and-Benchmarks\",\"type\":\"visualization\",\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":4},{\"id\":\"Agents-and-Benchmarks\",\"type\":\"visualization\",\"size_x\":6,\"size_y\":3,\"col\":1,\"row\":7}]",
      "version": 1,
      "timeRestore": false,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
      }
    }
  },
  {
    "_id": "OSSEC-Alerts",
    "_type": "dashboard",
    "_source": {
      "title": "OSSEC Alerts",
      "hits": 0,
      "description": "",
      "panelsJSON": "[{\"col\":10,\"id\":\"Agents-total-alerts\",\"row\":8,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Alerts:-Geolocation\",\"row\":1,\"size_x\":6,\"size_y\":4,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Alerts-level-greater-than-9\",\"row\":11,\"size_x\":6,\"size_y\":3,\"type\":\"search\"},{\"col\":1,\"id\":\"Last-alerts\",\"row\":14,\"size_x\":12,\"size_y\":5,\"type\":\"search\"},{\"col\":7,\"id\":\"Total-Alerts-Time-Bar\",\"row\":3,\"size_x\":6,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Location-Bar-Alerts\",\"row\":8,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"Alerts:-Top-5-Groups\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Signature:-Area-Chart\",\"row\":5,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"Pie-Chart:-Signature\",\"row\":8,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Alerts:-By-country\",\"row\":1,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Stacked-Groups\",\"row\":5,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Alert-level-evolution\",\"row\":8,\"size_x\":3,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Signature-counts\",\"row\":11,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"}]",
      "version": 1,
      "timeRestore": false,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
      }
    }
  },
  {
    "_id": "PCI-Compliance",
    "_type": "dashboard",
    "_source": {
      "title": "PCI Compliance",
      "hits": 0,
      "description": "",
      "panelsJSON": "[{\"col\":7,\"id\":\"PCIDSS:-By-section\",\"row\":4,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Requirements-by-agent\",\"row\":19,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PCI-DSS:-Requirement-11.4\",\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"High-Risk-Alerts-slash-PCI-DSS\",\"row\":8,\"size_x\":12,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PCI-DSS:-Signature-Area-Chart\",\"row\":10,\"size_x\":12,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PCI-Requirements-by-time\",\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":7,\"id\":\"Requirements-slash-Groups\",\"row\":1,\"size_x\":6,\"size_y\":3,\"type\":\"visualization\"},{\"col\":10,\"id\":\"PCI-Requirements-slash-Agent\",\"row\":4,\"size_x\":3,\"size_y\":4,\"type\":\"visualization\"},{\"col\":1,\"id\":\"Integrity-checksum-changed\",\"row\":13,\"size_x\":5,\"size_y\":3,\"type\":\"visualization\"},{\"col\":6,\"id\":\"File-table-integrity-checksum-changed\",\"row\":13,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":4,\"id\":\"PCI-DSS:-Requirement-10.2.2\",\"row\":4,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":1,\"id\":\"PCI-DSS:-Requirement-10.2.5\",\"row\":6,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"col\":4,\"id\":\"PCI-DSS:-Requirement-10.6.1\",\"row\":6,\"size_x\":3,\"size_y\":2,\"type\":\"visualization\"},{\"id\":\"Last-Alerts\",\"type\":\"search\",\"size_x\":12,\"size_y\":3,\"col\":1,\"row\":16,\"columns\":[\"AgentName\",\"rule.AlertLevel\",\"rule.PCI_DSS\",\"rule.description\"],\"sort\":[\"rule.groups\",\"desc\"]}]",
      "version": 1,
      "timeRestore": false,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
      }
    }
  },
  {
    "_id": "Last-alerts",
    "_type": "search",
    "_source": {
      "title": "Last alerts",
      "description": "",
      "hits": 0,
      "columns": [
        "AgentName",
        "AgentIP",
        "rule.sidid",
        "rule.AlertLevel",
        "rule.description",
        "full_log"
      ],
      "sort": [
        "@timestamp",
        "desc"
      ],
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Alerts-level-greater-than-9",
    "_type": "search",
    "_source": {
      "title": "Alerts level greater than 9",
      "description": "",
      "hits": 0,
      "columns": [
        "AgentName",
        "rule.AlertLevel",
        "rule.description"
      ],
      "sort": [
        "@timestamp",
        "desc"
      ],
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"rule.AlertLevel: [9 TO *]\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Last-Alerts",
    "_type": "search",
    "_source": {
      "title": "PCI: Last Alerts",
      "description": "",
      "hits": 0,
      "columns": [
        "AgentName",
        "rule.AlertLevel",
        "rule.PCI_DSS",
        "rule.description"
      ],
      "sort": [
        "rule.groups",
        "desc"
      ],
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:rule.PCI_DSS\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Last-Alerts",
    "_type": "search",
    "_source": {
      "title": "CIS: Last Alerts",
      "description": "",
      "hits": 0,
      "columns": [
        "AgentName",
        "rule.AlertLevel",
        "rule.CIS",
        "full_log"
      ],
      "sort": [
        "@timestamp",
        "desc"
      ],
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:rule.CIS\",\"analyze_wildcard\":true}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCIDSS:-By-section",
    "_type": "visualization",
    "_source": {
      "title": "Requirements",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "File-table-integrity-checksum-changed",
    "_type": "visualization",
    "_source": {
      "title": "File table integrity checksum changed",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SyscheckFile.path\",\"exclude\":{\"pattern\":\"etc\"},\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SyscheckFile.md5_before\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"SyscheckFile.md5_after\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-10.6",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 10.6",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"10.6\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Alert-level-evolution",
    "_type": "visualization",
    "_source": {
      "title": "Alert level evolution",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.AlertLevel\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-Requirements-by-time",
    "_type": "visualization",
    "_source": {
      "title": "PCI Requirements by time",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Signature-counts",
    "_type": "visualization",
    "_source": {
      "title": "Signature counts",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Agents-total-alerts",
    "_type": "visualization",
    "_source": {
      "title": "Agents total alerts",
      "visState": "{\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Alerts:-Geolocation",
    "_type": "visualization",
    "_source": {
      "title": "Alerts: Geolocation",
      "visState": "{\"type\":\"tile_map\",\"params\":{\"mapType\":\"Shaded Circle Markers\",\"isDesaturated\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"GeoLocation.location\",\"precision\":3}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-6.4",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 6.4",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"6.4\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-By-section",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Sections",
      "visState": "{\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":false,\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Sections",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Sections",
      "visState": "{\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"shareYAxis\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-10.2.5",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 10.2.5",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"10.2.5\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Stacked-Groups",
    "_type": "visualization",
    "_source": {
      "title": "Stacked Groups",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.groups\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Total-Alerts-Time-Bar",
    "_type": "visualization",
    "_source": {
      "title": "Total Alerts Time Bar",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"minute\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Location-Bar-Alerts",
    "_type": "visualization",
    "_source": {
      "title": "Location Bar Alerts",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"location\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Alerts:-Top-5-Groups",
    "_type": "visualization",
    "_source": {
      "title": "Alerts: Top 5 Groups",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.groups\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Evolution-by-agent",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Evolution by agent",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"row\":true}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-10.5",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 10.5",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"10.5\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-Requirements-slash-Agent",
    "_type": "visualization",
    "_source": {
      "title": "PCI Requirements / Agent",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"grouped\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Requirements-by-agent",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Requirements by agent",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Integrity-checksum-changed",
    "_type": "visualization",
    "_source": {
      "title": "Integrity checksum changed",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"SyscheckFile.path\",\"exclude\":{\"pattern\":\"etc\"},\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Groups-and-Benchmarks",
    "_type": "visualization",
    "_source": {
      "title": "Groups and Benchmarks",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.groups\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Pie-Chart:-Signature",
    "_type": "visualization",
    "_source": {
      "title": "Pie Chart: Signature",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.description\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Agents-and-Benchmarks",
    "_type": "visualization",
    "_source": {
      "title": "Agents and Benchmarks",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Signature:-Area-Chart",
    "_type": "visualization",
    "_source": {
      "title": "Signature: Area Chart",
      "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":false,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.description\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"h\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Alerts:-By-country",
    "_type": "visualization",
    "_source": {
      "title": "Alerts: By country",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"GeoLocation.country_name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Top-CIS-Breaches",
    "_type": "visualization",
    "_source": {
      "title": "Top CIS Breaches",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"json\":\"\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-11.4",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 11.4",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"11.4\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Requirements-slash-Groups",
    "_type": "visualization",
    "_source": {
      "title": "Requirements / Groups",
      "visState": "{\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rule.groups\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "Requirements-by-agent",
    "_type": "visualization",
    "_source": {
      "title": "Requirements by agent",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"5\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.PCI_DSS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"6\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Requirements-by-time",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Requirements by time",
      "visState": "{\"type\":\"area\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"mode\":\"stacked\",\"defaultYExtents\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.CIS\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"hour\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-10.2.2",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 10.2.2",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"10.2.2\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Requirement-10.6.1",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Requirement 10.6.1",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"defaultYExtents\":false,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.PCI_DSS: \\\"10.6.1\\\"\",\"analyze_wildcard\":true}}}}],\"row\":true}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "High-Risk-Alerts-slash-PCI-DSS",
    "_type": "visualization",
    "_source": {
      "title": "High Risk Alerts / PCI DSS",
      "visState": "{\"type\":\"line\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"defaultYExtents\":false,\"showCircles\":true,\"smoothLines\":false,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"rule.AlertLevel > 10\",\"analyze_wildcard\":true}}}},{\"input\":{\"query\":{\"query_string\":{\"query\":\"_exists_:rule.PCI_DSS\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "PCI-DSS:-Signature-Area-Chart",
    "_type": "visualization",
    "_source": {
      "title": "PCI DSS: Signature Area Chart",
      "visState": "{\"type\":\"area\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"defaultYExtents\":false,\"mode\":\"stacked\",\"shareYAxis\":true,\"smoothLines\":false,\"scale\":\"linear\",\"interpolate\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"type\":\"filters\",\"schema\":\"split\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"_exists_:rule.PCI_DSS\",\"analyze_wildcard\":true}}}}],\"row\":true}},{\"id\":\"3\",\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"rule.description\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:rule.PCI_DSS\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-Security-breaches-by-agent",
    "_type": "visualization",
    "_source": {
      "title": "CIS: Security breaches by agent",
      "visState": "{\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"AgentName\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"_exists_:rule.CIS\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "CIS:-By-time",
    "_type": "visualization",
    "_source": {
      "title": "CIS: By time",
      "visState": "{\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":false,\"mode\":\"stacked\",\"defaultYExtents\":false,\"scale\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"type\":\"filters\",\"schema\":\"group\",\"params\":{\"filters\":[{\"input\":{\"query\":{\"query_string\":{\"query\":\"_exists_:rule.CIS\",\"analyze_wildcard\":true}}}}]}}],\"listeners\":{}}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"ossec-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  }
]

    

kibana-suricata-dashboards.json

Raw

      [
  {
    "_id": "Suricata-dash",
    "_type": "dashboard",
    "_source": {
      "title": "Suricata-dash",
      "hits": 0,
      "description": "",
      "panelsJSON": "[{\"col\":1,\"columns\":[\"alert.signature\",\"alert.severity\",\"src_ip\",\"src_port\",\"dest_ip\",\"dest_port\"],\"id\":\"Suricata-log\",\"panelIndex\":1,\"row\":4,\"size_x\":12,\"size_y\":6,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"col\":5,\"id\":\"Suricata-alerts-by-time\",\"panelIndex\":2,\"row\":1,\"size_x\":8,\"size_y\":3,\"type\":\"visualization\"},{\"id\":\"SG-signature\",\"type\":\"visualization\",\"panelIndex\":3,\"size_x\":4,\"size_y\":3,\"col\":1,\"row\":1}]",
      "optionsJSON": "{\"darkTheme\":false}",
      "uiStateJSON": "{\"P-2\":{\"vis\":{\"colors\":{\"Count\":\"#1F78C1\"},\"legendOpen\":false}}}",
      "version": 1,
      "timeRestore": false,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}}}]}"
      }
    }
  },
  {
    "_id": "Suricata-log",
    "_type": "search",
    "_source": {
      "title": "Suricata-log",
      "description": "",
      "hits": 0,
      "columns": [
        "alert.signature",
        "alert.severity",
        "src_ip",
        "src_port",
        "dest_ip",
        "dest_port"
      ],
      "sort": [
        "@timestamp",
        "desc"
      ],
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"suricata-*\",\"query\":{\"query_string\":{\"query\":\"NOT (alert.signature_id:2200003 OR alert.signature_id:2200074)\",\"analyze_wildcard\":true}},\"filter\":[],\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"require_field_match\":false,\"fragment_size\":2147483647}}"
      }
    }
  },
  {
    "_id": "Suricata-alerts-by-time",
    "_type": "visualization",
    "_source": {
      "title": "Suricata-alerts-by-time",
      "visState": "{\"title\":\"Suricata-alerts-by-time\",\"type\":\"histogram\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"scale\":\"linear\",\"mode\":\"stacked\",\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false,\"yAxis\":{}},\"aggs\":[{\"id\":\"3\",\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"2\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}",
      "uiStateJSON": "{}",
      "description": "",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"index\":\"suricata-*\",\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[]}"
      }
    }
  },
  {
    "_id": "SG-signature",
    "_type": "visualization",
    "_source": {
      "title": "SG-signature",
      "visState": "{\"title\":\"New Visualization\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.signature\",\"size\":300,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "uiStateJSON": "{}",
      "description": "",
      "savedSearchId": "Suricata-log",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[]}"
      }
    }
  },
  {
    "_id": "SC-Signatures",
    "_type": "visualization",
    "_source": {
      "title": "SC-Signatures",
      "visState": "{\"title\":\"SC-Signatures\",\"type\":\"pie\",\"params\":{\"shareYAxis\":true,\"addTooltip\":true,\"addLegend\":true,\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert.signature\",\"size\":200,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}",
      "uiStateJSON": "{}",
      "description": "",
      "savedSearchId": "Suricata-log",
      "version": 1,
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"filter\":[]}"
      }
    }
  }  
]

    

Comments (0)

HTTPS

SSH

You can clone a snippet to your computer for local editing. Learn more.

Snippets

Evgeniy Sokolov ELK OSSEC & Suricata v 1.0.0

Comments (0)