From 56b9f9b2e4eadcd951781df48a4abde158055cbc Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jun 2024 08:09:51 -0600 Subject: [PATCH 01/65] Restore some files that got deleted in the merge --- .github/workflows/issues-to-dev-project.yml | 18 ++++++++++++++++++ .../workflows/issues-to-training-project.yml | 18 ++++++++++++++++++ README.md | 2 ++ _config.yml | 4 ++-- 4 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/issues-to-dev-project.yml create mode 100644 .github/workflows/issues-to-training-project.yml diff --git a/.github/workflows/issues-to-dev-project.yml b/.github/workflows/issues-to-dev-project.yml new file mode 100644 index 000000000..a38a870a9 --- /dev/null +++ b/.github/workflows/issues-to-dev-project.yml @@ -0,0 +1,18 @@ +name: Adds all issues that include the 'training' label to Malcolm Training project board + +on: + issues: + types: + - opened + +jobs: + add-to-project: + name: Add issue to project + runs-on: ubuntu-latest + steps: + - uses: actions/add-to-project@v0.5.0 + with: + project-url: https://github.com/orgs/idaholab/projects/24 + github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} + labeled: training + label-operator: OR diff --git a/.github/workflows/issues-to-training-project.yml b/.github/workflows/issues-to-training-project.yml new file mode 100644 index 000000000..f44eb0cf5 --- /dev/null +++ b/.github/workflows/issues-to-training-project.yml @@ -0,0 +1,18 @@ +name: Adds all issues that don't include the 'training' label to Malcolm project board + +on: + issues: + types: + - opened + +jobs: + add-to-project: + name: Add issue to project + runs-on: ubuntu-latest + steps: + - uses: actions/add-to-project@v0.5.0 + with: + project-url: https://github.com/orgs/idaholab/projects/1 + github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} + labeled: training + label-operator: NOT diff --git a/README.md b/README.md index f8dde1e6a..883ffdfe7 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con-'24-Announcement) for information on the first-ever Malcolm community conference, Mal.Con '24! + # Malcolm ![](./docs/images/logo/Malcolm_outline_banner_dark.png) diff --git a/_config.yml b/_config.yml index 41ff84c2f..a07a0eac5 100644 --- a/_config.yml +++ b/_config.yml @@ -5,8 +5,8 @@ logo: docs/images/logo/Malcolm_outline_banner_dark.png remote_theme: pages-themes/minimal@v0.2.0 youtube_url: https://www.youtube.com/@MalcolmNetworkTrafficAnalysis mastodon: - id: malcolm@malcolm.fyi - url: https://infosec.exchange/@mmguero + id: + url: docs_uri: docs/ alerting_docs_uri: docs/alerting.html anomaly_detection_docs_uri: docs/anomaly-detection.html From 7c7298bf45efe820b3485308add7db440d2f5212 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jun 2024 08:11:02 -0600 Subject: [PATCH 02/65] Restore some files that got deleted in the merge --- .github/ISSUE_TEMPLATE/bug_report.md | 39 +++++++++++++++++++ .../feature-enhancement-request.md | 21 ++++++++++ .github/ISSUE_TEMPLATE/training.md | 20 ++++++++++ 3 files changed, 80 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature-enhancement-request.md create mode 100644 .github/ISSUE_TEMPLATE/training.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000..1e7bfe0ed --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,39 @@ +--- +name: Bug report +projects: 'idaholab/1' +about: Something isn't working correctly +title: '' +labels: bug +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots and/or Logs ** +If applicable, attach screenshots or container logs (e.g., the relevant bits of `./scripts/logs`) to help explain your problem. + +**Malcolm Version:** + - Version [e.g. v24.01.0] + +**How are you running Malcolm?** +- [ ] [ISO installed](https://idaholab.github.io/Malcolm/docs/malcolm-hedgehog-e2e-iso-install.html#InstallationExample) (on VM or dedicated hardware) +- [ ] via [Docker](https://idaholab.github.io/Malcolm/docs/malcolm-hedgehog-e2e-iso-install.html#InstallationExample) on [Linux](https://idaholab.github.io/Malcolm/docs/host-config-linux.html#HostSystemConfigLinux) +- [ ] via Docker on [Microsoft Windows](https://idaholab.github.io/Malcolm/docs/host-config-windows.html#HostSystemConfigWindows) +- [ ] via Docker on [macOS](https://idaholab.github.io/Malcolm/docs/host-config-macos.html#HostSystemConfigMac) +- [ ] via [Kubernetes](https://idaholab.github.io/Malcolm/docs/kubernetes.html#Kubernetes) (please provide platform details: e.g., on-prem K3s, Amazon AWS EKS, Microsoft Azure AKS, etc.) +- [ ] other (please describe) + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature-enhancement-request.md b/.github/ISSUE_TEMPLATE/feature-enhancement-request.md new file mode 100644 index 000000000..fe26bb3b1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-enhancement-request.md @@ -0,0 +1,21 @@ +--- +name: Feature/enhancement request +projects: 'idaholab/1' +about: Suggest an idea for Malcolm +title: '' +labels: enhancement +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/ISSUE_TEMPLATE/training.md b/.github/ISSUE_TEMPLATE/training.md new file mode 100644 index 000000000..a41fc6812 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/training.md @@ -0,0 +1,20 @@ +--- +name: Training +projects: 'idaholab/24' +about: Propose a subject for training topics +title: '' +labels: training +assignees: '' + +--- + +**For what topic would you like to see training developed?** +Provide a brief description of the topic to be covered in the training module. + +**What format would be best suited for this training?** +E.g., a video on the [YouTube channel](https://www.youtube.com/c/MalcolmNetworkTrafficAnalysisToolSuite), a section added to the documentation, slides, a document, etc. + +**Is there existing [Malcolm documentation](https://idaholab.github.io/Malcolm/) that could be improved by including this topic?** + +**Additional context** +Add any other context or screenshots about the feature request here. From 26d9a04cee3802f86f631f4747039a0bb299856f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 29 Jul 2024 10:38:54 -0600 Subject: [PATCH 03/65] update README for malcon --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 883ffdfe7..8caa6ec96 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con-'24-Announcement) for information on the first-ever Malcolm community conference, Mal.Con '24! +### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con-'24-Announcement) for information & [register](https://forms.office.com/Pages/ResponsePage.aspx?id=bOfNPG2UEkq7evydCEI1Ss88WRPn8NRIuiwTHruDKhdUMVdZU0pBNFBKQjVCWU9RODI2SEJMUE0yMi4u) the first-ever Malcolm community conference, Mal.Con '24! # Malcolm From 8e6531af9c3f3d1af18a2d3d5ac15d61cf4cfaaf Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 27 Aug 2024 08:19:24 -0600 Subject: [PATCH 04/65] fix python watchdog package at 4.0.2 for now --- Dockerfiles/arkime.Dockerfile | 2 +- Dockerfiles/file-monitor.Dockerfile | 2 +- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/pcap-monitor.Dockerfile | 2 +- Dockerfiles/suricata.Dockerfile | 2 +- hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index d2a6413d2..a6e573a78 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -148,7 +148,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ mkdir -p "${ARKIME_DIR}"/plugins && \ curl -fsSL -o "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" "$(echo "${ARKIME_JA4_SO_URL}" | sed "s/XXX/${DEBARCH}/g")" && \ chmod 755 "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" && \ - python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog && \ + python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==4.0.2 && \ ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \ ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \ diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index fd56e1291..caa686704 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -159,7 +159,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') python-magic \ stream-zip \ supervisor \ - watchdog \ + watchdog==4.0.2 \ yara-python && \ curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \ chmod +x /usr/local/bin/supercronic && \ diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 2df341307..25272e5a3 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -101,7 +101,7 @@ RUN export EVTXARCH=$(uname -m | sed 's/arm64/aarch64/') && \ unar \ unzip \ xz-utils && \ - python3 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog && \ + python3 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog==4.0.2 && \ curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \ chmod +x /usr/local/bin/supercronic && \ curl -fsSL -o /usr/local/bin/yq "${YQ_URL}${BINARCH}" && \ diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index 9efa4aabb..b710fcb23 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -68,7 +68,7 @@ RUN apt-get -q update && \ python-magic \ pyzmq \ requests \ - watchdog && \ + watchdog==4.0.2 && \ groupadd --gid ${DEFAULT_GID} ${PGROUP} && \ useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index 50ae17df7..d2872cac8 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -108,7 +108,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') apt-get install -q -y --no-install-recommends -t bookworm-backports \ suricata=${SURICATA_VERSION_PATTERN} \ suricata-update && \ - python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog && \ + python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog==4.0.2 && \ curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \ chmod +x /usr/local/bin/supercronic && \ curl -fsSL -o /usr/bin/yq "${YQ_URL}${BINARCH}" && \ diff --git a/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot index 981f3ffcb..0667b4b72 100755 --- a/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -20,4 +20,4 @@ pip3 install --break-system-packages --no-compile --no-cache-dir --force-reinsta stix2 \ stream-zip \ taxii2-client \ - watchdog + watchdog==4.0.2 From c559998fd768f2f39429ae99d97201c7ff24826e Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 28 Aug 2024 15:56:15 -0600 Subject: [PATCH 05/65] fix viddy download for virter image --- .../virter/malcolm-setup-01-external-tools.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml index 229af538e..25d5ac511 100644 --- a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml +++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml @@ -26,7 +26,7 @@ if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then "https://github.com/FiloSottile/age|^age-v.+-linux-amd64\.tar\.gz$|/tmp/age.tar.gz" "https://github.com/neilotoole/sq|^sq-.+amd64-amd64\.tar\.gz$|/tmp/sq.tar.gz" "https://github.com/peco/peco|^peco_linux_amd64\.tar\.gz$|/tmp/peco.tar.gz" - "https://github.com/sachaos/viddy|^viddy_Linux_x86_64\.tar\.gz$|/tmp/viddy.tar.gz" + "https://github.com/sachaos/viddy|^viddy-.+-linux-x86_64\.tar\.gz$|/tmp/viddy.tar.gz" "https://github.com/schollz/croc|^croc_.+_Linux-64bit\.tar\.gz$|/tmp/croc.tar.gz" "https://github.com/schollz/hostyoself|^hostyoself_.+_Linux-64bit\.tar\.gz$|/tmp/hostyoself.tar.gz" "https://github.com/smallstep/cli|^step_linux_.+_amd64\.tar\.gz$|/tmp/step.tar.gz" From d6d355fe220420c2144bf8afb4369b0d0e57f090 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 29 Aug 2024 09:07:34 -0600 Subject: [PATCH 06/65] Fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 476ce3b64..23adfc8ea 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con-'24-Announcement) for information & [register](https://forms.office.com/Pages/ResponsePage.aspx?id=bOfNPG2UEkq7evydCEI1Ss88WRPn8NRIuiwTHruDKhdUMVdZU0pBNFBKQjVCWU9RODI2SEJMUE0yMi4u) the first-ever Malcolm community conference, Mal.Con '24! +### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con24-Announcement) for information & [register](https://forms.office.com/Pages/ResponsePage.aspx?id=bOfNPG2UEkq7evydCEI1Ss88WRPn8NRIuiwTHruDKhdUMVdZU0pBNFBKQjVCWU9RODI2SEJMUE0yMi4u) the first-ever Malcolm community conference, Mal.Con '24! # Malcolm From 1b5e003023aa0b876dc100f8def0645ada8283c2 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 10 Sep 2024 11:03:15 -0600 Subject: [PATCH 07/65] remove MalCon reference from readme --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 23adfc8ea..e29837f74 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -### [Click here](https://github.com/cisagov/Malcolm/wiki/Mal.Con24-Announcement) for information & [register](https://forms.office.com/Pages/ResponsePage.aspx?id=bOfNPG2UEkq7evydCEI1Ss88WRPn8NRIuiwTHruDKhdUMVdZU0pBNFBKQjVCWU9RODI2SEJMUE0yMi4u) the first-ever Malcolm community conference, Mal.Con '24! - # Malcolm ![](./docs/images/logo/Malcolm_outline_banner_dark.png) From 36ef9d7f724452e142df85f49c219e99a0f2e174 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 17 Sep 2024 13:50:11 -0600 Subject: [PATCH 08/65] Add opensearch api call to create indices --- dashboards/scripts/shared-object-creation.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh index 8abf9b6cd..8f150b5da 100755 --- a/dashboards/scripts/shared-object-creation.sh +++ b/dashboards/scripts/shared-object-creation.sh @@ -425,6 +425,17 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then # end OpenSearch Tweaks ############################################################################################################################# + + # OpenSearch Create Initial Indices + + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_NETWORK_INDEX_PATTERN%?}initial" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_OTHER_INDEX_PATTERN%?}initial" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + # before we go on to create the anomaly detectors, we need to wait for actual network log documents /data/opensearch_status.sh -w >/dev/null 2>&1 sleep 60 From 3bf882d115bf27775e618705b1f27b8587dca116 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 24 Sep 2024 18:20:29 -0600 Subject: [PATCH 09/65] Add ssh optionn to local.zeek. Use JA4 fork --- .../includes.chroot/usr/local/etc/zeek/local.zeek | 1 + shared/bin/zeek_install_plugins.sh | 2 +- zeek/config/local.zeek | 10 ++++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index a2794d2fe..7ba132d05 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -277,6 +277,7 @@ event zeek_init() &priority=-5 { redef LDAP::default_capture_password = T; @endif +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh index ab535b333..3b7a269f2 100755 --- a/shared/bin/zeek_install_plugins.sh +++ b/shared/bin/zeek_install_plugins.sh @@ -103,7 +103,7 @@ ZKG_GITHUB_URLS=( "https://github.com/corelight/zeek-xor-exe-plugin|master" "https://github.com/corelight/zerologon" "https://github.com/cybera/zeek-sniffpass" - "https://github.com/FoxIO-LLC/ja4" + "https://github.com/piercema/ja4" "https://github.com/mmguero-dev/bzar" "https://github.com/ncsa/bro-is-darknet" "https://github.com/ncsa/bro-simple-scan" diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 7de26a3c7..9182c67f8 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -5,6 +5,7 @@ ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; +global global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; @@ -16,6 +17,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); +global zeek_ja4_ssh_packet_count = getenv("ZEEK_JA4SSH_PACKET_COUNT") global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; @@ -42,6 +44,7 @@ global disable_ics_profinet_io_cm = (getenv("ZEEK_DISABLE_ICS_PROFINET_IO_CM") = global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == true_regex) ? T : F; global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == true_regex) ? T : F; + redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; @@ -276,7 +279,14 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif +@if (is_num(zeek_ja4_ssh_packet_count)) + redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; +@else + redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = 200; +@endif + +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; From 51b1c2fb9ec3f6a8847d775e523a4821c03353ea Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 7 Oct 2024 12:59:49 -0600 Subject: [PATCH 10/65] Fix the bad dashboards that got into v24.09.0, see idaholab/Malcolm#588 --- dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json | 2 +- dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json | 2 +- dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json | 2 +- dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json | 2 +- dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json | 2 +- dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json | 2 +- dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json | 2 +- dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json | 2 +- dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json | 2 +- dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json | 2 +- dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json | 2 +- dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json | 2 +- dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json index 1d7a8e0f5..e434649ee 100644 --- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json +++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 60b26113a..27db8f8a9 100644 --- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index ce72bd1fd..a6fd63905 100644 --- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index 64827ff48..2e2f64890 100644 --- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index 21df165ed..6750c90bd 100644 --- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json +++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json index 69031e2b0..23bd223d4 100644 --- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json +++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index 919af2e88..a48786060 100644 --- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json index 2d3d8d0b0..d5fd80bc8 100644 --- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json +++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index d4a74ebf5..5f4c65802 100644 --- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index b1b74ea1c..462e488b4 100644 --- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json +++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json index a9076e452..374bb560d 100644 --- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json +++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index c604ca109..2a94b378b 100644 --- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json index bfc03d799..bdafb1f1e 100644 --- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json +++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index b28cef539..84da7d3be 100644 --- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ From dac4dad9098953462353e52a954fe31fc416cf2a Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 9 Oct 2024 16:35:00 -0600 Subject: [PATCH 11/65] update versions for demo prep script --- scripts/demo/amazon_linux_2_malcolm_demo_setup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh index 02d93d4fd..9f6f86a32 100755 --- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh @@ -304,7 +304,7 @@ function InstallCommonPackages { # cmake if ! type cmake >/dev/null 2>&1; then - CMAKE_VERSION=3.26.4 + CMAKE_VERSION=3.30.5 curl -sSL -O -J "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz" tar xvf cmake-"${CMAKE_VERSION}".tar.gz pushd cmake-"${CMAKE_VERSION}" >/dev/null 2>&1 @@ -315,8 +315,8 @@ function InstallCommonPackages { fi # wireshark - WIRESHARK_VERSION=3.6.14 - curl -sSL -O -J "https://2.na.dl.wireshark.org/src/wireshark-${WIRESHARK_VERSION}.tar.xz" + WIRESHARK_VERSION=3.6.24 + curl -sSL -O -J "https://1.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz" tar xvf wireshark-"${WIRESHARK_VERSION}".tar.xz pushd wireshark-"${WIRESHARK_VERSION}" >/dev/null 2>&1 mkdir -p build From 408dd700e87058457abe440f951d3d506875545f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 10 Oct 2024 09:22:03 -0600 Subject: [PATCH 12/65] demo script fixes --- scripts/demo/Vagrantfile | 58 ++-- ...> amazon_linux_2023_malcolm_demo_setup.sh} | 257 ++++++------------ 2 files changed, 112 insertions(+), 203 deletions(-) rename scripts/demo/{amazon_linux_2_malcolm_demo_setup.sh => amazon_linux_2023_malcolm_demo_setup.sh} (72%) diff --git a/scripts/demo/Vagrantfile b/scripts/demo/Vagrantfile index bf4cfcbbc..6d5d9e480 100644 --- a/scripts/demo/Vagrantfile +++ b/scripts/demo/Vagrantfile @@ -1,29 +1,25 @@ # Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. -class VagrantPlugins::ProviderVirtualBox::Action::Network - def dhcp_server_matches_config?(dhcp_server, config) - true - end -end - Vagrant.configure("2") do |config| - config.vm.box = "bento/amazonlinux-2" + config.vm.box = "bento/amazonlinux-2023" config.vm.synced_folder '.', '/vagrant', disabled: false config.vm.network "private_network", type: "dhcp" config.vm.network "forwarded_port", protocol: "tcp", guest: 443, host: 8443, host_ip: "0.0.0.0" - if Vagrant.has_plugin?("vagrant-vbguest") - config.vbguest.auto_update = false - end + # uncomment the section for the provider you're using - config.vm.provider "virtualbox" do |vb| - vb.cpus = 8 - vb.memory = 24576 - config.vm.disk :disk, size: "150G" - end + # if Vagrant.has_plugin?("vagrant-vbguest") + # config.vbguest.auto_update = false + # end + + # config.vm.provider "virtualbox" do |vb| + # vb.cpus = 8 + # vb.memory = 24576 + # config.vm.disk :disk, size: "150GB", name: "vbextra" + # end config.vm.provider "libvirt" do |libvirt| libvirt.cpus = 8 @@ -40,21 +36,20 @@ Vagrant.configure("2") do |config| libvirt.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio' libvirt.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio' libvirt.random :model => 'random' - libvirt.storage :file, :size => '150G' + libvirt.storage :file, :size => '150GB' end + # config.vm.provider "vmware_desktop" do |vd| + # vd.cpus = 8 + # vd.memory = 24576 + # config.vm.disk :disk, size: "150GB", name: "vdextra" + # end - config.vm.provider "vmware_desktop" do |vd| - vd.cpus = 8 - vd.memory = 24576 - config.vm.disk :disk, size: "150G" - end - - config.vm.provider "vmware_fusion" do |vf| - vf.cpus = 8 - vf.memory = 24576 - config.vm.disk :disk, size: "150G" - end + # config.vm.provider "vmware_fusion" do |vf| + # vf.cpus = 8 + # vf.memory = 24576 + # config.vm.disk :disk, size: "150GB", name: "vfextra" + # end config.vm.provision "shell", privileged: true, inline: <<-STEP0 yum install -y btrfs-progs @@ -78,18 +73,13 @@ Vagrant.configure("2") do |config| rmdir /home.old fi cd /tmp - ( uname -r | grep -q "^4" ) && amazon-linux-extras install -y kernel-5.10 STEP0 config.vm.provision :reload - config.vm.provision "shell", privileged: true, inline: <<-STEP1 - package-cleanup -y --oldkernels --count=1 - STEP1 - config.vm.provision "shell", privileged: false, inline: <<-STEP2 mkdir -p ~/.local/bin ~/.config - curl -sSL -o ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh - chmod 755 ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh + curl -sSL -o ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh + chmod 755 ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh MALCOLM_SETUP_NONINTERACTIVE=1 ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh STEP2 diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh similarity index 72% rename from scripts/demo/amazon_linux_2_malcolm_demo_setup.sh rename to scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh index 9f6f86a32..d8d7e8182 100755 --- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh @@ -3,12 +3,12 @@ # Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################### -# for setting up a Malcolm demo instance on an Amazon Linux 2 instance from scratch +# for setting up a Malcolm demo instance on an Amazon Linux 2023 instance from scratch # -# so far I have had the best luck on c4.4xlarge (16 CPU, 30 GB RAM) and -# t3a.2xlarge (8 CPU, 32 GB RAM) +# I've used: +# - for x86-64 instances `c4.4xlarge`, `t2.2xlarge`, and `t3a.2xlarge` +# - for arm64 instances `m6gd.2xlarge`, `m6g.2xlarge`, `m7g.2xlarge`, and `t4g.2xlarge` # - ################################################################################### # initialize @@ -17,8 +17,8 @@ if [[ -z "$BASH_VERSION" ]]; then exit 1 fi -if ! type amazon-linux-extras >/dev/null 2>&1; then - echo "This command only targets Amazon Linux 2" >&2 +if [[ "$(awk -F= '$1=="PLATFORM_ID" { print $2 ;}' /etc/os-release | tr -d '"')" != "platform:al2023" ]]; then + echo "This command only targets Amazon Linux 2023" >&2 exit 1 fi @@ -39,6 +39,8 @@ else SUDO_CMD="sudo" fi +LINUX_CPU=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') + # default user paths LOCAL_DATA_PATH=${XDG_DATA_HOME:-$HOME/.local/share} LOCAL_BIN_PATH=$HOME/.local/bin @@ -51,10 +53,16 @@ MALCOLM_SETUP_NONINTERACTIVE=${MALCOLM_SETUP_NONINTERACTIVE:-0} # variables for env development environments and tools ENV_LIST=( age + bat + direnv + eza fd + fzf jq - yq + peco ripgrep + viddy + yq ) ################################################################################### @@ -99,7 +107,7 @@ function InstallEssentialPackages { else echo "Installing curl, git, and jq..." >&2 $SUDO_CMD yum update -y >/dev/null 2>&1 && \ - $SUDO_CMD yum install -y curl git jq + $SUDO_CMD yum install -y curl-minimal git jq fi } @@ -198,8 +206,11 @@ function InstallEnvPackages { if python3 -m pip -V >/dev/null 2>&1; then python3 -m pip install --user -U \ dateparser \ + kubernetes \ mmguero \ - requests + python-dotenv \ + requests \ + ruamel-yaml fi fi @@ -207,7 +218,7 @@ function InstallEnvPackages { } ################################################################################ -# InstallDocker - install Docker and enable it as a service, and install docker-compose +# InstallDocker - install Docker and enable it as a service, and install docker compose function InstallDocker { # install docker-ce, if needed @@ -218,7 +229,7 @@ function InstallDocker { InstallEssentialPackages $SUDO_CMD yum update -y >/dev/null 2>&1 && \ - $SUDO_CMD amazon-linux-extras install -y docker + $SUDO_CMD yum install -y docker $SUDO_CMD systemctl enable docker $SUDO_CMD systemctl start docker @@ -253,42 +264,23 @@ function InstallDocker { } ################################################################################ -# InstallCommonPackages - install yum and amazon-linux-extras packages, and build -# the non-GUI version of wireshark from source (for editcap/capinfos/tshark) +# InstallCommonPackages - install packages from yum function InstallCommonPackages { CONFIRMATION=$(_GetConfirmation "Install common packages [Y/n]?" Y) if [[ $CONFIRMATION =~ ^[Yy] ]]; then $SUDO_CMD yum update -y >/dev/null 2>&1 - $SUDO_CMD yum groupinstall -y 'Development Tools' - - PACKAGE_LIST=( - python3.8 - ) - # install the packages from amazon-linux-extras - for i in ${PACKAGE_LIST[@]}; do - $SUDO_CMD amazon-linux-extras install -y "$i" - done - $SUDO_CMD ln -s -r -f /usr/bin/python3.8 /usr/bin/python3 - $SUDO_CMD ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3 PACKAGE_LIST=( - c-ares-devel - flex - gcc - gcc-c++ - glib2-devel + cronie httpd-tools - libgcrypt-devel - libpcap-devel - lua-devel - make - ninja-build openssl - openssl-devel + python3-pip + python3-setuptools + python3-wheel tmux - zlib-devel + wireshark-cli xz ) # install the packages from yum @@ -296,68 +288,28 @@ function InstallCommonPackages { $SUDO_CMD yum install -y "$i" done - # wireshark (for capinfos/editcap) in repo is FLIPPIN' old, why? - # guess we'll have to build from source - if ! type tshark >/dev/null 2>&1; then - export SOURCE_DIR="$(mktemp -d)" - pushd "$SOURCE_DIR" >/dev/null 2>&1 - - # cmake - if ! type cmake >/dev/null 2>&1; then - CMAKE_VERSION=3.30.5 - curl -sSL -O -J "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz" - tar xvf cmake-"${CMAKE_VERSION}".tar.gz - pushd cmake-"${CMAKE_VERSION}" >/dev/null 2>&1 - ./bootstrap --prefix=/usr - make - $SUDO_CMD make install - popd >/dev/null 2>&1 - fi - - # wireshark - WIRESHARK_VERSION=3.6.24 - curl -sSL -O -J "https://1.na.dl.wireshark.org/src/all-versions/wireshark-${WIRESHARK_VERSION}.tar.xz" - tar xvf wireshark-"${WIRESHARK_VERSION}".tar.xz - pushd wireshark-"${WIRESHARK_VERSION}" >/dev/null 2>&1 - mkdir -p build - pushd "build" >/dev/null 2>&1 - cmake -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_wireshark=OFF -G Ninja .. - ninja-build - $SUDO_CMD ninja-build install - popd >/dev/null 2>&1 - popd >/dev/null 2>&1 - - popd >/dev/null 2>&1 - rm -rf "$SOURCE_DIR" - fi - fi # install common packages confirmation } ################################################################################ # _InstallCroc - schollz/croc: easily and securely send things from one computer to another function _InstallCroc { - mkdir -p "$LOCAL_BIN_PATH" "$LOCAL_DATA_PATH"/bash-completion/completions - - CROC_RELEASE="$(_GitLatestRelease schollz/croc | sed 's/^v//')" - TMP_CLONE_DIR="$(mktemp -d)" - curl -L "https://github.com/schollz/croc/releases/download/v${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz" | tar xvzf - -C "${TMP_CLONE_DIR}" - cp -f "${TMP_CLONE_DIR}"/croc "$LOCAL_BIN_PATH"/croc - cp -f "${TMP_CLONE_DIR}"/bash_autocomplete "$LOCAL_DATA_PATH"/bash-completion/completions/croc.bash - chmod 755 "$LOCAL_BIN_PATH"/croc - rm -rf "$TMP_CLONE_DIR" -} - -################################################################################ -# _InstallBat - sharkdp/bat: a cat(1) clone with wings -function _InstallBat { mkdir -p "$LOCAL_BIN_PATH" - BAT_RELEASE="$(_GitLatestRelease sharkdp/bat)" + CROC_RELEASE="$(_GitLatestRelease schollz/croc)" TMP_CLONE_DIR="$(mktemp -d)" - curl -L "https://github.com/sharkdp/bat/releases/download/${BAT_RELEASE}/bat-${BAT_RELEASE}-x86_64-unknown-linux-musl.tar.gz" | tar xvzf - -C "${TMP_CLONE_DIR}" --strip-components 1 - cp -f "${TMP_CLONE_DIR}"/bat "$LOCAL_BIN_PATH"/bat - chmod 755 "$LOCAL_BIN_PATH"/bat + if [[ "$LINUX_CPU" == "arm64" ]]; then + CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-ARM64.tar.gz" + elif [[ "$LINUX_CPU" == "amd64" ]]; then + CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz" + else + CROC_URL= + fi + if [[ -n "$CROC_URL" ]]; then + curl -sSL "$CROC_URL" | tar xvzf - -C "${TMP_CLONE_DIR}" + cp -f "${TMP_CLONE_DIR}"/croc "$LOCAL_BIN_PATH"/croc + chmod 755 "$LOCAL_BIN_PATH"/croc + fi rm -rf "$TMP_CLONE_DIR" } @@ -367,27 +319,19 @@ function _InstallBoringProxy { mkdir -p "$LOCAL_BIN_PATH" BORING_RELEASE="$(_GitLatestRelease boringproxy/boringproxy)" - curl -L -o "${LOCAL_BIN_PATH}"/boringproxy.new "https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64" - chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new - [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && rm -f "$LOCAL_BIN_PATH"/boringproxy - mv "$LOCAL_BIN_PATH"/boringproxy.new "$LOCAL_BIN_PATH"/boringproxy -} - -################################################################################ -# _InstallNgrok - inconshreveable/ngrok: secure introspectable tunnels to localhost -function _InstallNgrok { - mkdir -p "$LOCAL_BIN_PATH" - - TMP_CLONE_DIR="$(mktemp -d)" - curl -L -o "${TMP_CLONE_DIR}"/ngrok.zip -L "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip" - pushd "$TMP_CLONE_DIR" >/dev/null 2>&1 - unzip ./ngrok.zip - mv ./ngrok "$LOCAL_BIN_PATH"/ngrok.new - chmod 755 "$LOCAL_BIN_PATH"/ngrok.new - [[ -f "$LOCAL_BIN_PATH"/ngrok ]] && rm -f "$LOCAL_BIN_PATH"/ngrok - mv "$LOCAL_BIN_PATH"/ngrok.new "$LOCAL_BIN_PATH"/ngrok - popd >/dev/null 2>&1 - rm -rf "$TMP_CLONE_DIR" + if [[ "$LINUX_CPU" == "arm64" ]]; then + BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-arm64" + elif [[ "$LINUX_CPU" == "amd64" ]]; then + BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64" + else + BORING_URL= + fi + if [[ -n "$BORING_URL" ]]; then + curl -sSL -o "${LOCAL_BIN_PATH}"/boringproxy.new "$BORING_URL" + chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new + [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && rm -f "$LOCAL_BIN_PATH"/boringproxy + mv "$LOCAL_BIN_PATH"/boringproxy.new "$LOCAL_BIN_PATH"/boringproxy + fi } ################################################################################ @@ -396,8 +340,6 @@ function InstallUserLocalBinaries { CONFIRMATION=$(_GetConfirmation "Install user-local binaries/packages [Y/n]?" Y) if [[ $CONFIRMATION =~ ^[Yy] ]]; then [[ ! -f "${LOCAL_BIN_PATH}"/croc ]] && _InstallCroc - [[ ! -f "${LOCAL_BIN_PATH}"/bat ]] && _InstallBat - [[ ! -f "${LOCAL_BIN_PATH}"/ngrok ]] && _InstallNgrok [[ ! -f "${LOCAL_BIN_PATH}"/boringproxy ]] && _InstallBoringProxy fi } @@ -413,8 +355,7 @@ function CreateCommonLinuxConfig { mkdir -p "$HOME/tmp" \ "$HOME/devel" \ - "$LOCAL_BIN_PATH" \ - "$LOCAL_DATA_PATH"/bash-completion/completions + "$LOCAL_BIN_PATH" [[ ! -f ~/.vimrc ]] && echo "set nocompatible" > ~/.vimrc @@ -438,7 +379,7 @@ function SystemConfig { kernel.dmesg_restrict=0 # the maximum number of open file handles -fs.file-max=65536 +fs.file-max=518144 # the maximum number of user inotify watches fs.inotify.max_user_watches=131072 @@ -470,6 +411,8 @@ EOT * hard nofile 65535 * soft memlock unlimited * hard memlock unlimited +* soft nproc 262144 +* hard nproc 524288 EOT fi # limits.conf confirmation fi # limits.conf check @@ -477,7 +420,7 @@ EOT if [[ -f /etc/default/grub ]] && ! grep -q cgroup /etc/default/grub; then CONFIRMATION=$(_GetConfirmation "Tweak kernel parameters in grub (cgroup, etc.) [Y/n]?" Y) if [[ $CONFIRMATION =~ ^[Yy] ]]; then - $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& random.trust_cpu=on cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem/' /etc/default/grub + $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& systemd.unified_cgroup_hierarchy=1 cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem random.trust_cpu=on preempt=voluntary/' /etc/default/grub $SUDO_CMD grub2-mkconfig -o /boot/grub2/grub.cfg fi # grub confirmation fi # grub check @@ -515,9 +458,6 @@ function SGroverDotfiles { [[ -r "$SGROVER_GITHUB_PATH"/git/gitignore_global ]] && rm -vf ~/.gitignore_global && \ ln -vrs "$SGROVER_GITHUB_PATH"/git/gitignore_global ~/.gitignore_global - [[ -r "$SGROVER_GITHUB_PATH"/git/git_clone_all.sh ]] && rm -vf "$LOCAL_BIN_PATH"/git_clone_all.sh && \ - ln -vrs "$SGROVER_GITHUB_PATH"/git/git_clone_all.sh "$LOCAL_BIN_PATH"/git_clone_all.sh - [[ -r "$SGROVER_GITHUB_PATH"/linux/tmux/tmux.conf ]] && rm -vf ~/.tmux.conf && \ ln -vrs "$SGROVER_GITHUB_PATH"/linux/tmux/tmux.conf ~/.tmux.conf @@ -545,46 +485,41 @@ function InstallMalcolm { if [[ $CONFIRMATION =~ ^[Yy] ]]; then if _GitClone https://github.com/idaholab/Malcolm "$MALCOLM_PATH"; then pushd "$MALCOLM_PATH" >/dev/null 2>&1 - python3 ./scripts/install.py -c -d - CONFIG_PAIRS=( - "CAPA_MAX_REQUESTS:2" - "CLAMD_MAX_REQUESTS:4" - "EXTRACTED_FILE_ENABLE_CAPA:'true'" - "EXTRACTED_FILE_ENABLE_CLAMAV:'true'" - "EXTRACTED_FILE_ENABLE_YARA:'true'" - "EXTRACTED_FILE_HTTP_SERVER_ENABLE:'true'" - "EXTRACTED_FILE_IGNORE_EXISTING:'true'" - "EXTRACTED_FILE_PRESERVATION:'all'" - "FREQ_LOOKUP:'true'" - "LOGSTASH_OUI_LOOKUP:'true'" - "LOGSTASH_REVERSE_DNS:'true'" - "LOGSTASH_SEVERITY_SCORING:'true'" - "PCAP_PIPELINE_IGNORE_PREEXISTING:'true'" - "PCAP_PIPELINE_POLLING:'true'" - "YARA_MAX_REQUESTS:4" - "ZEEK_AUTO_ANALYZE_PCAP_FILES:'true'" - "ZEEK_DISABLE_BEST_GUESS_ICS:''" - "ZEEK_EXTRACTOR_MODE:'all'" - # "NGINX_BASIC_AUTH:'no_authentication'" - ) - for i in ${CONFIG_PAIRS[@]}; do - KEY="$(echo "$i" | cut -d':' -f1)" - VALUE="$(echo "$i" | cut -d':' -f2)" - for CONFIG in docker-compose-dev.yml docker-compose.yml; do - sed -i "s/\(^[[:space:]]*$KEY[[:space:]]*:[[:space:]]*\).*/\1$VALUE/g" "$CONFIG" - done - done - mkdir -p ./config - touch ./config/auth.env + python3 ./scripts/configure \ + --defaults \ + --runtime docker + --malcolm-profile \ + --restart-malcolm \ + --auto-arkime \ + --auto-suricata \ + --auto-zeek \ + --zeek-ics \ + --zeek-ics-best-guess \ + --auto-oui \ + --auto-freq \ + --file-extraction notcommtxt \ + --file-preservation quarantined \ + --extracted-file-server \ + --extracted-file-server-password infected \ + --extracted-file-server-zip \ + --extracted-file-capa \ + --extracted-file-clamav \ + --extracted-file-yara \ + --netbox \ + --netbox-enrich \ + --netbox-autopopulate \ + --netbox-auto-prefixes \ + --netbox-site-name "$(hostname -s)" + grep image: docker-compose.yml | awk '{print $2}' | sort -u | xargs -l -r $SUDO_CMD docker pull echo "Please run $MALCOLM_PATH/scripts/auth_setup to complete configuration" >&2 popd >/dev/null 2>&1 fi pushd "$LOCAL_BIN_PATH" >/dev/null 2>&1 - curl -sSL -J -O https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/demo/reset_and_auto_populate.sh + ln -f -s -r "$MALCOLM_PATH"/scripts/demo/reset_and_auto_populate.sh ./reset_and_auto_populate.sh curl -sSL -J -O https://raw.githubusercontent.com/mmguero-dev/Malcolm-PCAP/main/tools/pcap_time_shift.py - chmod 755 reset_and_auto_populate.sh pcap_time_shift.py + chmod 755 pcap_time_shift.py popd >/dev/null 2>&1 CONFIRMATION=$(_GetConfirmation "Set up crontab for starting/resetting Malcolm? [y/N]?" N) @@ -624,22 +559,6 @@ function SetupConnectivity { fi fi - # ngrok - if ! ( crontab -l | grep -q ngrok ); then - CONFIRMATION=$(_GetConfirmation "Configure ngrok [y/N]?" N) - if [[ $CONFIRMATION =~ ^[Yy] ]]; then - [[ ! -f "${LOCAL_BIN_PATH}"/ngrok ]] && _InstallNgrok - TOKEN=$(_GetString "ngrok token:" "") - if [[ -n "$TOKEN" ]]; then - "${LOCAL_BIN_PATH}"/ngrok authtoken "$TOKEN" - ((echo 'SHELL=/bin/bash') ; \ - (( crontab -l | grep . | grep -v ^SHELL= ; \ - echo "@reboot sleep 180 && ( nohup ${LOCAL_BIN_PATH}/ngrok http https://localhost >/dev/null 2>&1 /dev/null 2>&1 /dev/null 2>&1 Date: Thu, 10 Oct 2024 10:13:25 -0600 Subject: [PATCH 13/65] demo/AWS AMI build updates from Amazon Linux 2 to Amazon Linux 2023 --- docs/third-party-envs.md | 14 +-- .../amazon_linux_2023_malcolm_demo_setup.sh | 4 + .../aws/ami/packer_build.json | 4 +- .../aws/ami/scripts/Malcolm_AMI_Setup.sh | 98 +++++++++++++++---- 4 files changed, 94 insertions(+), 26 deletions(-) diff --git a/docs/third-party-envs.md b/docs/third-party-envs.md index 134b9b1ad..b20347f60 100644 --- a/docs/third-party-envs.md +++ b/docs/third-party-envs.md @@ -43,7 +43,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro amazon-ebs: output will be in this color. ==> amazon-ebs: Prevalidating any provided VPC information - ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z + ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.0-x86_64-2024-10-10T15-41-32Z amazon-ebs: Found Image ID: ami-xxxxxxxxxxxxxxxxx ... @@ -54,15 +54,15 @@ The files referenced in this section can be found in [scripts/third-party-enviro ==> amazon-ebs: Tagging snapshot: snap-xxxxxxxxxxxxxxxxx ==> amazon-ebs: Creating AMI tags amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.0" - amazon-ebs: Adding tag: "source_ami_name": "amzn2-ami-kernel-5.10-hvm-2.0.20240521.0-arm64-gp2" + amazon-ebs: Adding tag: "source_ami_name": "al2023-ami-ecs-hvm-2023.0.20241003-kernel-6.1-x86_64" ==> amazon-ebs: Creating snapshot tags ==> amazon-ebs: Terminating the source AWS instance... ==> amazon-ebs: Cleaning up any extra volumes... ==> amazon-ebs: No volumes to clean up, skipping ==> amazon-ebs: Deleting temporary keypair... - Build 'amazon-ebs' finished after 23 minutes 58 seconds. + Build 'amazon-ebs' finished after 19 minutes 57 seconds. - ==> Wait completed after 23 minutes 58 seconds + ==> Wait completed after 19 minutes 57 seconds ==> Builds finished. The artifacts of successful builds are: --> amazon-ebs: AMIs were created: @@ -76,7 +76,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro { "Images": [ { - "Architecture": "arm64", + "Architecture": "x86_64", "CreationDate": "2024-05-30T14:02:21.000Z", "ImageId": "ami-xxxxxxxxxxxxxxxxx", "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z", @@ -92,7 +92,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro "Ebs": { "DeleteOnTermination": true, "SnapshotId": "snap-xxxxxxxxxxxxxxxxx", - "VolumeSize": 20, + "VolumeSize": 30, "VolumeType": "gp2", "Encrypted": false } @@ -111,7 +111,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro }, { "Key": "source_ami_name", - "Value": "amzn2-ami-kernel-5.10-hvm-2.0.20240521.0-arm64-gp2" + "Value": "al2023-ami-ecs-hvm-2023.0.20241003-kernel-6.1-x86_64" } ], "VirtualizationType": "hvm", diff --git a/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh index d8d7e8182..01ae3f153 100755 --- a/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh @@ -209,6 +209,7 @@ function InstallEnvPackages { kubernetes \ mmguero \ python-dotenv \ + pythondialog \ requests \ ruamel-yaml fi @@ -274,6 +275,7 @@ function InstallCommonPackages { PACKAGE_LIST=( cronie + dialog httpd-tools openssl python3-pip @@ -413,6 +415,8 @@ EOT * hard memlock unlimited * soft nproc 262144 * hard nproc 524288 +* soft core 0 +* hard core 0 EOT fi # limits.conf confirmation fi # limits.conf check diff --git a/scripts/third-party-environments/aws/ami/packer_build.json b/scripts/third-party-environments/aws/ami/packer_build.json index 2d8f2c0d8..39047f548 100644 --- a/scripts/third-party-environments/aws/ami/packer_build.json +++ b/scripts/third-party-environments/aws/ami/packer_build.json @@ -39,7 +39,7 @@ "filters": { "architecture": "{{user `instance_arch`}}", "virtualization-type": "hvm", - "name": "amzn2-ami-kernel-5.10-hvm-*-{{user `instance_arch`}}-gp2", + "name": "al2023-ami-ecs-hvm-*-kernel-6.1-{{user `instance_arch`}}", "root-device-type": "ebs" }, "owners": [ @@ -56,7 +56,7 @@ { "device_name": "/dev/xvda", "volume_type": "gp2", - "volume_size": 20, + "volume_size": 30, "delete_on_termination": true } ], diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh index efef73f38..770cb8199 100755 --- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh +++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh @@ -2,7 +2,7 @@ # Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. -# Configure Amazon Linux 2 and install Malcolm +# Configure Amazon Linux 2023 and install Malcolm ############################################################################### # script options @@ -18,9 +18,9 @@ if [[ -z "$BASH_VERSION" ]]; then exit 1 fi -if ! command -v amazon-linux-extras >/dev/null 2>&1; then - echo "This script only targets Amazon Linux 2" >&2 - exit 1 +if [[ "$(awk -F= '$1=="PLATFORM_ID" { print $2 ;}' /etc/os-release | tr -d '"')" != "platform:al2023" ]]; then + echo "This command only targets Amazon Linux 2023" >&2 + exit 1 fi ############################################################################### @@ -70,6 +70,7 @@ MALCOLM_USER="$(id -nu $MALCOLM_UID)" MALCOLM_USER_GROUP="$(id -gn $MALCOLM_UID)" MALCOLM_USER_HOME="$(getent passwd "$MALCOLM_USER" | cut -d: -f6)" MALCOLM_URL="https://codeload.github.com/$MALCOLM_REPO/tar.gz/$MALCOLM_TAG" +LINUX_CPU=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') IMAGE_ARCH_SUFFIX="$(uname -m | sed 's/^x86_64$//' | sed 's/^arm64$/-arm64/' | sed 's/^aarch64$/-arm64/')" ################################################################################### @@ -79,31 +80,32 @@ function InstallEssentialPackages { # install the package(s) from yum $SUDO_CMD yum install -y \ - curl \ + cronie \ + curl-minimal \ dialog \ + git \ httpd-tools \ make \ openssl \ tmux \ xz - } ################################################################################ # InstallPythonPackages - install specific python packages function InstallPythonPackages { - echo "Installing Python 3.8 and pip packages..." >&2 + echo "Installing Python 3 and pip packages..." >&2 [[ $EUID -eq 0 ]] && USERFLAG="" || USERFLAG="--user" - # install the package(s) from amazon-linux-extras - $SUDO_CMD amazon-linux-extras install -y \ - python3.8 - - $SUDO_CMD ln -s -r -f /usr/bin/python3.8 /usr/bin/python3 - $SUDO_CMD ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3 + $SUDO_CMD yum install -y \ + python3-pip \ + python3-setuptools \ + python3-wheel - $SUDO_CMD /usr/bin/python3.8 -m pip install $USERFLAG -U \ + $SUDO_CMD /usr/bin/python3 -m pip install $USERFLAG -U \ + dateparser \ + kubernetes \ python-dotenv \ pythondialog \ ruamel.yaml \ @@ -119,7 +121,8 @@ function InstallDocker { # install docker, if needed if ! command -v docker >/dev/null 2>&1 ; then - $SUDO_CMD amazon-linux-extras install -y docker + $SUDO_CMD yum update -y >/dev/null 2>&1 && \ + $SUDO_CMD yum install -y docker $SUDO_CMD systemctl enable docker $SUDO_CMD systemctl start docker @@ -163,7 +166,7 @@ function SystemConfig { kernel.dmesg_restrict=0 # the maximum number of open file handles -fs.file-max=65536 +fs.file-max=518144 # the maximum number of user inotify watches fs.inotify.max_user_watches=131072 @@ -200,11 +203,71 @@ EOT fi # limits.conf check if [[ -f /etc/default/grub ]] && ! grep -q cgroup /etc/default/grub; then - $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& random.trust_cpu=on cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem/' /etc/default/grub + $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& systemd.unified_cgroup_hierarchy=1 cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem random.trust_cpu=on preempt=voluntary/' /etc/default/grub $SUDO_CMD grub2-mkconfig -o /boot/grub2/grub.cfg fi # grub check } +################################################################################### +# _GitLatestRelease - query the latest version from a github project's releases +function _GitLatestRelease { + if [[ -n "$1" ]]; then + (set -o pipefail && curl -sL -f "https://api.github.com/repos/$1/releases/latest" | jq '.tag_name' | sed -e 's/^"//' -e 's/"$//' ) || \ + (set -o pipefail && curl -sL -f "https://api.github.com/repos/$1/releases" | jq '.[0].tag_name' | sed -e 's/^"//' -e 's/"$//' ) || \ + echo unknown + else + echo "unknown">&2 + fi +} + +################################################################################ +# _InstallCroc - schollz/croc: easily and securely send things from one computer to another +function _InstallCroc { + CROC_RELEASE="$(_GitLatestRelease schollz/croc)" + TMP_CLONE_DIR="$(mktemp -d)" + if [[ "$LINUX_CPU" == "arm64" ]]; then + CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-ARM64.tar.gz" + elif [[ "$LINUX_CPU" == "amd64" ]]; then + CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz" + else + CROC_URL= + fi + if [[ -n "$CROC_URL" ]]; then + curl -sSL "$CROC_URL" | tar xvzf - -C "${TMP_CLONE_DIR}" + $SUDO_CMD cp -f "${TMP_CLONE_DIR}"/croc /usr/bin/croc + $SUDO_CMD chmod 755 /usr/bin/croc + $SUDO_CMD chown root:root /usr/bin/croc + fi + rm -rf "$TMP_CLONE_DIR" +} + +################################################################################ +# _InstallBoringProxy - boringproxy/boringproxy: a reverse proxy and tunnel manager +function _InstallBoringProxy { + BORING_RELEASE="$(_GitLatestRelease boringproxy/boringproxy)" + if [[ "$LINUX_CPU" == "arm64" ]]; then + BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-arm64" + elif [[ "$LINUX_CPU" == "amd64" ]]; then + BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64" + else + BORING_URL= + fi + if [[ -n "$BORING_URL" ]]; then + curl -sSL -o "${LOCAL_BIN_PATH}"/boringproxy.new "$BORING_URL" + chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new + [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && $SuDO_CMD rm -f /usr/bin/boringproxy + $SUDO_CMD mv "$LOCAL_BIN_PATH"/boringproxy.new /usr/bin/boringproxy + $SUDO_CMD chown root:root /usr/bin/boringproxy + fi +} + +################################################################################ +# InstallUserLocalBinaries - install various tools to LOCAL_BIN_PATH +function InstallUserLocalBinaries { + [[ ! -f /usr/bin/croc ]] && _InstallCroc + [[ ! -f /usr/bin/boringproxy ]] && _InstallBoringProxy +} + ################################################################################ # InstallMalcolm - clone and configure Malcolm and grab some sample PCAP function InstallMalcolm { @@ -276,6 +339,7 @@ EOF SystemConfig InstallEssentialPackages +InstallUserLocalBinaries InstallPythonPackages InstallDocker InstallMalcolm From 03596a24d9e10aadbf1d68c72ae8fc66d20e2997 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 10 Oct 2024 12:28:02 -0600 Subject: [PATCH 14/65] demo script fixes --- .../amazon_linux_2023_malcolm_demo_setup.sh | 14 ++++++++++---- .../aws/ami/scripts/Malcolm_AMI_Setup.sh | 18 ++++++++++++------ 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh index 01ae3f153..952e7a76f 100755 --- a/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh @@ -39,6 +39,12 @@ else SUDO_CMD="sudo" fi +$SUDO_CMD mkdir -p /etc/sudoers.d/ +echo 'Defaults umask = 0022' | ($SUDO_CMD su -c 'EDITOR="tee" visudo -f /etc/sudoers.d/99-default-umask') +echo 'Defaults umask_override' | ($SUDO_CMD su -c 'EDITOR="tee -a" visudo -f /etc/sudoers.d/99-default-umask') +$SUDO_CMD chmod 440 /etc/sudoers.d/99-default-umask +umask 0022 + LINUX_CPU=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') # default user paths @@ -209,9 +215,7 @@ function InstallEnvPackages { kubernetes \ mmguero \ python-dotenv \ - pythondialog \ - requests \ - ruamel-yaml + pythondialog fi fi @@ -279,6 +283,8 @@ function InstallCommonPackages { httpd-tools openssl python3-pip + python3-requests+security + python3-ruamel-yaml python3-setuptools python3-wheel tmux @@ -491,7 +497,7 @@ function InstallMalcolm { pushd "$MALCOLM_PATH" >/dev/null 2>&1 python3 ./scripts/configure \ --defaults \ - --runtime docker + --runtime docker \ --malcolm-profile \ --restart-malcolm \ --auto-arkime \ diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh index 770cb8199..4594eddce 100755 --- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh +++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh @@ -66,6 +66,13 @@ if [[ $EUID -eq 0 ]]; then else SUDO_CMD="sudo" fi + +$SUDO_CMD mkdir -p /etc/sudoers.d/ +echo 'Defaults umask = 0022' | ($SUDO_CMD su -c 'EDITOR="tee" visudo -f /etc/sudoers.d/99-default-umask') +echo 'Defaults umask_override' | ($SUDO_CMD su -c 'EDITOR="tee -a" visudo -f /etc/sudoers.d/99-default-umask') +$SUDO_CMD chmod 440 /etc/sudoers.d/99-default-umask +umask 0022 + MALCOLM_USER="$(id -nu $MALCOLM_UID)" MALCOLM_USER_GROUP="$(id -gn $MALCOLM_UID)" MALCOLM_USER_HOME="$(getent passwd "$MALCOLM_USER" | cut -d: -f6)" @@ -101,16 +108,15 @@ function InstallPythonPackages { $SUDO_CMD yum install -y \ python3-pip \ python3-setuptools \ - python3-wheel + python3-wheel \ + python3-ruamel-yaml \ + python3-requests+security $SUDO_CMD /usr/bin/python3 -m pip install $USERFLAG -U \ dateparser \ kubernetes \ python-dotenv \ - pythondialog \ - ruamel.yaml \ - requests \ - urllib3==1.26.19 + pythondialog } ################################################################################ @@ -331,7 +337,7 @@ EOT fi EOF - chown -R $MALCOLM_USER:$MALCOLM_USER_GROUP "$MALCOLM_USER_HOME" + $SUDO_CMD chown -R $MALCOLM_USER:$MALCOLM_USER_GROUP "$MALCOLM_USER_HOME" } ################################################################################ From 98b2546e169138a83de29c2798505335f6e47044 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 10 Oct 2024 14:34:46 -0600 Subject: [PATCH 15/65] bump for v24.10.1 --- docker-compose-dev.yml | 46 +++++----- docker-compose.yml | 46 +++++----- docs/api-version.md | 2 +- docs/contributing-github-runners.md | 48 +++++----- docs/contributing-pcap.md | 2 +- docs/hedgehog-iso-build.md | 2 +- docs/kubernetes.md | 88 +++++++++---------- docs/malcolm-iso.md | 2 +- docs/quickstart.md | 38 ++++---- docs/third-party-envs.md | 10 +-- docs/ubuntu-install-example.md | 38 ++++---- kubernetes/03-opensearch.yml | 4 +- kubernetes/04-dashboards.yml | 2 +- kubernetes/05-upload.yml | 4 +- kubernetes/06-pcap-monitor.yml | 4 +- kubernetes/07-arkime.yml | 4 +- kubernetes/08-api.yml | 2 +- kubernetes/09-dashboards-helper.yml | 2 +- kubernetes/10-zeek.yml | 4 +- kubernetes/11-suricata.yml | 4 +- kubernetes/12-file-monitor.yml | 4 +- kubernetes/13-filebeat.yml | 4 +- kubernetes/14-logstash.yml | 4 +- kubernetes/15-netbox-redis.yml | 4 +- kubernetes/16-netbox-redis-cache.yml | 2 +- kubernetes/17-netbox-postgres.yml | 4 +- kubernetes/18-netbox.yml | 4 +- kubernetes/19-htadmin.yml | 4 +- kubernetes/20-pcap-capture.yml | 4 +- kubernetes/21-zeek-live.yml | 4 +- kubernetes/22-suricata-live.yml | 4 +- kubernetes/23-arkime-live.yml | 4 +- kubernetes/24-freq.yml | 2 +- kubernetes/98-nginx-proxy.yml | 4 +- .../aws/ami/packer_vars.json.example | 2 +- .../aws/ami/scripts/Malcolm_AMI_Setup.sh | 2 +- 36 files changed, 204 insertions(+), 204 deletions(-) diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index 845c98cf2..bbdbb2ddd 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -5,7 +5,7 @@ services: build: context: . dockerfile: Dockerfiles/opensearch.Dockerfile - image: ghcr.io/idaholab/malcolm/opensearch:24.10.0 + image: ghcr.io/idaholab/malcolm/opensearch:24.10.1 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to @@ -83,7 +83,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards-helper.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -137,7 +137,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -184,7 +184,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -299,7 +299,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -376,7 +376,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -462,7 +462,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -547,7 +547,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -620,7 +620,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -685,7 +685,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -745,7 +745,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -803,7 +803,7 @@ services: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -859,7 +859,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -906,7 +906,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -961,7 +961,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: ghcr.io/idaholab/malcolm/file-upload:24.10.0 + image: ghcr.io/idaholab/malcolm/file-upload:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1003,7 +1003,7 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:24.10.0 + image: ghcr.io/idaholab/malcolm/htadmin:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1056,7 +1056,7 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:24.10.0 + image: ghcr.io/idaholab/malcolm/freq:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1094,7 +1094,7 @@ services: retries: 3 start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:24.10.0 + image: ghcr.io/idaholab/malcolm/netbox:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1161,7 +1161,7 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:24.10.0 + image: ghcr.io/idaholab/malcolm/postgresql:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1205,7 +1205,7 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1253,7 +1253,7 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1296,7 +1296,7 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:24.10.0 + image: ghcr.io/idaholab/malcolm/api:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1345,7 +1345,7 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: diff --git a/docker-compose.yml b/docker-compose.yml index b2260d162..b29196f43 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ services: opensearch: - image: ghcr.io/idaholab/malcolm/opensearch:24.10.0 + image: ghcr.io/idaholab/malcolm/opensearch:24.10.1 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to @@ -77,7 +77,7 @@ services: retries: 3 start_period: 180s dashboards-helper: - image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -128,7 +128,7 @@ services: retries: 3 start_period: 30s dashboards: - image: ghcr.io/idaholab/malcolm/dashboards:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -172,7 +172,7 @@ services: retries: 3 start_period: 210s logstash: - image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -260,7 +260,7 @@ services: retries: 3 start_period: 600s filebeat: - image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -334,7 +334,7 @@ services: retries: 3 start_period: 60s arkime: - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -399,7 +399,7 @@ services: retries: 3 start_period: 210s arkime-live: - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -463,7 +463,7 @@ services: source: ./pcap target: /data/pcap zeek: - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -527,7 +527,7 @@ services: retries: 3 start_period: 60s zeek-live: - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -583,7 +583,7 @@ services: target: /opt/zeek/share/zeek/site/custom read_only: true suricata: - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -640,7 +640,7 @@ services: retries: 3 start_period: 120s suricata-live: - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -695,7 +695,7 @@ services: target: /opt/suricata/include-configs read_only: true file-monitor: - image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -748,7 +748,7 @@ services: retries: 3 start_period: 60s pcap-capture: - image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -792,7 +792,7 @@ services: source: ./pcap/upload target: /pcap pcap-monitor: - image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1 profiles: ["malcolm", "hedgehog"] userns_mode: keep-id logging: @@ -844,7 +844,7 @@ services: retries: 3 start_period: 90s upload: - image: ghcr.io/idaholab/malcolm/file-upload:24.10.0 + image: ghcr.io/idaholab/malcolm/file-upload:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -886,7 +886,7 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:24.10.0 + image: ghcr.io/idaholab/malcolm/htadmin:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -936,7 +936,7 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:24.10.0 + image: ghcr.io/idaholab/malcolm/freq:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -971,7 +971,7 @@ services: retries: 3 start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:24.10.0 + image: ghcr.io/idaholab/malcolm/netbox:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1035,7 +1035,7 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:24.10.0 + image: ghcr.io/idaholab/malcolm/postgresql:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1076,7 +1076,7 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1121,7 +1121,7 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1161,7 +1161,7 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:24.10.0 + image: ghcr.io/idaholab/malcolm/api:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: @@ -1204,7 +1204,7 @@ services: retries: 3 start_period: 60s nginx-proxy: - image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1 profiles: ["malcolm"] userns_mode: keep-id logging: diff --git a/docs/api-version.md b/docs/api-version.md index 0c0fefe76..2ebe0e921 100644 --- a/docs/api-version.md +++ b/docs/api-version.md @@ -49,6 +49,6 @@ Returns version information about Malcolm and version/[health](https://opensearc } }, "sha": "dad18b1", - "version": "24.10.0" + "version": "24.10.1" } ``` diff --git a/docs/contributing-github-runners.md b/docs/contributing-github-runners.md index 256ea8ba9..80a25eea3 100644 --- a/docs/contributing-github-runners.md +++ b/docs/contributing-github-runners.md @@ -104,7 +104,7 @@ Each container build workflow actually runs two paths in parallel: one for build ## Convenience scripts for development -As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.10.0`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`). +As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.10.1`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`). Before explaining that script, a discussion of the workflow files for the [Hedgehog Linux](live-analysis.md#Hedgehog) ([hedgehog-iso-build-docker-wrap-push-ghcr.yml ]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml)) and [Malcolm](malcolm-iso.md#ISO) ([malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -141,9 +141,9 @@ These menu options are described below: 3. GithubTriggerPackagesBuild * This option will trigger a [repository dispatch](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch) via the [GitHub API](https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event) using `curl`. In order for this operation to work, an environment variable named `GITHUB_OAUTH_TOKEN` must be defined containing a [personal access token](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28#basic-authentication) created for your GitHub user account with the "Actions (write)" repository permission. 4. PullAndTagGithubWorkflowImages - * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image. + * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image. 5. PullAndTagGithubWorkflowISOImages - * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`). + * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`). The script can also be run non-interactively by specifying the option number on the command line (e.g., `./scripts/github_image_helper.sh 4`). @@ -182,7 +182,7 @@ $ ./scripts/github_image_helper.sh 5 PullAndTagGithubWorkflowISOImages Operation:4 PullAndTagGithubWorkflowImages -Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.10.0... +Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.10.1... main: Pulling from romeogdetlevjr/malcolm/api Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Status: Image is up to date for ghcr.io/romeogdetlevjr/malcolm/api:main @@ -196,46 +196,46 @@ ghcr.io/romeogdetlevjr/malcolm/zeek:main xxxxxxxxxxxx: Pull complete ``` -Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.10.0`). +Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.10.1`). ```bash $ docker images | grep romeogdetlevjr/malcolm -ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 10 minutes ago 1.39GB +ghcr.io/idaholab/malcolm/zeek 24.10.1 xxxxxxxxxxxx 10 minutes ago 1.39GB ghcr.io/romeogdetlevjr/malcolm/zeek main xxxxxxxxxxxx 10 minutes ago 1.39GB -ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 13 minutes ago 1.55GB +ghcr.io/idaholab/malcolm/dashboards 24.10.1 xxxxxxxxxxxx 13 minutes ago 1.55GB ghcr.io/romeogdetlevjr/malcolm/dashboards main xxxxxxxxxxxx 13 minutes ago 1.55GB -ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 14 minutes ago 339MB +ghcr.io/idaholab/malcolm/suricata 24.10.1 xxxxxxxxxxxx 14 minutes ago 339MB ghcr.io/romeogdetlevjr/malcolm/suricata main xxxxxxxxxxxx 14 minutes ago 339MB -ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 15 minutes ago 712MB +ghcr.io/idaholab/malcolm/file-monitor 24.10.1 xxxxxxxxxxxx 15 minutes ago 712MB ghcr.io/romeogdetlevjr/malcolm/file-monitor main xxxxxxxxxxxx 15 minutes ago 712MB -ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 15 minutes ago 55.4MB +ghcr.io/idaholab/malcolm/redis 24.10.1 xxxxxxxxxxxx 15 minutes ago 55.4MB ghcr.io/romeogdetlevjr/malcolm/redis main xxxxxxxxxxxx 15 minutes ago 55.4MB -ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 16 minutes ago 160MB +ghcr.io/idaholab/malcolm/nginx-proxy 24.10.1 xxxxxxxxxxxx 16 minutes ago 160MB ghcr.io/romeogdetlevjr/malcolm/nginx-proxy main xxxxxxxxxxxx 16 minutes ago 160MB -ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 16 minutes ago 137MB +ghcr.io/idaholab/malcolm/pcap-capture 24.10.1 xxxxxxxxxxxx 16 minutes ago 137MB ghcr.io/romeogdetlevjr/malcolm/pcap-capture main xxxxxxxxxxxx 16 minutes ago 137MB -ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 16 minutes ago 246MB +ghcr.io/idaholab/malcolm/htadmin 24.10.1 xxxxxxxxxxxx 16 minutes ago 246MB ghcr.io/romeogdetlevjr/malcolm/htadmin main xxxxxxxxxxxx 16 minutes ago 246MB ghcr.io/romeogdetlevjr/malcolm/file-upload main xxxxxxxxxxxx 16 minutes ago 250MB -ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 16 minutes ago 250MB -ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 16 minutes ago 1.49GB +ghcr.io/idaholab/malcolm/file-upload 24.10.1 xxxxxxxxxxxx 16 minutes ago 250MB +ghcr.io/idaholab/malcolm/logstash-oss 24.10.1 xxxxxxxxxxxx 16 minutes ago 1.49GB ghcr.io/romeogdetlevjr/malcolm/logstash-oss main xxxxxxxxxxxx 16 minutes ago 1.49GB -ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 17 minutes ago 1.66GB +ghcr.io/idaholab/malcolm/netbox 24.10.1 xxxxxxxxxxxx 17 minutes ago 1.66GB ghcr.io/romeogdetlevjr/malcolm/netbox main xxxxxxxxxxxx 17 minutes ago 1.66GB ghcr.io/romeogdetlevjr/malcolm/filebeat-oss main xxxxxxxxxxxx 18 minutes ago 405MB -ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 18 minutes ago 405MB +ghcr.io/idaholab/malcolm/filebeat-oss 24.10.1 xxxxxxxxxxxx 18 minutes ago 405MB ghcr.io/romeogdetlevjr/malcolm/postgresql main xxxxxxxxxxxx 18 minutes ago 303MB -ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 18 minutes ago 303MB -ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 18 minutes ago 802MB +ghcr.io/idaholab/malcolm/postgresql 24.10.1 xxxxxxxxxxxx 18 minutes ago 303MB +ghcr.io/idaholab/malcolm/arkime 24.10.1 xxxxxxxxxxxx 18 minutes ago 802MB ghcr.io/romeogdetlevjr/malcolm/arkime main xxxxxxxxxxxx 18 minutes ago 802MB -ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 18 minutes ago 1.42GB +ghcr.io/idaholab/malcolm/opensearch 24.10.1 xxxxxxxxxxxx 18 minutes ago 1.42GB ghcr.io/romeogdetlevjr/malcolm/opensearch main xxxxxxxxxxxx 18 minutes ago 1.42GB -ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 18 minutes ago 176MB +ghcr.io/idaholab/malcolm/pcap-monitor 24.10.1 xxxxxxxxxxxx 18 minutes ago 176MB ghcr.io/romeogdetlevjr/malcolm/pcap-monitor main xxxxxxxxxxxx 18 minutes ago 176MB -ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 18 minutes ago 233MB +ghcr.io/idaholab/malcolm/dashboards-helper 24.10.1 xxxxxxxxxxxx 18 minutes ago 233MB ghcr.io/romeogdetlevjr/malcolm/dashboards-helpermain xxxxxxxxxxxx 18 minutes ago 233MB -ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 18 minutes ago 153MB +ghcr.io/idaholab/malcolm/freq 24.10.1 xxxxxxxxxxxx 18 minutes ago 153MB ghcr.io/romeogdetlevjr/malcolm/freq main xxxxxxxxxxxx 18 minutes ago 153MB -ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 18 minutes ago 169MB +ghcr.io/idaholab/malcolm/api 24.10.1 xxxxxxxxxxxx 18 minutes ago 169MB ghcr.io/romeogdetlevjr/malcolm/api main xxxxxxxxxxxx 18 minutes ago 169MB ``` diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index c0feeab77..9d473d332 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md @@ -1,6 +1,6 @@ # PCAP processors -When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.10.0 release]({{ site.github.repository_url }}/releases/tag/v24.10.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: +When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.10.1 release]({{ site.github.repository_url }}/releases/tag/v24.10.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: 1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index 7713cecb2..1ca269878 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -31,7 +31,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-24.10.0.iso" +Finished, created "/sensor-build/hedgehog-24.10.1.iso" … ``` diff --git a/docs/kubernetes.md b/docs/kubernetes.md index 8bb51770b..199dfff6b 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md @@ -272,28 +272,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:24.10.0 | -file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.0 | -zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:24.10.0 | -dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:24.10.0 | -upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:24.10.0 | -filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:24.10.0 | -zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:24.10.0 | -logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:24.10.0 | -netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:24.10.0 | -suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:24.10.0 | -dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:24.10.0 | -netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:24.10.0 | -suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:24.10.0 | -freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:24.10.0 | -arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:24.10.0 | -pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.0 | -pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:24.10.0 | -netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:24.10.0 | -htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:24.10.0 | -netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:24.10.0 | -nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:24.10.0 | -opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:24.10.0 | +api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:24.10.1 | +file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.1 | +zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:24.10.1 | +dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:24.10.1 | +upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:24.10.1 | +filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:24.10.1 | +zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:24.10.1 | +logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:24.10.1 | +netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:24.10.1 | +suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:24.10.1 | +dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:24.10.1 | +netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:24.10.1 | +suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:24.10.1 | +freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:24.10.1 | +arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:24.10.1 | +pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.1 | +pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:24.10.1 | +netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:24.10.1 | +htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:24.10.1 | +netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:24.10.1 | +nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:24.10.1 | +opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:24.10.1 | ``` The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes. @@ -554,28 +554,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:24.10.0 | -netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:24.10.0 | -dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:24.10.0 | -freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:24.10.0 | -pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:24.10.0 | -nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:24.10.0 | -htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:24.10.0 | -opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:24.10.0 | -zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:24.10.0 | -dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:24.10.0 | -arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:24.10.0 | -api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:24.10.0 | -netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:24.10.0 | -pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.0 | -suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:24.10.0 | -suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:24.10.0 | -netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:24.10.0 | -zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:24.10.0 | -filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:24.10.0 | -file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.0 | -upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:24.10.0 | -logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:24.10.0 | +netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:24.10.1 | +netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:24.10.1 | +dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:24.10.1 | +freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:24.10.1 | +pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:24.10.1 | +nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:24.10.1 | +htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:24.10.1 | +opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:24.10.1 | +zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:24.10.1 | +dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:24.10.1 | +arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:24.10.1 | +api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:24.10.1 | +netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:24.10.1 | +pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.1 | +suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:24.10.1 | +suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:24.10.1 | +netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:24.10.1 | +zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:24.10.1 | +filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:24.10.1 | +file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.1 | +upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:24.10.1 | +logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:24.10.1 | ``` View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`): diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md index 7406ac341..5f32637b7 100644 --- a/docs/malcolm-iso.md +++ b/docs/malcolm-iso.md @@ -42,7 +42,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui ``` … -Finished, created "/malcolm-build/malcolm-iso/malcolm-24.10.0.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-24.10.1.iso" … ``` diff --git a/docs/quickstart.md b/docs/quickstart.md index 33f0a1f46..e83d34cad 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md @@ -60,25 +60,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 24.10.1 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 24.10.1 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 24.10.1 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 24.10.1 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 24.10.1 xxxxxxxxxxxx 3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 24.10.1 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 24.10.1 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 24.10.1 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 24.10.1 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 24.10.1 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 24.10.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 24.10.1 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 24.10.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 24.10.1 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 24.10.1 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 24.10.1 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 24.10.1 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/third-party-envs.md b/docs/third-party-envs.md index b20347f60..de581db19 100644 --- a/docs/third-party-envs.md +++ b/docs/third-party-envs.md @@ -43,7 +43,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro amazon-ebs: output will be in this color. ==> amazon-ebs: Prevalidating any provided VPC information - ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.0-x86_64-2024-10-10T15-41-32Z + ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.1-x86_64-2024-10-10T15-41-32Z amazon-ebs: Found Image ID: ami-xxxxxxxxxxxxxxxxx ... @@ -53,7 +53,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro ==> amazon-ebs: Adding tags to AMI (ami-xxxxxxxxxxxxxxxxx)... ==> amazon-ebs: Tagging snapshot: snap-xxxxxxxxxxxxxxxxx ==> amazon-ebs: Creating AMI tags - amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.0" + amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.1" amazon-ebs: Adding tag: "source_ami_name": "al2023-ami-ecs-hvm-2023.0.20241003-kernel-6.1-x86_64" ==> amazon-ebs: Creating snapshot tags ==> amazon-ebs: Terminating the source AWS instance... @@ -79,7 +79,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro "Architecture": "x86_64", "CreationDate": "2024-05-30T14:02:21.000Z", "ImageId": "ami-xxxxxxxxxxxxxxxxx", - "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z", + "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.1-arm64-2024-05-30T13-57-31Z", "ImageType": "machine", "Public": false, "OwnerId": "xxxxxxxxxxxx", @@ -100,14 +100,14 @@ The files referenced in this section can be found in [scripts/third-party-enviro ], "EnaSupport": true, "Hypervisor": "xen", - "Name": "malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z", + "Name": "malcolm-v24.10.1-arm64-2024-05-30T13-57-31Z", "RootDeviceName": "/dev/xvda", "RootDeviceType": "ebs", "SriovNetSupport": "simple", "Tags": [ { "Key": "Malcolm", - "Value": "idaholab/Malcolm/v24.10.0" + "Value": "idaholab/Malcolm/v24.10.1" }, { "Key": "source_ami_name", diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 9e77c9c8d..d49211129 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -261,25 +261,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 24.10.1 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 24.10.1 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 24.10.1 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 24.10.1 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 24.10.1 xxxxxxxxxxxx 3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 24.10.1 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 24.10.1 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 24.10.1 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 24.10.1 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 24.10.1 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 24.10.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 24.10.1 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 24.10.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 24.10.1 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 24.10.1 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 24.10.1 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 24.10.1 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml index d216b4aa0..815a87763 100644 --- a/kubernetes/03-opensearch.yml +++ b/kubernetes/03-opensearch.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: opensearch-container - image: ghcr.io/idaholab/malcolm/opensearch:24.10.0 + image: ghcr.io/idaholab/malcolm/opensearch:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -71,7 +71,7 @@ spec: subPath: "opensearch" initContainers: - name: opensearch-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml index 37f58106a..87afa4b6e 100644 --- a/kubernetes/04-dashboards.yml +++ b/kubernetes/04-dashboards.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-container - image: ghcr.io/idaholab/malcolm/dashboards:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml index e094081c0..67dc3fd0e 100644 --- a/kubernetes/05-upload.yml +++ b/kubernetes/05-upload.yml @@ -34,7 +34,7 @@ spec: spec: containers: - name: upload-container - image: ghcr.io/idaholab/malcolm/file-upload:24.10.0 + image: ghcr.io/idaholab/malcolm/file-upload:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -73,7 +73,7 @@ spec: subPath: "upload" initContainers: - name: upload-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml index c947523c8..03509338a 100644 --- a/kubernetes/06-pcap-monitor.yml +++ b/kubernetes/06-pcap-monitor.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: pcap-monitor-container - image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -70,7 +70,7 @@ spec: name: pcap-monitor-zeek-volume initContainers: - name: pcap-monitor-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml index bf363d3a4..6e4de9a78 100644 --- a/kubernetes/07-arkime.yml +++ b/kubernetes/07-arkime.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: arkime-container - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -81,7 +81,7 @@ spec: name: arkime-pcap-volume initContainers: - name: arkime-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index 860ed225a..1d5f074d4 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: api-container - image: ghcr.io/idaholab/malcolm/api:24.10.0 + image: ghcr.io/idaholab/malcolm/api:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml index 98769d4b3..8b06a86fd 100644 --- a/kubernetes/09-dashboards-helper.yml +++ b/kubernetes/09-dashboards-helper.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-helper-container - image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml index 7900c7a29..b48a0700a 100644 --- a/kubernetes/10-zeek.yml +++ b/kubernetes/10-zeek.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-offline-container - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -62,7 +62,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml index 4af3177ae..74df4bce9 100644 --- a/kubernetes/11-suricata.yml +++ b/kubernetes/11-suricata.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-offline-container - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -55,7 +55,7 @@ spec: name: suricata-offline-custom-configs-volume initContainers: - name: suricata-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml index dc2f4b4b5..c40d56c15 100644 --- a/kubernetes/12-file-monitor.yml +++ b/kubernetes/12-file-monitor.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: file-monitor-container - image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0 + image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: name: file-monitor-yara-rules-custom-volume initContainers: - name: file-monitor-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml index a9c45be20..4bad9aed5 100644 --- a/kubernetes/13-filebeat.yml +++ b/kubernetes/13-filebeat.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: filebeat-container - image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "nginx" initContainers: - name: filebeat-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml index e1c8823e8..88192e877 100644 --- a/kubernetes/14-logstash.yml +++ b/kubernetes/14-logstash.yml @@ -49,7 +49,7 @@ spec: # topologyKey: "kubernetes.io/hostname" containers: - name: logstash-container - image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -115,7 +115,7 @@ spec: subPath: "logstash" initContainers: - name: logstash-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml index 4267666bd..9acc15d83 100644 --- a/kubernetes/15-netbox-redis.yml +++ b/kubernetes/15-netbox-redis.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-container - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: netbox/redis initContainers: - name: netbox-redis-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml index 8bf968227..ceff58143 100644 --- a/kubernetes/16-netbox-redis-cache.yml +++ b/kubernetes/16-netbox-redis-cache.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-cache-container - image: ghcr.io/idaholab/malcolm/redis:24.10.0 + image: ghcr.io/idaholab/malcolm/redis:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml index c96d1bb4c..9beb6150c 100644 --- a/kubernetes/17-netbox-postgres.yml +++ b/kubernetes/17-netbox-postgres.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-postgres-container - image: ghcr.io/idaholab/malcolm/postgresql:24.10.0 + image: ghcr.io/idaholab/malcolm/postgresql:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -74,7 +74,7 @@ spec: subPath: netbox/postgres initContainers: - name: netbox-postgres-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index 5d3d59a15..b2d8add31 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml @@ -36,7 +36,7 @@ spec: spec: containers: - name: netbox-container - image: ghcr.io/idaholab/malcolm/netbox:24.10.0 + image: ghcr.io/idaholab/malcolm/netbox:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -88,7 +88,7 @@ spec: subPath: netbox/media initContainers: - name: netbox-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml index 9438eae0c..7e61e21e2 100644 --- a/kubernetes/19-htadmin.yml +++ b/kubernetes/19-htadmin.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: htadmin-container - image: ghcr.io/idaholab/malcolm/htadmin:24.10.0 + image: ghcr.io/idaholab/malcolm/htadmin:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -63,7 +63,7 @@ spec: subPath: "htadmin" initContainers: - name: htadmin-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml index 44a13f65d..f246b88a1 100644 --- a/kubernetes/20-pcap-capture.yml +++ b/kubernetes/20-pcap-capture.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: pcap-capture-container - image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -50,7 +50,7 @@ spec: subPath: "upload" initContainers: - name: pcap-capture-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml index 4c2d1fd69..3586e4044 100644 --- a/kubernetes/21-zeek-live.yml +++ b/kubernetes/21-zeek-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: zeek-live-container - image: ghcr.io/idaholab/malcolm/zeek:24.10.0 + image: ghcr.io/idaholab/malcolm/zeek:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -61,7 +61,7 @@ spec: subPath: "zeek/intel" initContainers: - name: zeek-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml index 80d085b12..f587c370b 100644 --- a/kubernetes/22-suricata-live.yml +++ b/kubernetes/22-suricata-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: suricata-live-container - image: ghcr.io/idaholab/malcolm/suricata:24.10.0 + image: ghcr.io/idaholab/malcolm/suricata:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -56,7 +56,7 @@ spec: name: suricata-live-custom-configs-volume initContainers: - name: suricata-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/23-arkime-live.yml b/kubernetes/23-arkime-live.yml index 39f5deb30..2b0a72754 100644 --- a/kubernetes/23-arkime-live.yml +++ b/kubernetes/23-arkime-live.yml @@ -16,7 +16,7 @@ spec: spec: containers: - name: arkime-live-container - image: ghcr.io/idaholab/malcolm/arkime:24.10.0 + image: ghcr.io/idaholab/malcolm/arkime:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -64,7 +64,7 @@ spec: name: arkime-live-pcap-volume initContainers: - name: arkime-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/24-freq.yml b/kubernetes/24-freq.yml index 87bd1ff95..c88134128 100644 --- a/kubernetes/24-freq.yml +++ b/kubernetes/24-freq.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: freq-container - image: ghcr.io/idaholab/malcolm/freq:24.10.0 + image: ghcr.io/idaholab/malcolm/freq:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml index 9608d5163..b1d97fb4c 100644 --- a/kubernetes/98-nginx-proxy.yml +++ b/kubernetes/98-nginx-proxy.yml @@ -39,7 +39,7 @@ spec: spec: containers: - name: nginx-proxy-container - image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1 imagePullPolicy: Always stdin: false tty: true @@ -99,7 +99,7 @@ spec: subPath: "nginx" initContainers: - name: nginx-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:24.10.0 + image: ghcr.io/idaholab/malcolm/dirinit:24.10.1 imagePullPolicy: Always stdin: false tty: true diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example index 637b4c20d..883b7e8f8 100644 --- a/scripts/third-party-environments/aws/ami/packer_vars.json.example +++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example @@ -3,7 +3,7 @@ "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "instance_type": "t2.micro", "instance_arch": "x86_64", - "malcolm_tag": "v24.10.0", + "malcolm_tag": "v24.10.1", "malcolm_repo": "idaholab/Malcolm", "malcolm_uid": "1000", "ssh_username": "ec2-user", diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh index 4594eddce..126bce31a 100755 --- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh +++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh @@ -32,7 +32,7 @@ fi # -u UID (user UID, e.g., 1000) VERBOSE_FLAG= MALCOLM_REPO=${MALCOLM_REPO:-idaholab/Malcolm} -MALCOLM_TAG=${MALCOLM_TAG:-v24.10.0} +MALCOLM_TAG=${MALCOLM_TAG:-v24.10.1} [[ -z "$MALCOLM_UID" ]] && ( [[ $EUID -eq 0 ]] && MALCOLM_UID=1000 || MALCOLM_UID="$(id -u)" ) while getopts 'vr:t:u:' OPTION; do case "$OPTION" in From cd152c44910dc72e2ce23b8165eb474eb896866c Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 06:39:33 -0600 Subject: [PATCH 16/65] fill in bits to allow for Raspberry Pi 5 build (see idaholab/Malcolm#569); however, this will not yet allow for rpi5 builds as there are upstream problems --- hedgehog-raspi/Makefile | 8 ++++---- hedgehog-raspi/README.md | 22 +++++++++++----------- hedgehog-raspi/generate-recipe.py | 29 ++++++----------------------- hedgehog-raspi/raspi_master.yaml | 1 - 4 files changed, 21 insertions(+), 39 deletions(-) diff --git a/hedgehog-raspi/Makefile b/hedgehog-raspi/Makefile index 2067f470c..ba24cb568 100644 --- a/hedgehog-raspi/Makefile +++ b/hedgehog-raspi/Makefile @@ -1,9 +1,9 @@ all: shasums # List all the supported and built Pi platforms here. They get expanded -# to names like 'raspi_2_buster.yaml' and 'raspi_3_bullseye.img.xz'. -BUILD_FAMILIES := 1 2 3 4 -BUILD_RELEASES := bullseye bookworm trixie +# to names like 'raspi_4_bookworm.yaml' and 'raspi_5_bookworm.img.xz'. +BUILD_FAMILIES := 4 5 +BUILD_RELEASES := bookworm platforms := $(foreach plat, $(BUILD_FAMILIES),$(foreach rel, $(BUILD_RELEASES), raspi_$(plat)_$(rel))) @@ -57,7 +57,7 @@ _ck_root: [ `whoami` = 'root' ] # Only root can summon vmdb2 ☹ _clean_yaml: - rm -f $(addsuffix .yaml,$(platforms)) raspi_base_bullseye.yaml raspi_base_bookworm.yaml raspi_base_trixie.yaml + rm -f $(addsuffix .yaml,$(platforms)) raspi_base_bookworm.yaml _clean_images: rm -f $(addsuffix .img,$(platforms)) _clean_xzimages: diff --git a/hedgehog-raspi/README.md b/hedgehog-raspi/README.md index fe63ddbee..0b6dec10f 100644 --- a/hedgehog-raspi/README.md +++ b/hedgehog-raspi/README.md @@ -54,22 +54,22 @@ you'll need to execute `make` as root. The argument to `make` is constructed as follows: `raspi__.` -Whereby is one of `1`, `2`, `3` or `4`, is either -`bullseye`, `bookworm`, or `trixie`; and is `img` or `yaml`. +Whereby is one of `4` or `5`; is `bookworm`; and is `img` or `yaml`. Model `1` should be used for the Raspberry Pi 0, 0w and 1, models A and B. Model `2` for the Raspberry Pi 2 models A and B. Model `3` for all -models of the Raspberry Pi 3 and model `4` for all models of the -Raspberry Pi 4. -So if you want to build the default image for a Raspberry Pi 3B+ with -Bullseye, you can just issue: +models of the Raspberry Pi 3, model `4` for all models of the +Raspberry Pi 4, and model `5` for all models of the +Raspberry Pi 5. +So if you want to build the default image for a Raspberry Pi 4 with +Bookworm, you can just issue: ```shell make raspi_4_bookworm.img ``` **NOTE:** While this setup will build hedgehog for all raspberry pi variants, it is highly unlikely -that any variant other than RPI 4 (8GB version) will have adequate resources to function effectively as a sensor. +that any variant other than RPI 4 (8GB version) or higher will have adequate resources to function effectively as a sensor. At this point; it might be wise to go do something else. The build **WILL** take a while. Initial testing on a 8-core 16GB build machine took approximately 5.5 hours to complete the image. @@ -94,25 +94,25 @@ important parts of your system. Double check it's the correct device!), copy the image onto the SD card: ```shell -bmaptool copy raspi_3_bullseye.img.xz /dev/mmcblk0 +bmaptool copy raspi_3_bookworm.img.xz /dev/mmcblk0 ``` Alternatively, if you don't have `bmap-tools` installed, you can use `dd` with the compressed image: ```shell -xzcat raspi_3_bullseye.img.xz | dd of=/dev/mmcblk0 bs=64k oflag=dsync status=progress +xzcat raspi_3_bookworm.img.xz | dd of=/dev/mmcblk0 bs=64k oflag=dsync status=progress ``` Or with the uncompressed image: ```shell -dd if=raspi_3_bullseye.img of=/dev/mmcblk0 bs=64k oflag=dsync status=progress +dd if=raspi_3_bookworm.img of=/dev/mmcblk0 bs=64k oflag=dsync status=progress ``` Then, plug the SD card into the Raspberry Pi, and power it up. -The image uses the hostname `Hedgehog-rpi-0w`, `Hedgehog-rpi-2`, `Hedgehog-rpi-3`, or `Hedgehog-rpi-4` depending on the +The image uses the hostname `Hedgehog-rpi-0w`, `Hedgehog-rpi-2`, `Hedgehog-rpi-3`, `Hedgehog-rpi-4`, `Hedgehog-rpi-5` depending on the target build. The provided image will allow you to log in with the `sensor` account with a default password of `Hedgehog_Linux` or `root` account with a default password of `Hedgehog_Linux_Root`, but only logging in at the diff --git a/hedgehog-raspi/generate-recipe.py b/hedgehog-raspi/generate-recipe.py index c0d43bed2..79e1ebf95 100755 --- a/hedgehog-raspi/generate-recipe.py +++ b/hedgehog-raspi/generate-recipe.py @@ -18,7 +18,7 @@ sys.exit(1) version = sys.argv[1] -if version not in ["1", "2", "3", "4"]: +if version not in ["4", "5"]: print("E: unsupported version %s" % version, file=sys.stderr) sys.exit(1) @@ -32,15 +32,7 @@ ### Setting variables based on suite and version starts here # Arch, kernel, DTB: -if version == '1': - arch = 'armel' - linux = 'linux-image-rpi' - dtb = '/usr/lib/linux-image-*-rpi/bcm*rpi-*.dtb' -elif version == '2': - arch = 'armhf' - linux = 'linux-image-armmp' - dtb = '/usr/lib/linux-image-*-armmp/bcm*rpi*.dtb' -elif version in ['3', '4']: +if version in ['4', '5']: arch = 'arm64' linux = 'linux-image-arm64' dtb = '/usr/lib/linux-image-*-arm64/broadcom/bcm*rpi*.dtb' @@ -53,28 +45,20 @@ firmware_component_old = 'non-free' # wireless firmware: -if version != '2': - wireless_firmware = 'firmware-brcm80211' -else: - wireless_firmware = '' +wireless_firmware = 'firmware-brcm80211' # bluetooth firmware: -if version != '2': - bluetooth_firmware = 'bluez-firmware' -else: - bluetooth_firmware = '' +bluetooth_firmware = 'bluez-firmware' # We're pulling suricata from backports backports_enable = True backports_suite = '%s-backports' % suite # Serial console: -if version in ['1', '2']: - serial = 'ttyAMA0,115200' -elif version in ['3', '4']: +if version in ['4', '5']: serial = 'ttyS1,115200' -# CMA fixup: +# CMA fixup (TODO: does this apply to Rpi5?): extra_chroot_shell_cmds = [] if version == '4': extra_chroot_shell_cmds = [ @@ -111,7 +95,6 @@ % MALCOLM_DIR, ] -# Extend list just in case version is 4 extra_chroot_shell_cmds.extend( [ 'chmod 755 /root/sensor_install.sh', diff --git a/hedgehog-raspi/raspi_master.yaml b/hedgehog-raspi/raspi_master.yaml index 38ed3e9f1..5facd2b46 100644 --- a/hedgehog-raspi/raspi_master.yaml +++ b/hedgehog-raspi/raspi_master.yaml @@ -1,5 +1,4 @@ --- -# See https://wiki.debian.org/RaspberryPi3 for known issues and more details. # image.yml based on revision: __GITCOMMIT__ steps: From aa352804eb902fd597f8699d0a62ba1ce8ed6ef1 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 06:54:42 -0600 Subject: [PATCH 17/65] readme update --- hedgehog-raspi/README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hedgehog-raspi/README.md b/hedgehog-raspi/README.md index 0b6dec10f..801473f86 100644 --- a/hedgehog-raspi/README.md +++ b/hedgehog-raspi/README.md @@ -68,11 +68,17 @@ Bookworm, you can just issue: make raspi_4_bookworm.img ``` +At this point; it might be wise to go do something else. The build **WILL** take a while. +Initial testing on a 8-core 16GB build machine took approximately 5.5 hours to complete the image. + **NOTE:** While this setup will build hedgehog for all raspberry pi variants, it is highly unlikely that any variant other than RPI 4 (8GB version) or higher will have adequate resources to function effectively as a sensor. -At this point; it might be wise to go do something else. The build **WILL** take a while. -Initial testing on a 8-core 16GB build machine took approximately 5.5 hours to complete the image. +**NOTE:** Raspberry Pi 5 is **not yet supported** due to missing upstream kernel support. See the following resources: + +* [Debian Wiki](https://raspi.debian.net/faq/#faq-rpi5) +* [Debian Mailing list, March 2024](https://lists.debian.org/debian-arm/2024/03/msg00009.html) +* [Debian Mailing list, November 2023](https://lists.debian.org/debian-arm/2023/11/msg00025.html) ## Installing the image onto the Raspberry Pi From 47d06b27770824f588d805f34308bae3bc5a3715 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 07:08:59 -0600 Subject: [PATCH 18/65] bump supercronic to v0.2.33 --- Dockerfiles/dashboards-helper.Dockerfile | 2 +- Dockerfiles/file-monitor.Dockerfile | 2 +- Dockerfiles/file-upload.Dockerfile | 2 +- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/netbox.Dockerfile | 2 +- Dockerfiles/suricata.Dockerfile | 2 +- Dockerfiles/zeek.Dockerfile | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index 3225431ea..543049c41 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile +++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -42,7 +42,7 @@ ENV OPENSEARCH_DEFAULT_DASHBOARD $OPENSEARCH_DEFAULT_DASHBOARD ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE ENV PATH="/data:${PATH}" -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 0c05ae5e7..f68858fb3 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -100,7 +100,7 @@ ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY ENV EXTRACTED_FILE_HTTP_SERVER_RECURSIVE $EXTRACTED_FILE_HTTP_SERVER_RECURSIVE ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 44aac2835..dea33cfad 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -56,7 +56,7 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH ARG STALE_UPLOAD_DELETE_MIN=360 ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index d57a3a2c4..378e8146c 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -67,7 +67,7 @@ ARG FILEBEAT_TCP_PARSE_DROP_FIELD="" ARG FILEBEAT_TCP_TAG="_malcolm_beats" ARG PCAP_NODE_NAME=malcolm -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index 16d87b39e..9bf794a4f 100644 --- a/Dockerfiles/netbox.Dockerfile +++ b/Dockerfiles/netbox.Dockerfile @@ -25,7 +25,7 @@ ENV PGROUP "ubuntu" ENV PUSER_PRIV_DROP true USER root -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index d6502fe54..2241a50d3 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -33,7 +33,7 @@ ENV PUSER_RLIMIT_UNLOCK true # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references) USER root -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "/etc/crontab" diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index e01ebdf7c..a823a1603 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -52,7 +52,7 @@ ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/ # custom one-off packages locally ADD zeek/custom-pkg "$ZEEK_DIR"/custom-pkg -ENV SUPERCRONIC_VERSION "0.2.32" +ENV SUPERCRONIC_VERSION "0.2.33" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-" ENV SUPERCRONIC_CRONTAB "${ZEEK_DIR}/crontab" From 2e2fce14da748d983fd2a709df705a9b8b39f3d0 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 09:50:32 -0600 Subject: [PATCH 19/65] some cleanup and improvements of the zeek logstash pipeline idaholab/Malcolm#592 --- docs/contributing-logstash.md | 8 +- logstash/maps/malcolm_severity.yaml | 2 +- ...1_input_zeek.conf => 0100_input_zeek.conf} | 0 ...{10_zeek_prep.conf => 1000_zeek_prep.conf} | 0 logstash/pipelines/zeek/1001_zeek_parse.conf | 82 + logstash/pipelines/zeek/1011_zeek_bacnet.conf | 146 + .../pipelines/zeek/1012_zeek_bestguess.conf | 37 + logstash/pipelines/zeek/1013_zeek_bsap.conf | 185 + logstash/pipelines/zeek/1014_zeek_conn.conf | 85 + .../pipelines/zeek/1015_zeek_dce_rpc.conf | 43 + logstash/pipelines/zeek/1016_zeek_dhcp.conf | 77 + .../pipelines/zeek/1017_zeek_diagnostic.conf | 336 + logstash/pipelines/zeek/1018_zeek_dnp3.conf | 103 + logstash/pipelines/zeek/1019_zeek_dns.conf | 47 + logstash/pipelines/zeek/1020_zeek_ecat.conf | 346 + logstash/pipelines/zeek/1021_zeek_enip.conf | 140 + logstash/pipelines/zeek/1022_zeek_files.conf | 72 + logstash/pipelines/zeek/1023_zeek_ftp.conf | 42 + .../pipelines/zeek/1024_zeek_genisys.conf | 49 + .../pipelines/zeek/1025_zeek_ge_srtp.conf | 46 + logstash/pipelines/zeek/1026_zeek_gquic.conf | 43 + .../pipelines/zeek/1027_zeek_hart_ip.conf | 210 + logstash/pipelines/zeek/1028_zeek_http.conf | 59 + logstash/pipelines/zeek/1029_zeek_intel.conf | 56 + logstash/pipelines/zeek/1030_zeek_ipsec.conf | 50 + logstash/pipelines/zeek/1031_zeek_irc.conf | 43 + .../pipelines/zeek/1032_zeek_kerberos.conf | 50 + logstash/pipelines/zeek/1033_zeek_known.conf | 202 + logstash/pipelines/zeek/1034_zeek_ldap.conf | 100 + logstash/pipelines/zeek/1035_zeek_login.conf | 35 + logstash/pipelines/zeek/1036_zeek_modbus.conf | 210 + logstash/pipelines/zeek/1037_zeek_mqtt.conf | 115 + logstash/pipelines/zeek/1038_zeek_mysql.conf | 40 + logstash/pipelines/zeek/1039_zeek_notice.conf | 53 + logstash/pipelines/zeek/1040_zeek_ntlm.conf | 51 + logstash/pipelines/zeek/1041_zeek_ntp.conf | 42 + logstash/pipelines/zeek/1042_zeek_ocsp.conf | 39 + .../zeek/1043_zeek_opcua_binary.conf | 1598 ++++ logstash/pipelines/zeek/1044_zeek_ospf.conf | 59 + logstash/pipelines/zeek/1045_zeek_pe.conf | 43 + .../pipelines/zeek/1046_zeek_profinet.conf | 115 + logstash/pipelines/zeek/1047_zeek_radius.conf | 46 + logstash/pipelines/zeek/1048_zeek_rdp.conf | 46 + logstash/pipelines/zeek/1049_zeek_rfb.conf | 39 + logstash/pipelines/zeek/1050_zeek_s7comm.conf | 186 + .../pipelines/zeek/1051_zeek_signatures.conf | 40 + logstash/pipelines/zeek/1052_zeek_sip.conf | 43 + logstash/pipelines/zeek/1053_zeek_smb.conf | 131 + logstash/pipelines/zeek/1054_zeek_smtp.conf | 48 + logstash/pipelines/zeek/1055_zeek_snmp.conf | 43 + logstash/pipelines/zeek/1056_zeek_socks.conf | 40 + .../pipelines/zeek/1057_zeek_software.conf | 47 + logstash/pipelines/zeek/1058_zeek_ssh.conf | 87 + logstash/pipelines/zeek/1059_zeek_ssl.conf | 54 + logstash/pipelines/zeek/1060_zeek_stun.conf | 96 + .../zeek/1061_zeek_synchrophasor.conf | 242 + logstash/pipelines/zeek/1062_zeek_syslog.conf | 40 + logstash/pipelines/zeek/1063_zeek_tds.conf | 115 + logstash/pipelines/zeek/1064_zeek_tftp.conf | 43 + logstash/pipelines/zeek/1065_zeek_tunnel.conf | 48 + logstash/pipelines/zeek/1066_zeek_weird.conf | 35 + .../pipelines/zeek/1067_zeek_wireguard.conf | 45 + logstash/pipelines/zeek/1068_zeek_x509.conf | 63 + .../pipelines/zeek/1199_zeek_unknown.conf | 27 + logstash/pipelines/zeek/11_zeek_parse.conf | 6411 ----------------- ...zeek_mutate.conf => 1200_zeek_mutate.conf} | 2 +- ...ormalize.conf => 1300_zeek_normalize.conf} | 2 +- ...ek_convert.conf => 1400_zeek_convert.conf} | 0 .../{19_severity.conf => 1900_severity.conf} | 0 ...ek_forward.conf => 9900_zeek_forward.conf} | 0 logstash/scripts/logstash-start.sh | 5 + scripts/zeek_script_to_malcolm_boilerplate.py | 9 +- shared/bin/zeek_carve_logger.py | 12 +- 73 files changed, 6675 insertions(+), 6429 deletions(-) rename logstash/pipelines/zeek/{01_input_zeek.conf => 0100_input_zeek.conf} (100%) rename logstash/pipelines/zeek/{10_zeek_prep.conf => 1000_zeek_prep.conf} (100%) create mode 100644 logstash/pipelines/zeek/1001_zeek_parse.conf create mode 100644 logstash/pipelines/zeek/1011_zeek_bacnet.conf create mode 100644 logstash/pipelines/zeek/1012_zeek_bestguess.conf create mode 100644 logstash/pipelines/zeek/1013_zeek_bsap.conf create mode 100644 logstash/pipelines/zeek/1014_zeek_conn.conf create mode 100644 logstash/pipelines/zeek/1015_zeek_dce_rpc.conf create mode 100644 logstash/pipelines/zeek/1016_zeek_dhcp.conf create mode 100644 logstash/pipelines/zeek/1017_zeek_diagnostic.conf create mode 100644 logstash/pipelines/zeek/1018_zeek_dnp3.conf create mode 100644 logstash/pipelines/zeek/1019_zeek_dns.conf create mode 100644 logstash/pipelines/zeek/1020_zeek_ecat.conf create mode 100644 logstash/pipelines/zeek/1021_zeek_enip.conf create mode 100644 logstash/pipelines/zeek/1022_zeek_files.conf create mode 100644 logstash/pipelines/zeek/1023_zeek_ftp.conf create mode 100644 logstash/pipelines/zeek/1024_zeek_genisys.conf create mode 100644 logstash/pipelines/zeek/1025_zeek_ge_srtp.conf create mode 100644 logstash/pipelines/zeek/1026_zeek_gquic.conf create mode 100644 logstash/pipelines/zeek/1027_zeek_hart_ip.conf create mode 100644 logstash/pipelines/zeek/1028_zeek_http.conf create mode 100644 logstash/pipelines/zeek/1029_zeek_intel.conf create mode 100644 logstash/pipelines/zeek/1030_zeek_ipsec.conf create mode 100644 logstash/pipelines/zeek/1031_zeek_irc.conf create mode 100644 logstash/pipelines/zeek/1032_zeek_kerberos.conf create mode 100644 logstash/pipelines/zeek/1033_zeek_known.conf create mode 100644 logstash/pipelines/zeek/1034_zeek_ldap.conf create mode 100644 logstash/pipelines/zeek/1035_zeek_login.conf create mode 100644 logstash/pipelines/zeek/1036_zeek_modbus.conf create mode 100644 logstash/pipelines/zeek/1037_zeek_mqtt.conf create mode 100644 logstash/pipelines/zeek/1038_zeek_mysql.conf create mode 100644 logstash/pipelines/zeek/1039_zeek_notice.conf create mode 100644 logstash/pipelines/zeek/1040_zeek_ntlm.conf create mode 100644 logstash/pipelines/zeek/1041_zeek_ntp.conf create mode 100644 logstash/pipelines/zeek/1042_zeek_ocsp.conf create mode 100644 logstash/pipelines/zeek/1043_zeek_opcua_binary.conf create mode 100644 logstash/pipelines/zeek/1044_zeek_ospf.conf create mode 100644 logstash/pipelines/zeek/1045_zeek_pe.conf create mode 100644 logstash/pipelines/zeek/1046_zeek_profinet.conf create mode 100644 logstash/pipelines/zeek/1047_zeek_radius.conf create mode 100644 logstash/pipelines/zeek/1048_zeek_rdp.conf create mode 100644 logstash/pipelines/zeek/1049_zeek_rfb.conf create mode 100644 logstash/pipelines/zeek/1050_zeek_s7comm.conf create mode 100644 logstash/pipelines/zeek/1051_zeek_signatures.conf create mode 100644 logstash/pipelines/zeek/1052_zeek_sip.conf create mode 100644 logstash/pipelines/zeek/1053_zeek_smb.conf create mode 100644 logstash/pipelines/zeek/1054_zeek_smtp.conf create mode 100644 logstash/pipelines/zeek/1055_zeek_snmp.conf create mode 100644 logstash/pipelines/zeek/1056_zeek_socks.conf create mode 100644 logstash/pipelines/zeek/1057_zeek_software.conf create mode 100644 logstash/pipelines/zeek/1058_zeek_ssh.conf create mode 100644 logstash/pipelines/zeek/1059_zeek_ssl.conf create mode 100644 logstash/pipelines/zeek/1060_zeek_stun.conf create mode 100644 logstash/pipelines/zeek/1061_zeek_synchrophasor.conf create mode 100644 logstash/pipelines/zeek/1062_zeek_syslog.conf create mode 100644 logstash/pipelines/zeek/1063_zeek_tds.conf create mode 100644 logstash/pipelines/zeek/1064_zeek_tftp.conf create mode 100644 logstash/pipelines/zeek/1065_zeek_tunnel.conf create mode 100644 logstash/pipelines/zeek/1066_zeek_weird.conf create mode 100644 logstash/pipelines/zeek/1067_zeek_wireguard.conf create mode 100644 logstash/pipelines/zeek/1068_zeek_x509.conf create mode 100644 logstash/pipelines/zeek/1199_zeek_unknown.conf delete mode 100644 logstash/pipelines/zeek/11_zeek_parse.conf rename logstash/pipelines/zeek/{12_zeek_mutate.conf => 1200_zeek_mutate.conf} (99%) rename logstash/pipelines/zeek/{13_zeek_normalize.conf => 1300_zeek_normalize.conf} (99%) rename logstash/pipelines/zeek/{14_zeek_convert.conf => 1400_zeek_convert.conf} (100%) rename logstash/pipelines/zeek/{19_severity.conf => 1900_severity.conf} (100%) rename logstash/pipelines/zeek/{99_zeek_forward.conf => 9900_zeek_forward.conf} (100%) diff --git a/docs/contributing-logstash.md b/docs/contributing-logstash.md index 2cfcb085d..3309ec358 100644 --- a/docs/contributing-logstash.md +++ b/docs/contributing-logstash.md @@ -34,12 +34,12 @@ Finally, in the [`./config/logstash.env` file](malcolm-config.md#MalcolmConfigEn The following modifications must be made in order for Malcolm to parse new Zeek log files: -1. Add a parsing section to [`logstash/pipelines/zeek/11_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/11_zeek_parse.conf) +1. Add a parsing filter file named so that it sorts after [`logstash/pipelines/zeek/1001_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1001_zeek_parse.conf) but before [`logstash/pipelines/zeek/1199_zeek_unknown.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1199_zeek_unknown.conf) * Follow patterns for existing log files as an example * For common Zeek fields such as the `id` four-tuple, timestamp, etc., use the same convention used by existing Zeek logs in that file (e.g., `ts`, `uid`, `orig_h`, `orig_p`, `resp_h`, `resp_p`) - * Take care, especially when copy-pasting filter code, the Zeek delimiter isn't modified from a tab character to a space character (see "*zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP*" warnings in that file) -1. If necessary, perform log normalization in [`logstash/pipelines/zeek/13_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/13_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc. -1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/14_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/14_zeek_convert.conf) + * The [`logstash/scripts/logstash-start.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/scripts/logstash-start.sh) Logstash container startup script should automatically fix any issues with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs) +1. If necessary, perform log normalization in [`logstash/pipelines/zeek/1300_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1300_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc. +1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/1400_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1400_zeek_convert.conf) 1. Identify the new fields and add them as described in [Adding new log fields](contributing-new-log-fields.md#NewFields) The script [`scripts/zeek_script_to_malcolm_boilerplate.py`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/zeek_script_to_malcolm_boilerplate.py) may help by autogenerating these filters. diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml index b6c43d01d..96bb74e0a 100644 --- a/logstash/maps/malcolm_severity.yaml +++ b/logstash/maps/malcolm_severity.yaml @@ -1,4 +1,4 @@ -# keys should match the event.severity_tags values set in 19_severity.conf +# keys should match the event.severity_tags values set in 1900_severity.conf "Cross-segment traffic": 20 "External traffic": 20 "Inbound traffic": 50 diff --git a/logstash/pipelines/zeek/01_input_zeek.conf b/logstash/pipelines/zeek/0100_input_zeek.conf similarity index 100% rename from logstash/pipelines/zeek/01_input_zeek.conf rename to logstash/pipelines/zeek/0100_input_zeek.conf diff --git a/logstash/pipelines/zeek/10_zeek_prep.conf b/logstash/pipelines/zeek/1000_zeek_prep.conf similarity index 100% rename from logstash/pipelines/zeek/10_zeek_prep.conf rename to logstash/pipelines/zeek/1000_zeek_prep.conf diff --git a/logstash/pipelines/zeek/1001_zeek_parse.conf b/logstash/pipelines/zeek/1001_zeek_parse.conf new file mode 100644 index 000000000..454ba8e53 --- /dev/null +++ b/logstash/pipelines/zeek/1001_zeek_parse.conf @@ -0,0 +1,82 @@ +######################## +# zeek -> arkime session creation and enrichment +# +# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation +# +# see source.zeeklogs.js for the Arkime code that turns these into UI fields +# +# to profile, debug: +# - get filters sorted by execution time (where in > 0) +# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4 +# - get filters where in != out +# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' +# +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below + if ([message] =~ /^{.*}$/) { json { + id => "json_zeek_message_parse" + source => "[message]" + target => "[zeek_cols]" + add_tag => [ "_jsonparsesuccess" ] + } } + + + # in JSON, do some global renaming of common fields to make them match the names we'd + # be assigning to them if we were reading TSV + if ("_jsonparsesuccess" in [tags]) { + + # some of the ICSNPP parsers do an interesting thing to handle source and destination fields + # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields) + # so check for and handle those first + ruby { + id => "ruby_zeek_json_determine_source_destination_fields" + code => " + if ![event.get('[zeek_cols][source_h]').to_s, + event.get('[zeek_cols][source_p]').to_s, + event.get('[zeek_cols][destination_h]').to_s, + event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? || (e == '0') }.empty? then + event.set('[@metadata][icsnpp_source_dest_fields]', 'true') + end + " + } + if ([@metadata][icsnpp_source_dest_fields]) { + mutate { + id => "mutate_rename_zeek_json_common_reversed_direction_fields" + rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" } + rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" } + rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" } + rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" } + rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" } + rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" } + rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" } + } + + } else { + mutate { + id => "mutate_rename_zeek_json_common_fields" + rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" } + rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" } + rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" } + } + } # icsnpp_source_dest_fields or not + } # _jsonparsesuccess in tags + + # for non-JSON: + # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it + # is not as flexible when it comes to missing or extra columns + # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62) + # + # So, if the dissect filter fails, we're going to fall back to split-then-zip solution. + # This should be a good tradeoff between performance (in the case where the Zeek logs + # match what we think they should look like) and flexibility (when they don't). + # + # The one drawback is that if you make a change to the fields in dissect, make sure + # you make the corresponding change in the ruby init code. + +} # end Filter diff --git a/logstash/pipelines/zeek/1011_zeek_bacnet.conf b/logstash/pipelines/zeek/1011_zeek_bacnet.conf new file mode 100644 index 000000000..841a0b415 --- /dev/null +++ b/logstash/pipelines/zeek/1011_zeek_bacnet.conf @@ -0,0 +1,146 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "bacnet") { + ############################################################################################################################# + # bacnet.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bacnet" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bacnet" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bacnet" + init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" + code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bacnet" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bacnet" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bacnet_device_control") { + ############################################################################################################################# + # bacnet_device_control.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bacnet_device_control" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bacnet_device_control" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bacnet_device_control" + init => "@zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]" + code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bacnet_device_control" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bacnet" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bacnet_discovery") { + ############################################################################################################################# + # bacnet_discovery.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bacnet_discovery" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bacnet_discovery" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bacnet_discovery" + init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" + code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bacnet_discovery" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bacnet" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bacnet_property") { + ############################################################################################################################# + # bacnet_property.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bacnet_property" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bacnet_property" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bacnet_property" + init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" + code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bacnet_property" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bacnet" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1012_zeek_bestguess.conf b/logstash/pipelines/zeek/1012_zeek_bestguess.conf new file mode 100644 index 000000000..9067f3f09 --- /dev/null +++ b/logstash/pipelines/zeek/1012_zeek_bestguess.conf @@ -0,0 +1,37 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "bestguess") { + ############################################################################################################################# + # bestguess.log + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bestguess" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bestguess" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bestguess" + init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]" + code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_ics_best_guess_log" + add_tag => [ "ics_best_guess" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1013_zeek_bsap.conf b/logstash/pipelines/zeek/1013_zeek_bsap.conf new file mode 100644 index 000000000..8a9f8f0b6 --- /dev/null +++ b/logstash/pipelines/zeek/1013_zeek_bsap.conf @@ -0,0 +1,185 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "bsap_ip_header") { + ############################################################################################################################# + # bsap_ip_header.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bsap_ip_header" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bsap_ip_header" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bsap_ip_header" + init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]" + code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bsap_ip_header" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bsap" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bsap_ip_rdb") { + ############################################################################################################################# + # bsap_ip_rdb.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bsap_ip_rdb" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bsap_ip_rdb" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bsap_ip_rdb" + init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]" + code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bsap_ip_rdb" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "bsap" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bsap_serial_header") { + ############################################################################################################################# + # bsap_serial_header.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bsap_serial_header" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bsap_serial_header" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bsap_serial_header" + init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]" + code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bsap_serial_header" + add_field => { + "[zeek_cols][proto]" => "serial" + "[zeek_cols][service]" => "bsap" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bsap_serial_rdb") { + ############################################################################################################################# + # bsap_serial_rdb.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bsap_serial_rdb" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bsap_serial_rdb" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bsap_serial_rdb" + init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]" + code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bsap_serial_rdb" + add_field => { + "[zeek_cols][proto]" => "serial" + "[zeek_cols][service]" => "bsap" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "bsap_serial_rdb_ext") { + ############################################################################################################################# + # bsap_serial_rdb_ext.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_bsap_serial_rdb_ext" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_bsap_serial_rdb_ext" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_bsap_serial_rdb_ext" + init => "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_bsap_serial_rdb_ext" + add_field => { + "[zeek_cols][proto]" => "serial" + "[zeek_cols][service]" => "bsap" + } + add_tag => [ "ics" ] + } + + # for now, drop hex-encoded binary data for size + if ([zeek_cols][data]) { + mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data" + remove_field => [ "[zeek_cols][data]" ] } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1014_zeek_conn.conf b/logstash/pipelines/zeek/1014_zeek_conn.conf new file mode 100644 index 000000000..29f2cb613 --- /dev/null +++ b/logstash/pipelines/zeek/1014_zeek_conn.conf @@ -0,0 +1,85 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "conn") { + ############################################################################################################################# + # conn.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_conn_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_conn" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_conn" + init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]" + code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + # normalize service string(s) + + # For some reason, even in JSON, I have service strings like: + # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",... + # so whatever reason it's not already an array. Split it here. + mutate { id => "mutate_split_zeek_conn_commas" + split => { "[zeek_cols][service]" => "," } } + + # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix + mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix" + gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } + + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "spicy_", "" ] } + + mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix" + gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } + + if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') { + mutate { id => "mutate_add_field_zeek_srcBytes" + add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } } + } + if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') { + mutate { id => "mutate_add_field_zeek_dstBytes" + add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } } + } + if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') { + mutate { id => "mutate_add_field_zeek_srcPackets" + add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } } + } + if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') { + mutate { id => "mutate_add_field_zeek_srcDataBytes" + add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } } + } + if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') { + mutate { id => "mutate_add_field_zeek_dstPackets" + add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } } + } + if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') { + mutate { id => "mutate_add_field_zeek_dstDataBytes" + add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } } + } + if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') { + if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents" + split => { "[zeek_cols][tunnel_parents]" => "," } } } + mutate { id => "mutate_add_field_zeek_conn_rootId" + add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf new file mode 100644 index 000000000..e2efbab9c --- /dev/null +++ b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dce_rpc") { + ############################################################################################################################# + # dce_rpc.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dce_rpc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dce_rpc" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dce_rpc" + init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]" + code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dce_rpc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "dce_rpc" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1016_zeek_dhcp.conf b/logstash/pipelines/zeek/1016_zeek_dhcp.conf new file mode 100644 index 000000000..f94df57df --- /dev/null +++ b/logstash/pipelines/zeek/1016_zeek_dhcp.conf @@ -0,0 +1,77 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dhcp") { + ############################################################################################################################# + # dhcp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_dhcp_fields" + rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" } + rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" } + rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" } + rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" } + } + + } else { + dissect { + id => "dissect_zeek_dhcp_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dhcp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dhcp" + init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]" + code => "event.set('[zeek_cols]', @zeek_dhcp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_dhcp_msg_types" + split => { "[zeek_cols][msg_types]" => "," } } + if ([zeek_cols][uid]) and + ([zeek_cols][uid] != '(empty)') and + ([zeek_cols][uid] != '') { + mutate { id => "mutate_split_zeek_dhcp_uids" + split => { "[zeek_cols][uid]" => "," } } + } + } + + if ([zeek_cols][uid] and [zeek_cols][uid][0]) { + mutate { id => "mutate_add_field_zeek_dhcp_uids" + add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } } + } + + if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) { + mutate { + id => "mutate_add_field_zeek_dhcp_ports" + add_field => { + "[zeek_cols][orig_p]" => 68 + "[zeek_cols][resp_p]" => 67 + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dhcp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "dhcp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1017_zeek_diagnostic.conf b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf new file mode 100644 index 000000000..b1c7025aa --- /dev/null +++ b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf @@ -0,0 +1,336 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "analyzer") { + ############################################################################################################################# + # analyzer.log + # Zeek Logging analyzer confirmations and violations into analyzer.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_analyzer" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_analyzer" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_analyzer" + init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that + # the UID/FUID and IP/ports make it suitable to be searched with the network data + + } else if ([log_source] == "broker") { + ############################################################################################################################# + # broker.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_broker_fields" + rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" } + rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" } + rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" } + rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" } + rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_broker" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_broker" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_broker" + init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_broker" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "capture_loss") { + ############################################################################################################################# + # capture_loss.log + # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers. + # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_capture_loss" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_capture_loss" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_capture_loss" + init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "cluster") { + ############################################################################################################################# + # cluster.log + # Logging for establishing and controlling a cluster of Zeek instances + # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_cluster_fields" + rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_cluster" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_cluster" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_cluster" + init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_cluster" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "config") { + ############################################################################################################################# + # config.log + # Logging for Zeek configuration changes + # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_config" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_config" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_config" + init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_config" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "packet_filter") { + ############################################################################################################################# + # packet_filter.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_packet_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_packet_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_packet_filter" + init => "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "print") { + ############################################################################################################################# + # print.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_print" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_print" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_print" + init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "split_zeek_diagnostic_print_vals" + split => { "[zeek_cols][vals]" => "," } } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_print" + add_tag => [ "_zeekdiagnostic" ] } + + + } else if ([log_source] == "reporter") { + ############################################################################################################################# + # reporter.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_reporter_fields" + rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_reporter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} %{[zeek_cols][location]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_reporter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_reporter" + init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_reporter" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "stats") { + ############################################################################################################################# + # stats.log + # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_stats" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_stats" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_stats" + init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_stats" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "dpd") { + ############################################################################################################################# + # dpd.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_dpd_fields" + rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" } + } + + } else { + dissect { + id => "dissect_zeek_dpd" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dpd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dpd" + init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]" + code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_lowercase_zeek_dpd_service" + lowercase => [ "[zeek_cols][service]" ] } + + # normalize service string(s) + if ([zeek_cols][service] =~ /^spicy_/) { + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } + + # some spicy services are named like blah_udp or blah_tcp, + # and we don't care about the _udp/_tcp suffix + mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix" + gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1018_zeek_dnp3.conf b/logstash/pipelines/zeek/1018_zeek_dnp3.conf new file mode 100644 index 000000000..846343c79 --- /dev/null +++ b/logstash/pipelines/zeek/1018_zeek_dnp3.conf @@ -0,0 +1,103 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dnp3") { + ############################################################################################################################# + # dnp3.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3" + init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "dnp3_control") { + ############################################################################################################################# + # dnp3_control.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3_control" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3_control" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3_control" + init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3_control" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "dnp3_objects") { + ############################################################################################################################# + # dnp3_objects.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3_objects" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3_objects" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3_objects" + init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3_objects" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1019_zeek_dns.conf b/logstash/pipelines/zeek/1019_zeek_dns.conf new file mode 100644 index 000000000..7971b0e31 --- /dev/null +++ b/logstash/pipelines/zeek/1019_zeek_dns.conf @@ -0,0 +1,47 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dns") { + ############################################################################################################################# + # dns.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dns" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dns" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dns" + init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]" + code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_dns_commas" + split => { "[zeek_cols][TTLs]" => "," + "[zeek_cols][answers]" => "," } } + } + + # remove C_ prefix from qclass_name + mutate { id => "mutate_gsub_field_zeek_dns_qclass_name" + gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] } + + mutate { + id => "mutate_add_fields_zeek_dns" + add_field => { "[zeek_cols][service]" => "dns" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1020_zeek_ecat.conf b/logstash/pipelines/zeek/1020_zeek_ecat.conf new file mode 100644 index 000000000..b3272fc21 --- /dev/null +++ b/logstash/pipelines/zeek/1020_zeek_ecat.conf @@ -0,0 +1,346 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ecat_registers") { + ############################################################################################################################# + # ecat_registers.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_registers_fields" + rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } + rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" } + rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" } + rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_registers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_registers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_registers" + init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_registers" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_log_address") { + ############################################################################################################################# + # ecat_log_address.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_log_address_fields" + rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" } + rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" } + rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_log_address" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_log_address" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_log_address" + init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_log_address" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_dev_info") { + ############################################################################################################################# + # ecat_dev_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_dev_info_fields" + rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_dev_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_dev_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_dev_info" + init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_dev_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_aoe_info") { + ############################################################################################################################# + # ecat_aoe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_aoe_info_fields" + rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" } + rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" } + rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" } + rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_aoe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_aoe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_aoe_info" + init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_aoe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_coe_info") { + ############################################################################################################################# + # ecat_coe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_coe_info_fields" + rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_coe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_coe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_coe_info" + init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_coe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_foe_info") { + ############################################################################################################################# + # ecat_foe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_foe_info_fields" + rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_foe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_foe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_foe_info" + init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_foe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_soe_info") { + ############################################################################################################################# + # ecat_soe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_soe_info_fields" + rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } + rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_soe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_soe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_soe_info" + init => "@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_soe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_arp_info") { + ############################################################################################################################# + # ecat_arp_info.log + # https://github.com/cisagov/icsnpp-ethercat + # + # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and + # not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_arp_info_fields" + rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" } + rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" } + rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" } + rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_arp_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_arp_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_arp_info" + init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_arp_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + } + + # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary? + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1021_zeek_enip.conf b/logstash/pipelines/zeek/1021_zeek_enip.conf new file mode 100644 index 000000000..2a2f9e8f2 --- /dev/null +++ b/logstash/pipelines/zeek/1021_zeek_enip.conf @@ -0,0 +1,140 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "cip") { + ############################################################################################################################# + # cip.log + # https://github.com/cisagov/ICSNPP + # + # todo: class_id, instance_id is a hex integer, should it be converted to an integer? + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip" + init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" + code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip" + add_field => { "[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "cip_identity") { + ############################################################################################################################# + # cip_identity.log + # https://github.com/cisagov/ICSNPP + # + # TODO: device_status and device_state are a hex int string, convert to int? + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip_identity" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip_identity" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip_identity" + init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]" + code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip_identity" + add_field => { "[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "cip_io") { + ############################################################################################################################# + # cip_io.log + # https://github.com/cisagov/ICSNPP + # + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip_io" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip_io" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip_io" + init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" + code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip_io" + add_field => { "[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "enip") { + ############################################################################################################################# + # enip.log + # https://github.com/cisagov/ICSNPP + # + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_enip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_enip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_enip" + init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" + code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_enip" + add_field => { "[zeek_cols][service]" => "enip" } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1022_zeek_files.conf b/logstash/pipelines/zeek/1022_zeek_files.conf new file mode 100644 index 000000000..105492ee9 --- /dev/null +++ b/logstash/pipelines/zeek/1022_zeek_files.conf @@ -0,0 +1,72 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "files") { + ############################################################################################################################# + # files.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_v51_files_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_files" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_files" + init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]" + code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)" + } + } + if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') { + mutate { id => "mutate_split_zeek_files_conn_uids" + split => { "[zeek_cols][conn_uids]" => "," } } + } + if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') { + mutate { id => "mutate_split_zeek_files_tx_hosts" + split => { "[zeek_cols][tx_hosts]" => "," } } + } + if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') { + mutate { id => "mutate_split_zeek_files_rx_hosts" + split => { "[zeek_cols][rx_hosts]" => "," } } + } + mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers" + split => { "[zeek_cols][parent_fuid]" => "," + "[zeek_cols][analyzers]" => "," } } + } + + if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) { + mutate { + id => "mutate_add_field_zeek_files_conn_uids_to_uid" + add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}" + "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" } + } + } else if (![zeek_cols][uid]) { + mutate { + id => "mutate_add_fields_zeek_files_fuid_to_uid" + add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" } + } + } + + if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) { + mutate { id => "mutate_add_field_zeek_tx_hosts" + add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } } + } + + if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) { + mutate { id => "mutate_add_field_zeek_rx_hosts" + add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1023_zeek_ftp.conf b/logstash/pipelines/zeek/1023_zeek_ftp.conf new file mode 100644 index 000000000..30473a39f --- /dev/null +++ b/logstash/pipelines/zeek/1023_zeek_ftp.conf @@ -0,0 +1,42 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "ftp") { + ############################################################################################################################# + # ftp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ftp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ftp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ftp" + init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]" + code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ftp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ftp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1024_zeek_genisys.conf b/logstash/pipelines/zeek/1024_zeek_genisys.conf new file mode 100644 index 000000000..fb50b5d93 --- /dev/null +++ b/logstash/pipelines/zeek/1024_zeek_genisys.conf @@ -0,0 +1,49 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "genisys") { + ############################################################################################################################# + # genisys.log + # https://github.com/cisagov/icsnpp-genisys + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_genisys_fields" + rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" } + } + + } else { + dissect { + id => "dissect_zeek_genisys" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_genisys" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_genisys" + init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]" + code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_genisys" + add_field => { + "[zeek_cols][service]" => "genisys" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf new file mode 100644 index 000000000..b7e73d456 --- /dev/null +++ b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf @@ -0,0 +1,46 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ge_srtp") { + ############################################################################################################################# + # ge_srtp_general.log + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ge_srtp_log" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ge_srtp_log" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ge_srtp_log" + init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]" + code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_remove_field_ge_srtp_proto" + remove_field => [ "[zeek_cols][proto]" ] } + mutate { + id => "mutate_add_fields_zeek_ge_srtp_log" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ge_srtp" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1026_zeek_gquic.conf b/logstash/pipelines/zeek/1026_zeek_gquic.conf new file mode 100644 index 000000000..70a697dff --- /dev/null +++ b/logstash/pipelines/zeek/1026_zeek_gquic.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "gquic") { + ############################################################################################################################# + # gquic.log + # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_gquic" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_gquic" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_gquic" + init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]" + code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_gquic" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "quic" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf new file mode 100644 index 000000000..3df8e4445 --- /dev/null +++ b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf @@ -0,0 +1,210 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "hart_ip_common_commands") { + ############################################################################################################################# + # hart_ip_common_commands.log + # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_hart_ip_common_commands" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} %{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} %{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} %{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} %{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} %{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip_common_commands" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip_common_commands" + init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]" + code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_hart_ip_common_commands" + add_field => { + "[zeek_cols][service]" => "hart_ip" + } + add_tag => [ "ics" ] + } + + # The "proto" field in these logs is useless. + # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed + # The other fields are basically just placeholders we don't want to store the raw data for. + mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto" + remove_field => [ "[zeek_cols][proto]", + "[zeek][hart_ip][token_passing_pdu_contents_data_data]", + "[zeek][hart_ip][message_packet_bytes]", + "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] } + + + } else if ([log_source] == "hart_ip_direct_pdu_command") { + ############################################################################################################################# + # hart_ip_direct_pdu_command.log + # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_hart_ip_direct_pdu_command" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip_direct_pdu_command" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip_direct_pdu_command" + init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]" + code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command" + add_field => { + "[zeek_cols][service]" => "hart_ip" + } + add_tag => [ "ics" ] + } + + # The "proto" field in these logs is useless. + # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed + if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto" + remove_field => [ "[zeek_cols][proto]" ] } } + + } else if ([log_source] == "hart_ip") { + ############################################################################################################################# + # hart_ip.log + # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_hart_ip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} %{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip" + init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]" + code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_hart_ip" + add_field => { + "[zeek_cols][service]" => "hart_ip" + } + add_tag => [ "ics" ] + } + + # The "proto" field in these logs is useless. + # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed + if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto" + remove_field => [ "[zeek_cols][proto]" ] } } + + } else if ([log_source] == "hart_ip_session_record") { + ############################################################################################################################# + # hart_ip_session_record.log + # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_hart_ip_session_record" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip_session_record" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip_session_record" + init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]" + code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_hart_ip_session_record" + add_field => { + "[zeek_cols][service]" => "hart_ip" + } + add_tag => [ "ics" ] + } + + # The "proto" field in these logs is useless. + # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed + if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto" + remove_field => [ "[zeek_cols][proto]" ] } } + + } else if ([log_source] == "hart_ip_universal_commands") { + ############################################################################################################################# + # hart_ip_universal_commands.log + # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_hart_ip_universal_commands" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} %{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip_universal_commands" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip_universal_commands" + init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]" + code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_hart_ip_universal_commands" + add_field => { + "[zeek_cols][service]" => "hart_ip" + } + add_tag => [ "ics" ] + } + + # The "proto" field in these logs is useless. + # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed + if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto" + remove_field => [ "[zeek_cols][proto]" ] } } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1028_zeek_http.conf b/logstash/pipelines/zeek/1028_zeek_http.conf new file mode 100644 index 000000000..0baf87789 --- /dev/null +++ b/logstash/pipelines/zeek/1028_zeek_http.conf @@ -0,0 +1,59 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "http") { + ############################################################################################################################# + # http.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_http_fields" + rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } + } + + } else { + dissect { + id => "dissect_zeek_http_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_http" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_http" + init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]" + code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_http_commas" + split => { "[zeek_cols][client_header_names]" => "," + "[zeek_cols][orig_filenames]" => "," + "[zeek_cols][orig_fuids]" => "," + "[zeek_cols][orig_mime_types]" => "," + "[zeek_cols][proxied]" => "," + "[zeek_cols][resp_filenames]" => "," + "[zeek_cols][resp_fuids]" => "," + "[zeek_cols][resp_mime_types]" => "," + "[zeek_cols][server_header_names]" => "," + "[zeek_cols][tags]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_http" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "http" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1029_zeek_intel.conf b/logstash/pipelines/zeek/1029_zeek_intel.conf new file mode 100644 index 000000000..d284f10a4 --- /dev/null +++ b/logstash/pipelines/zeek/1029_zeek_intel.conf @@ -0,0 +1,56 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "intel") { + ############################################################################################################################# + # intel.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_intel_fields" + rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" } + rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" } + rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" } + rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" } + rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" } + rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" } + rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" } + } + + } else { + dissect { + id => "dissect_zeek_intel" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_intel" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_intel" + init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]" + code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_intel_commas" + split => { "[zeek_cols][sources]" => "," + "[zeek_cols][matched]" => "," } } + } + + # For some reason, even in JSON, I have cif_tags strings like: + # Network activity,osint:source-type=\"block-or-filter-list\" + # so whatever reason it's not already an array. Split it here. + mutate { id => "mutate_split_zeek_intel_cif_tags" + split => { "[zeek_cols][cif_tags]" => "," } } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1030_zeek_ipsec.conf b/logstash/pipelines/zeek/1030_zeek_ipsec.conf new file mode 100644 index 000000000..34d5a3a4c --- /dev/null +++ b/logstash/pipelines/zeek/1030_zeek_ipsec.conf @@ -0,0 +1,50 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ipsec") { + ############################################################################################################################# + # ipsec.log + # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ipsec" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ipsec" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ipsec" + init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]" + code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ipsec_commas" + split => { "[zeek_cols][vendor_ids]" => "," + "[zeek_cols][notify_messages]" => "," + "[zeek_cols][transforms]" => "," + "[zeek_cols][ke_dh_groups]" => "," + "[zeek_cols][proposals]" => "," + "[zeek_cols][certificates]" => "," + "[zeek_cols][transform_attributes]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ipsec" + add_field => { + "[zeek_cols][service]" => "ipsec" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1031_zeek_irc.conf b/logstash/pipelines/zeek/1031_zeek_irc.conf new file mode 100644 index 000000000..b674565e9 --- /dev/null +++ b/logstash/pipelines/zeek/1031_zeek_irc.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "irc") { + ############################################################################################################################# + # irc.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_irc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_irc" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_irc" + init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]" + code => "event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_irc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "irc" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1032_zeek_kerberos.conf b/logstash/pipelines/zeek/1032_zeek_kerberos.conf new file mode 100644 index 000000000..d79335c5e --- /dev/null +++ b/logstash/pipelines/zeek/1032_zeek_kerberos.conf @@ -0,0 +1,50 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "kerberos") { + ############################################################################################################################# + # kerberos.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_kerberos_fields" + rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" } + rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" } + } + + } else { + dissect { + id => "dissect_zeek_kerberos" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} %{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_kerberos" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_kerberos" + init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]" + code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_kerberos_commas" + split => { "[zeek_cols][client_cert_fuid]" => "," + "[zeek_cols][server_cert_fuid]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_krb5" + add_field => { "[zeek_cols][service]" => "krb" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1033_zeek_known.conf b/logstash/pipelines/zeek/1033_zeek_known.conf new file mode 100644 index 000000000..0b701453a --- /dev/null +++ b/logstash/pipelines/zeek/1033_zeek_known.conf @@ -0,0 +1,202 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "known_certs") { + ############################################################################################################################# + # known_certs.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_certs_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" } + } + + } else { + dissect { + id => "dissect_zeek_known_certs" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_certs" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_certs" + init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]" + code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_known_certs" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tls" + } + } + + } else if ([log_source] == "known_hosts") { + ############################################################################################################################# + # known_hosts.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_hosts_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + } + + } else { + dissect { + id => "dissect_zeek_known_hosts" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_hosts" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_hosts" + init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]" + code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } else if ([log_source] == "known_modbus") { + ############################################################################################################################# + # known_modbus.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_modbus_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + } + + } else { + dissect { + id => "dissect_zeek_known_modbus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_modbus" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_modbus" + init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]" + code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_gsub_zeek_known_modbus_device_type" + gsub => [ "[zeek_cols][device_type]", "Known::", "" ] } + + mutate { id => "mutate_gsub_zeek_known_modbus_master" + gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] } + + mutate { id => "mutate_gsub_zeek_known_modbus_slave" + gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] } + + mutate { id => "mutate_add_tag_ics_known_modbus_log" + add_tag => [ "ics" ] } + + } else if ([log_source] == "known_routers") { + ############################################################################################################################# + # known_routers.log + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_known_routers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_routers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_routers" + init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]" + code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } else if ([log_source] == "known_services") { + ############################################################################################################################# + # known_services.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_services_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" } + rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" } + rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" } + } + + } else { + dissect { + id => "dissect_zeek_known_services" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_services" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_services" + init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]" + code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_lowercase_zeek_known_services_service" + lowercase => [ "[zeek_cols][service]" ] } + + # normalize service string(s) + + # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix + mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix" + gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } + + if ([zeek_cols][service] =~ /^spicy_/) { + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } + + # some spicy services are named like blah_udp or blah_tcp, + # and we don't care about the _udp/_tcp suffix + mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix" + gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } + + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1034_zeek_ldap.conf b/logstash/pipelines/zeek/1034_zeek_ldap.conf new file mode 100644 index 000000000..3ae2f8f17 --- /dev/null +++ b/logstash/pipelines/zeek/1034_zeek_ldap.conf @@ -0,0 +1,100 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ldap") { + ############################################################################################################################# + # ldap.log + # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ldap_fields" + rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" } + rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" } + rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" } + rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } + rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" } + } + + } else { + dissect { + id => "dissect_zeek_ldap" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ldap" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ldap" + init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]" + code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ldap" + add_field => { + "[zeek_cols][service]" => "ldap" + } + + } + + } else if ([log_source] == "ldap_search") { + ############################################################################################################################# + # ldap_search.log + # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ldap_search_fields" + rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" } + rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" } + rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" } + rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } + rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" } + } + + } else { + dissect { + id => "dissect_zeek_ldap_search" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ldap_search" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ldap_search" + init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]" + code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ldap_search" + add_field => { + "[zeek_cols][service]" => "ldap" + } + + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1035_zeek_login.conf b/logstash/pipelines/zeek/1035_zeek_login.conf new file mode 100644 index 000000000..2460ffa56 --- /dev/null +++ b/logstash/pipelines/zeek/1035_zeek_login.conf @@ -0,0 +1,35 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "login") { + ############################################################################################################################# + # login.log + # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_login" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_login" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_login" + init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]" + code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1036_zeek_modbus.conf b/logstash/pipelines/zeek/1036_zeek_modbus.conf new file mode 100644 index 000000000..4ff4723cb --- /dev/null +++ b/logstash/pipelines/zeek/1036_zeek_modbus.conf @@ -0,0 +1,210 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "modbus") { + ############################################################################################################################# + # modbus.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_modbus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus" + init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus" + add_field => { "[zeek_cols][service]" => "modbus" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_detailed") { + ############################################################################################################################# + # modbus_detailed.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_detailed_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => "dissect_zeek_modbus_detailed" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_detailed" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_detailed" + init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_modbus_detailed_values" + split => { "[zeek_cols][values]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_detailed" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_mask_write_register") { + ############################################################################################################################# + # modbus_mask_write_register.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_mask_write_register_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => "dissect_zeek_modbus_mask_write_register" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_mask_write_register" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_mask_write_register" + init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_mask_write_register" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_read_device_identification") { + ############################################################################################################################# + # modbus_read_device_identification.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_read_device_identification_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => "dissect_zeek_modbus_read_device_identification" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_read_device_identification" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_read_device_identification" + init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_read_device_identification" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_read_write_multiple_registers") { + ############################################################################################################################# + # modbus_read_write_multiple_registers.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => "dissect_zeek_modbus_read_write_multiple_registers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_read_write_multiple_registers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_read_write_multiple_registers" + init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas" + split => { "[zeek_cols][read_registers]" => "," + "[zeek_cols][write_registers]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1037_zeek_mqtt.conf b/logstash/pipelines/zeek/1037_zeek_mqtt.conf new file mode 100644 index 000000000..8c3730f44 --- /dev/null +++ b/logstash/pipelines/zeek/1037_zeek_mqtt.conf @@ -0,0 +1,115 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "mqtt_connect") { + ############################################################################################################################# + # mqtt_connect.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_mqtt_connect" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mqtt_connect" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mqtt_connect" + init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]" + code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_mqtt_connect" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + } else if ([log_source] == "mqtt_publish") { + ############################################################################################################################# + # mqtt_publish.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_mqtt_publish" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mqtt_publish" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mqtt_publish" + init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]" + code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_mqtt_publish" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + } else if ([log_source] == "mqtt_subscribe") { + ############################################################################################################################# + # mqtt_subscribe.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_mqtt_subscribe" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mqtt_subscribe" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mqtt_subscribe" + init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]" + code => "event.set('[zeek_cols]', @zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_mqtt_subscribe_commas" + split => { "[zeek_cols][topics]" => "," + "[zeek_cols][qos_levels]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_mqtt_subscribe" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "mqtt" + } + } + + mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action" + gsub => [ "[zeek_cols][action]", "MQTT::", "" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1038_zeek_mysql.conf b/logstash/pipelines/zeek/1038_zeek_mysql.conf new file mode 100644 index 000000000..892ac1bb2 --- /dev/null +++ b/logstash/pipelines/zeek/1038_zeek_mysql.conf @@ -0,0 +1,40 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "mysql") { + ############################################################################################################################# + # mysql.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_mysql" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_mysql" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_mysql" + init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]" + code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_mysql" + add_field => { "[zeek_cols][service]" => "mysql" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1039_zeek_notice.conf b/logstash/pipelines/zeek/1039_zeek_notice.conf new file mode 100644 index 000000000..ac044fef8 --- /dev/null +++ b/logstash/pipelines/zeek/1039_zeek_notice.conf @@ -0,0 +1,53 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "notice") { + ############################################################################################################################# + # notice.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_notice_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_notice" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_notice" + init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]" + code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_notice_actions" + split => { "[zeek_cols][actions]" => "," } } + } + + if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or + ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) { + mutate { id => "mutate_replace_zeek_notice_orig_h" + replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } } + } + if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or + ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) { + mutate { id => "mutate_replace_zeek_notice_resp_h" + replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } } + } + if [zeek_cols][p] and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or + ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) { + mutate { id => "mutate_replace_zeek_resp_p" + replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1040_zeek_ntlm.conf b/logstash/pipelines/zeek/1040_zeek_ntlm.conf new file mode 100644 index 000000000..b0cafaee7 --- /dev/null +++ b/logstash/pipelines/zeek/1040_zeek_ntlm.conf @@ -0,0 +1,51 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ntlm") { + ############################################################################################################################# + # ntlm.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ntlm_fields" + rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" } + rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" } + rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" } + rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" } + rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" } + rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } + } + + } else { + dissect { + id => "dissect_zeek_ntlm_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ntlm" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ntlm" + init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer', 'server_dns_computer', 'server_tree', 'success' ]" + code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ntlm" + add_field => { "[zeek_cols][service]" => "ntlm" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1041_zeek_ntp.conf b/logstash/pipelines/zeek/1041_zeek_ntp.conf new file mode 100644 index 000000000..fc4196b57 --- /dev/null +++ b/logstash/pipelines/zeek/1041_zeek_ntp.conf @@ -0,0 +1,42 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "ntp") { + ############################################################################################################################# + # ntp.log + # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ntp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ntp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ntp" + init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]" + code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ntp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "ntp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1042_zeek_ocsp.conf b/logstash/pipelines/zeek/1042_zeek_ocsp.conf new file mode 100644 index 000000000..b6919838e --- /dev/null +++ b/logstash/pipelines/zeek/1042_zeek_ocsp.conf @@ -0,0 +1,39 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ocsp") { + ############################################################################################################################# + # ocsp.log + # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ocsp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ocsp" + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_ocsp" + init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]" + code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_fields_zeek_service_ocsp" + add_field => { "[zeek_cols][service]" => "X.509" } } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf new file mode 100644 index 000000000..b9431e3d2 --- /dev/null +++ b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf @@ -0,0 +1,1598 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] =~ /^opcua_binary/) { + if ([log_source] == "opcua_binary") { + ############################################################################################################################# + # opcua_binary.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary" + init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session") { + ############################################################################################################################# + # opcua_binary_activate_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session" + init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") { + ############################################################################################################################# + # opcua_binary_activate_session_client_software_cert.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session_client_software_cert" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert" + init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session_locale_id") { + ############################################################################################################################# + # opcua_binary_activate_session_locale_id.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session_locale_id" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_locale_id" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id" + init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_aggregate_filter") { + ############################################################################################################################# + # opcua_binary_aggregate_filter.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_aggregate_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_aggregate_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_aggregate_filter" + init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") { + ############################################################################################################################# + # opcua_binary_event_filter_attribute_operand.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_attribute_operand" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand" + init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") { + ############################################################################################################################# + # opcua_binary_event_filter_attribute_operand_browse_paths.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse") { + ############################################################################################################################# + # opcua_binary_browse.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse" + init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_description") { + ############################################################################################################################# + # opcua_binary_browse_description.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_description" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_description" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_description" + init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_description" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_response_references") { + ############################################################################################################################# + # opcua_binary_browse_response_references.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_response_references" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_response_references" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_response_references" + init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_response_references" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_request_continuation_point") { + ############################################################################################################################# + # opcua_binary_browse_request_continuation_point.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_request_continuation_point" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point" + init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_result") { + ############################################################################################################################# + # opcua_binary_browse_result.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_result" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_result" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_result" + init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_result" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_close_session") { + ############################################################################################################################# + # opcua_binary_close_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_close_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_close_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_close_session" + init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_close_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_where_clause") { + ############################################################################################################################# + # opcua_binary_event_filter_where_clause.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_where_clause" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_where_clause" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause" + init => "@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") { + ############################################################################################################################# + # opcua_binary_event_filter_where_clause_elements.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements" + init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_monitored_items") { + ############################################################################################################################# + # opcua_binary_create_monitored_items.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_monitored_items" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_monitored_items" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_monitored_items" + init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_monitored_items_create_item") { + ############################################################################################################################# + # opcua_binary_create_monitored_items_create_item.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_monitored_items_create_item" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} %{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item" + init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session") { + ############################################################################################################################# + # opcua_binary_create_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session" + init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_discovery") { + ############################################################################################################################# + # opcua_binary_create_session_discovery.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_discovery" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_discovery" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_discovery" + init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session_discovery" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_endpoints") { + ############################################################################################################################# + # opcua_binary_create_session_endpoints.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_endpoints" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_endpoints" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_endpoints" + init => "@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_user_token") { + ############################################################################################################################# + # opcua_binary_create_session_user_token.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_user_token" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_user_token" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_user_token" + init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_subscription") { + ############################################################################################################################# + # opcua_binary_create_subscription.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_subscription" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_subscription" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_subscription" + init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_subscription" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_data_change_filter") { + ############################################################################################################################# + # opcua_binary_data_change_filter.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_data_change_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_data_change_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_data_change_filter" + init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_data_change_filter" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_diag_info_detail") { + ############################################################################################################################# + # opcua_binary_diag_info_detail.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_diag_info_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_diag_info_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_diag_info_detail" + init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_element_operand") { + ############################################################################################################################# + # opcua_binary_event_filter_element_operand.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_element_operand" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_element_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand" + init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter") { + ############################################################################################################################# + # opcua_binary_event_filter.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter" + init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints") { + ############################################################################################################################# + # opcua_binary_get_endpoints.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints" + init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints_description") { + ############################################################################################################################# + # opcua_binary_get_endpoints_description.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_description" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_description" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_description" + init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints_discovery") { + ############################################################################################################################# + # opcua_binary_get_endpoints_discovery.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_discovery" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery" + init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") { + ############################################################################################################################# + # opcua_binary_get_endpoints_locale_id.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_locale_id" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id" + init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") { + ############################################################################################################################# + # opcua_binary_get_endpoints_profile_uri.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri" + init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_get_endpoints_user_token") { + ############################################################################################################################# + # opcua_binary_get_endpoints_user_token.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_user_token" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token" + init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_literal_operand") { + ############################################################################################################################# + # opcua_binary_event_filter_literal_operand.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_literal_operand" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand" + init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_opensecure_channel") { + ############################################################################################################################# + # opcua_binary_opensecure_channel.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_opensecure_channel" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_opensecure_channel" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_opensecure_channel" + init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_read") { + ############################################################################################################################# + # opcua_binary_read.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_read" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_read" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_read" + init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_read" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_read_nodes_to_read") { + ############################################################################################################################# + # opcua_binary_read_nodes_to_read.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_read_nodes_to_read" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} %{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_read_nodes_to_read" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read" + init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_read_results") { + ############################################################################################################################# + # opcua_binary_read_results.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_read_results" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_read_results" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_read_results" + init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_read_results" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_select_clause") { + ############################################################################################################################# + # opcua_binary_event_filter_select_clause.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_select_clause" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_select_clause" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause" + init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") { + ############################################################################################################################# + # opcua_binary_event_filter_simple_attribute_operand.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand" + init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") { + ############################################################################################################################# + # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_status_code_detail") { + ############################################################################################################################# + # opcua_binary_status_code_detail.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_status_code_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_status_code_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_status_code_detail" + init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_status_code_detail" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_array_dims") { + ############################################################################################################################# + # opcua_binary_variant_array_dims.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_array_dims" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_array_dims" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_array_dims" + init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_data") { + ############################################################################################################################# + # opcua_binary_variant_data.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_data" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_data" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_data" + init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_data" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_data_value") { + ############################################################################################################################# + # opcua_binary_variant_data_value.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_data_value" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_data_value" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_data_value" + init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_data_value" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_extension_object") { + ############################################################################################################################# + # opcua_binary_variant_extension_object.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_extension_object" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_extension_object" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_extension_object" + init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_metadata") { + ############################################################################################################################# + # opcua_binary_variant_metadata.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_metadata" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_metadata" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_metadata" + init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_metadata" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else { + # some other unknown zeek opcua- log file. should start with ts at least! + + if ("_jsonparsesuccess" not in [tags]) { + csv { + id => "csv_zeek_unknown_opcua" + columns => ["ts"] + separator => " " + # there's no way to *disable* the csv quote char, so set it to something we'll never see + quote_char => " " + + target => "[zeek_cols]" + } + } + + mutate { id => "mutate_add_tag_zeek_unknown_opcua" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "_unknown_log_type" ] + } + + } # if / else if for opcua log types + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1044_zeek_ospf.conf b/logstash/pipelines/zeek/1044_zeek_ospf.conf new file mode 100644 index 000000000..462bb4979 --- /dev/null +++ b/logstash/pipelines/zeek/1044_zeek_ospf.conf @@ -0,0 +1,59 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ospf") { + ############################################################################################################################# + # ospf.log + # https://github.com/corelight/zeek-spicy-ospf + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ospf_fields" + rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" } + } + + } else { + dissect { + id => "dissect_zeek_ospf" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ospf" + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_ospf" + init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]" + code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ospf_commas" + split => { "[zeek_cols][neighbors]" => "," + "[zeek_cols][routers]" => "," + "[zeek_cols][metrics]" => "," + "[zeek_cols][fwd_addrs]" => "," + "[zeek_cols][route_tags]" => "," + "[zeek_cols][link_prefixes]" => "," + "[zeek_cols][intra_prefixes]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ospf" + add_field => { + "[zeek_cols][proto]" => "ospf" + "[zeek_cols][service]" => "ospf" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1045_zeek_pe.conf b/logstash/pipelines/zeek/1045_zeek_pe.conf new file mode 100644 index 000000000..992c6829d --- /dev/null +++ b/logstash/pipelines/zeek/1045_zeek_pe.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "pe") { + ############################################################################################################################# + # pe.log + # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_pe_fields" + rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" } + } + + } else { + dissect { + id => "dissect_zeek_pe" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_pe" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_pe" + init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]" + code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_pe_section_names" + split => { "[zeek_cols][section_names]" => "," } } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1046_zeek_profinet.conf b/logstash/pipelines/zeek/1046_zeek_profinet.conf new file mode 100644 index 000000000..e02d05afc --- /dev/null +++ b/logstash/pipelines/zeek/1046_zeek_profinet.conf @@ -0,0 +1,115 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "profinet") { + ############################################################################################################################# + # profinet.log + # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_profinet" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_profinet" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_profinet" + init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]" + code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_profinet" + add_field => { "[zeek_cols][service]" => "profinet" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "profinet_dce_rpc") { + ############################################################################################################################# + # profinet_dce_rpc.log + # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_profinet_dce_rpc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_profinet_dce_rpc" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_profinet_dce_rpc" + init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]" + code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_profinet_dce_rpc" + add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "profinet_io_cm") { + ############################################################################################################################# + # profinet_io_cm.log + # https://github.com/cisagov/icsnpp-profinet-io-cm + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_profinet_io_cm_fields" + rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" } + rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" } + } + + } else { + dissect { + id => "dissect_zeek_profinet_io_cm" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_profinet_io_cm" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_profinet_io_cm" + init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]" + code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_profinet_io_cm_commas" + split => { "[zeek_cols][sel_ack]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_profinet_io_cm" + add_field => { + "[zeek_cols][proto]" => "udp" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1047_zeek_radius.conf b/logstash/pipelines/zeek/1047_zeek_radius.conf new file mode 100644 index 000000000..8164bdcd2 --- /dev/null +++ b/logstash/pipelines/zeek/1047_zeek_radius.conf @@ -0,0 +1,46 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "radius") { + ############################################################################################################################# + # radius.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_radius_fields" + rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } + } + + } else { + dissect { + id => "dissect_zeek_radius" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_radius" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_radius" + init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]" + code => "event.set('[zeek_cols]', @zeek_radius_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_radius" + add_field => { "[zeek_cols][service]" => "radius" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1048_zeek_rdp.conf b/logstash/pipelines/zeek/1048_zeek_rdp.conf new file mode 100644 index 000000000..c773b9962 --- /dev/null +++ b/logstash/pipelines/zeek/1048_zeek_rdp.conf @@ -0,0 +1,46 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "rdp") { + ############################################################################################################################# + # rdp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_rdp_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_rdp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_rdp" + init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" + code => "event.set('[zeek_cols]', @zeek_rdp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_rdp_client_channels" + split => { "[zeek_cols][client_channels]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_rdp" + add_field => { "[zeek_cols][service]" => "rdp" } + } + + # remove RDP prefix from client_build (version) + mutate { id => "mutate_gsub_field_zeek_rdp_client_build" + gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1049_zeek_rfb.conf b/logstash/pipelines/zeek/1049_zeek_rfb.conf new file mode 100644 index 000000000..e65d628fc --- /dev/null +++ b/logstash/pipelines/zeek/1049_zeek_rfb.conf @@ -0,0 +1,39 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "rfb") { + ############################################################################################################################# + # rfb.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_rfb" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_rfb" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_rfb" + init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]" + code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_rfb" + add_field => { "[zeek_cols][service]" => "rfb" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1050_zeek_s7comm.conf b/logstash/pipelines/zeek/1050_zeek_s7comm.conf new file mode 100644 index 000000000..4b808b194 --- /dev/null +++ b/logstash/pipelines/zeek/1050_zeek_s7comm.conf @@ -0,0 +1,186 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "cotp") { + ############################################################################################################################# + # cotp.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cotp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cotp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cotp" + init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]" + code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cotp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "cotp" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm") { + ############################################################################################################################# + # s7comm.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm" + init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_plus") { + ############################################################################################################################# + # s7comm_plus.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm_plus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_plus" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_plus" + init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_plus" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm_plus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_read_szl") { + ############################################################################################################################# + # s7comm_read_szl.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm_read_szl" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_read_szl" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_read_szl" + init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_read_szl" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_upload_download") { + ############################################################################################################################# + # s7comm_upload_download.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_s7comm_upload_download_fields" + rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" } + } + + } else { + dissect { + id => "dissect_zeek_s7comm_upload_download" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_upload_download" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_upload_download" + init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_upload_download" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1051_zeek_signatures.conf b/logstash/pipelines/zeek/1051_zeek_signatures.conf new file mode 100644 index 000000000..4f6a20441 --- /dev/null +++ b/logstash/pipelines/zeek/1051_zeek_signatures.conf @@ -0,0 +1,40 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "signatures") { + ############################################################################################################################# + # signatures.log + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_signatures" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_signatures" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_signatures" + init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]" + code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)" + } + } + if ("_carved" in [tags]) { + # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it: + # - _carved signature logs' sub_message contains fuid(s) comma-separated + mutate { id => "mutate_split_zeek_signatures_sub_message" + split => { "[zeek_cols][sub_message]" => "," } } + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1052_zeek_sip.conf b/logstash/pipelines/zeek/1052_zeek_sip.conf new file mode 100644 index 000000000..fc49f7c33 --- /dev/null +++ b/logstash/pipelines/zeek/1052_zeek_sip.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "sip") { + ############################################################################################################################# + # sip.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_sip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} %{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_sip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_sip" + init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]" + code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_sip_commas" + split => { "[zeek_cols][request_path]" => "," + "[zeek_cols][response_path]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_sip" + add_field => { "[zeek_cols][service]" => "sip" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1053_zeek_smb.conf b/logstash/pipelines/zeek/1053_zeek_smb.conf new file mode 100644 index 000000000..9e42d4429 --- /dev/null +++ b/logstash/pipelines/zeek/1053_zeek_smb.conf @@ -0,0 +1,131 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "smb_cmd") { + ############################################################################################################################# + # smb_cmd.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo + # + # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be + # merged up as its own top-level entity so I don't have to duplicate the parsing effort below + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields" + rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" } + rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" } + rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" } + rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" } + } + + } else { + dissect { + id => "dissect_zeek_smb_cmd" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_cmd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_cmd" + init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]" + code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_cmd" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + # remove SMB prefix from version + mutate { id => "mutate_gsub_field_zeek_smb_cmd_version" + gsub => [ "[zeek_cols][version]", "^SMB", "" ] } + + mutate { id => "mutate_gsub_zeek_smb_cmd_command" + gsub => [ "[zeek_cols][command]", "^SMB::", "" ] } + + } else if ([log_source] == "smb_files") { + ############################################################################################################################# + # smb_files.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smb_files_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_files" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_files" + init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]" + code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_files" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + mutate { id => "mutate_gsub_zeek_smb_files_action" + gsub => [ "[zeek_cols][action]", "^SMB::", "" ] } + + } else if ([log_source] == "smb_mapping") { + ############################################################################################################################# + # smb_mapping.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smb_mapping" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_mapping" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_mapping" + init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]" + code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_mapping" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1054_zeek_smtp.conf b/logstash/pipelines/zeek/1054_zeek_smtp.conf new file mode 100644 index 000000000..f4587c5d5 --- /dev/null +++ b/logstash/pipelines/zeek/1054_zeek_smtp.conf @@ -0,0 +1,48 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "smtp") { + ############################################################################################################################# + # smtp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smtp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smtp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smtp" + init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]" + code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_smtp_commas" + split => { "[zeek_cols][rcptto]" => "," + "[zeek_cols][to]" => "," + "[zeek_cols][cc]" => "," + "[zeek_cols][path]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_smtp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smtp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1055_zeek_snmp.conf b/logstash/pipelines/zeek/1055_zeek_snmp.conf new file mode 100644 index 000000000..2991ed095 --- /dev/null +++ b/logstash/pipelines/zeek/1055_zeek_snmp.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "snmp") { + ############################################################################################################################# + # snmp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_snmp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_snmp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_snmp" + init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]" + code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_snmp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "snmp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1056_zeek_socks.conf b/logstash/pipelines/zeek/1056_zeek_socks.conf new file mode 100644 index 000000000..aeec39cb0 --- /dev/null +++ b/logstash/pipelines/zeek/1056_zeek_socks.conf @@ -0,0 +1,40 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "socks") { + ############################################################################################################################# + # socks.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_socks" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_socks" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_socks" + init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]" + code => "event.set('[zeek_cols]', @zeek_socks_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_socks" + add_field => { "[zeek_cols][service]" => "socks" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1057_zeek_software.conf b/logstash/pipelines/zeek/1057_zeek_software.conf new file mode 100644 index 000000000..e6cfe36d5 --- /dev/null +++ b/logstash/pipelines/zeek/1057_zeek_software.conf @@ -0,0 +1,47 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "software") { + ############################################################################################################################# + # software.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_software_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" } + rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" } + rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" } + rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" } + rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" } + rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" } + } + + } else { + dissect { + id => "dissect_zeek_software" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_software" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_software" + init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]" + code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1058_zeek_ssh.conf b/logstash/pipelines/zeek/1058_zeek_ssh.conf new file mode 100644 index 000000000..bf1177a34 --- /dev/null +++ b/logstash/pipelines/zeek/1058_zeek_ssh.conf @@ -0,0 +1,87 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ja4ssh") { + ############################################################################################################################# + # ja4ssh.log + # https://github.com/FoxIO-LLC/ja4 + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ja4ssh" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ja4ssh" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ja4ssh" + init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]" + code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ja4ssh" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ssh" + } + } + + } else if ([log_source] == "ssh") { + ############################################################################################################################# + # ssh.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ssh_fields" + rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" } + } + + } else { + dissect { + id => "dissect_zeek_ssh_with_all_fields_with_hassh" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} %{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ssh" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ssh" + init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]" + code => "event.set('[zeek_cols]', @zeek_ssh_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ssh_commas" + split => { "[zeek_cols][hasshAlgorithms]" => "," + "[zeek_cols][hasshServerAlgorithms]" => "," + "[zeek_cols][cshka]" => "," + "[zeek_cols][sshka]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ssh" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ssh" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1059_zeek_ssl.conf b/logstash/pipelines/zeek/1059_zeek_ssl.conf new file mode 100644 index 000000000..675bb103b --- /dev/null +++ b/logstash/pipelines/zeek/1059_zeek_ssl.conf @@ -0,0 +1,54 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ssl") { + ############################################################################################################################# + # ssl.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ssl_fields" + rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" } + } + + } else { + dissect { + id => "dissect_zeek_ssl_v1_with_ja4" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ssl" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ssl" + init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]" + code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ssl_commas" + split => { "[zeek_cols][cert_chain_fuids]" => "," + "[zeek_cols][client_cert_chain_fuids]" => "," + "[zeek_cols][cert_chain_fps]" => "," + "[zeek_cols][client_cert_chain_fps]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ssl" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tls" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1060_zeek_stun.conf b/logstash/pipelines/zeek/1060_zeek_stun.conf new file mode 100644 index 000000000..fdb291513 --- /dev/null +++ b/logstash/pipelines/zeek/1060_zeek_stun.conf @@ -0,0 +1,96 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "stun") { + ############################################################################################################################# + # stun.log + # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_stun_fields" + rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" } + rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" } + } + + } else { + dissect { + id => "dissect_zeek_stun" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_stun" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_stun" + init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 'method', 'class', 'attr_type', 'attr_val' ]" + code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_field_zeek_stun_commas" + split => { "[zeek_cols][attr_type]" => "," + "[zeek_cols][attr_val]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_stun" + add_field => { + "[zeek_cols][service]" => "stun" + } + } + + } else if ([log_source] == "stun_nat") { + ############################################################################################################################# + # stun.log + # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_stun_nat_fields" + rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" } + rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" } + rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_stun_nat" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_stun_nat" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_stun_nat" + init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]" + code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_field_zeek_stun_nat_commas" + split => { "[zeek_cols][wan_addrs]" => "," + "[zeek_cols][wan_ports]" => "," + "[zeek_cols][lan_addrs]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_stun_nat" + add_field => { + "[zeek_cols][service]" => "stun" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf new file mode 100644 index 000000000..ad4795ec7 --- /dev/null +++ b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf @@ -0,0 +1,242 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "synchrophasor") { + ############################################################################################################################# + # synchrophasor.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor" + init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + + } else if ([log_source] == "synchrophasor_cmd") { + ############################################################################################################################# + # synchrophasor_cmd.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cmd" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cmd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cmd" + init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cmd" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg") { + ############################################################################################################################# + # synchrophasor_cfg.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cfg" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg" + init => "@zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg_detail") { + ############################################################################################################################# + # synchrophasor_cfg_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cfg_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg_detail" + init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_data") { + ############################################################################################################################# + # synchrophasor_data.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_data" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_data" + init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_data_detail") { + ############################################################################################################################# + # synchrophasor_data_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_data_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_data_detail" + init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_hdr") { + ############################################################################################################################# + # synchrophasor_hdr.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_hdr" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_hdr" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_hdr" + init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_hdr" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1062_zeek_syslog.conf b/logstash/pipelines/zeek/1062_zeek_syslog.conf new file mode 100644 index 000000000..efb0ed69b --- /dev/null +++ b/logstash/pipelines/zeek/1062_zeek_syslog.conf @@ -0,0 +1,40 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "syslog") { + ############################################################################################################################# + # syslog.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_syslog" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_syslog" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_syslog" + init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]" + code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_syslog" + add_field => { "[zeek_cols][service]" => "syslog" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1063_zeek_tds.conf b/logstash/pipelines/zeek/1063_zeek_tds.conf new file mode 100644 index 000000000..23a724d0c --- /dev/null +++ b/logstash/pipelines/zeek/1063_zeek_tds.conf @@ -0,0 +1,115 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "tds") { + ############################################################################################################################# + # tds.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tds" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds" + init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]" + code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([log_source] == "tds_rpc") { + ############################################################################################################################# + # tds_rpc.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_tds_rpc_fields" + rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" } + } + + } else { + dissect { + id => "dissect_zeek_tds_rpc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds_rpc" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds_rpc" + init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]" + code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds_rpc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([log_source] == "tds_sql_batch") { + ############################################################################################################################# + # tds_sql_batch.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tds_sql_batch" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds_sql_batch" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds_sql_batch" + init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]" + code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds_sql_batch" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1064_zeek_tftp.conf b/logstash/pipelines/zeek/1064_zeek_tftp.conf new file mode 100644 index 000000000..67cd6acef --- /dev/null +++ b/logstash/pipelines/zeek/1064_zeek_tftp.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "tftp") { + ############################################################################################################################# + # tftp.log + # https://github.com/zeek/spicy-tftp + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tftp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tftp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tftp" + init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]" + code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tftp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "tftp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1065_zeek_tunnel.conf b/logstash/pipelines/zeek/1065_zeek_tunnel.conf new file mode 100644 index 000000000..6dfa8829f --- /dev/null +++ b/logstash/pipelines/zeek/1065_zeek_tunnel.conf @@ -0,0 +1,48 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "tunnel") { + ############################################################################################################################# + # tunnel.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tunnel" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tunnel" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tunnel" + init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]" + code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_gsub_zeek_tunnel_action" + gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] } + + mutate { id => "mutate_gsub_zeek_tunnel_type" + gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] } + + mutate { + id => "mutate_add_fields_zeek_tunnel" + add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" } + } + + mutate { id => "mutate_lowercase_zeek_tunnel_service" + lowercase => [ "[zeek_cols][service]" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1066_zeek_weird.conf b/logstash/pipelines/zeek/1066_zeek_weird.conf new file mode 100644 index 000000000..4c1da69e3 --- /dev/null +++ b/logstash/pipelines/zeek/1066_zeek_weird.conf @@ -0,0 +1,35 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "weird") { + ############################################################################################################################# + # weird.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_weird" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_weird" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_weird" + init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]" + code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1067_zeek_wireguard.conf b/logstash/pipelines/zeek/1067_zeek_wireguard.conf new file mode 100644 index 000000000..4a69f88d7 --- /dev/null +++ b/logstash/pipelines/zeek/1067_zeek_wireguard.conf @@ -0,0 +1,45 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "wireguard") { + ############################################################################################################################# + # wireguard.log + # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_wireguard" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_wireguard" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_wireguard" + init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]" + code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_gsub_zeek_wireguard_packet_type" + gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] } + + mutate { + id => "mutate_add_field_zeek_service_wireguard" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "wireguard" + } + } + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1068_zeek_x509.conf b/logstash/pipelines/zeek/1068_zeek_x509.conf new file mode 100644 index 000000000..9705ebd83 --- /dev/null +++ b/logstash/pipelines/zeek/1068_zeek_x509.conf @@ -0,0 +1,63 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "x509") { + ############################################################################################################################# + # x509.log + # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_x509_fields" + rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" } + rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" } + rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" } + rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" } + rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" } + rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" } + rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" } + rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" } + rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" } + rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" } + rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" } + rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" } + rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" } + rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" } + rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" } + rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" } + rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" } + rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" } + } + + } else { + dissect { + id => "dissect_zeek_x509_v1" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_x509" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_x509" + init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]" + code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_x509_san_ip" + split => { "[zeek_cols][san_ip]" => "," + "[zeek_cols][fingerprint]" => "," } } + } + + mutate { id => "mutate_add_fields_zeek_x509" + add_field => { "[zeek_cols][service]" => "X.509" } } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1199_zeek_unknown.conf b/logstash/pipelines/zeek/1199_zeek_unknown.conf new file mode 100644 index 000000000..ea72245c1 --- /dev/null +++ b/logstash/pipelines/zeek/1199_zeek_unknown.conf @@ -0,0 +1,27 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if (![zeek_cols]) { + + if ("_jsonparsesuccess" not in [tags]) { + # some other unknown zeek log file. should start with ts at least! + csv { + id => "csv_zeek_unknown" + columns => ["ts"] + separator => " " + # there's no way to *disable* the csv quote char, so set it to something we'll never see + quote_char => " " + + target => "[zeek_cols]" + } + } + + mutate { id => "mutate_add_tag_zeek_unknown" + add_tag => [ "_unknown_log_type" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf deleted file mode 100644 index 83daff13b..000000000 --- a/logstash/pipelines/zeek/11_zeek_parse.conf +++ /dev/null @@ -1,6411 +0,0 @@ -######################## -# zeek -> arkime session creation and enrichment -# -# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation -# -# see source.zeeklogs.js for the Arkime code that turns these into UI fields -# -# to profile, debug: -# - get filters sorted by execution time (where in > 0) -# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4 -# - get filters where in != out -# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' -# -# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. -####################### - -filter { - - # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below - if ([message] =~ /^{.*}$/) { json { - id => "json_zeek_message_parse" - source => "[message]" - target => "[zeek_cols]" - add_tag => [ "_jsonparsesuccess" ] - } } - - - # in JSON, do some global renaming of common fields to make them match the names we'd - # be assigning to them if we were reading TSV - if ("_jsonparsesuccess" in [tags]) { - - # some of the ICSNPP parsers do an interesting thing to handle source and destination fields - # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields) - # so check for and handle those first - ruby { - id => "ruby_zeek_json_determine_source_destination_fields" - code => " - if ![event.get('[zeek_cols][source_h]').to_s, - event.get('[zeek_cols][source_p]').to_s, - event.get('[zeek_cols][destination_h]').to_s, - event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? || (e == '0') }.empty? then - event.set('[@metadata][icsnpp_source_dest_fields]', 'true') - end - " - } - if ([@metadata][icsnpp_source_dest_fields]) { - mutate { - id => "mutate_rename_zeek_json_common_reversed_direction_fields" - rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" } - rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" } - rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" } - rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" } - rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" } - rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" } - } - - } else { - mutate { - id => "mutate_rename_zeek_json_common_fields" - rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" } - rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" } - } - } # icsnpp_source_dest_fields or not - } # _jsonparsesuccess in tags - - # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it - # is not as flexible when it comes to missing or extra columns - # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62) - # - # So, if the dissect filter fails, we're going to fall back to split-then-zip solution. - # This should be a good tradeoff between performance (in the case where the Zeek logs - # match what we think they should look like) and flexibility (when they don't). - # - # The one drawback is that if you make a change to the fields in dissect, make sure - # you make the corresponding change in the ruby init code. - - if ([log_source] == "conn") { - ############################################################################################################################# - # conn.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_conn_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_conn" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_conn" - init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]" - code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - # normalize service string(s) - - # For some reason, even in JSON, I have service strings like: - # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",... - # so whatever reason it's not already an array. Split it here. - mutate { id => "mutate_split_zeek_conn_commas" - split => { "[zeek_cols][service]" => "," } } - - # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix - mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix" - gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } - - # if it's coming from spicy, we don't care to have that in the service name - mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix" - gsub => [ "[zeek_cols][service]", "spicy_", "" ] } - - mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix" - gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } - - if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') { - mutate { id => "mutate_add_field_zeek_srcBytes" - add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } } - } - if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') { - mutate { id => "mutate_add_field_zeek_dstBytes" - add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } } - } - if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') { - mutate { id => "mutate_add_field_zeek_srcPackets" - add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } } - } - if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') { - mutate { id => "mutate_add_field_zeek_srcDataBytes" - add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } } - } - if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') { - mutate { id => "mutate_add_field_zeek_dstPackets" - add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } } - } - if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') { - mutate { id => "mutate_add_field_zeek_dstDataBytes" - add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } } - } - if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') { - if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents" - split => { "[zeek_cols][tunnel_parents]" => "," } } } - mutate { id => "mutate_add_field_zeek_conn_rootId" - add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } } - } - - } else if ([log_source] == "bacnet") { - ############################################################################################################################# - # bacnet.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bacnet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet" - init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" - code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bacnet" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bacnet" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bestguess") { - ############################################################################################################################# - # bestguess.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bestguess" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bestguess" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bestguess" - init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]" - code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_ics_best_guess_log" - add_tag => [ "ics_best_guess" ] } - - } else if ([log_source] == "bsap_ip_header") { - ############################################################################################################################# - # bsap_ip_header.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_ip_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_ip_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_ip_header" - init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_ip_header" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_ip_rdb") { - ############################################################################################################################# - # bsap_ip_rdb.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_ip_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_ip_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_ip_rdb" - init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_ip_rdb" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_header") { - ############################################################################################################################# - # bsap_serial_header.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_header" - init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_header" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_rdb") { - ############################################################################################################################# - # bsap_serial_rdb.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_rdb" - init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_rdb" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_rdb_ext") { - ############################################################################################################################# - # bsap_serial_rdb_ext.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_rdb_ext" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_rdb_ext" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_rdb_ext" - init => "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_rdb_ext" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - # for now, drop hex-encoded binary data for size - if ([zeek_cols][data]) { - mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data" - remove_field => [ "[zeek_cols][data]" ] } - } - - } else if ([log_source] == "bacnet_device_control") { - ############################################################################################################################# - # bacnet_device_control.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet_device_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bacnet_device_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet_device_control" - init => "@zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]" - code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bacnet_device_control" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bacnet" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bacnet_discovery") { - ############################################################################################################################# - # bacnet_discovery.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bacnet_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet_discovery" - init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" - code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bacnet_discovery" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bacnet" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bacnet_property") { - ############################################################################################################################# - # bacnet_property.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet_property" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bacnet_property" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet_property" - init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" - code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bacnet_property" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bacnet" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "cip") { - ############################################################################################################################# - # cip.log - # https://github.com/cisagov/ICSNPP - # - # todo: class_id, instance_id is a hex integer, should it be converted to an integer? - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_cip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_cip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_cip" - init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" - code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_cip" - add_field => { "[zeek_cols][service]" => "cip" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "cip_identity") { - ############################################################################################################################# - # cip_identity.log - # https://github.com/cisagov/ICSNPP - # - # TODO: device_status and device_state are a hex int string, convert to int? - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_cip_identity" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_cip_identity" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_cip_identity" - init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]" - code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_cip_identity" - add_field => { "[zeek_cols][service]" => "cip" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "cip_io") { - ############################################################################################################################# - # cip_io.log - # https://github.com/cisagov/ICSNPP - # - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_cip_io" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_cip_io" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_cip_io" - init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" - code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_cip_io" - add_field => { "[zeek_cols][service]" => "cip" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "dce_rpc") { - ############################################################################################################################# - # dce_rpc.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_dce_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dce_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dce_rpc" - init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]" - code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_dce_rpc" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "dce_rpc" - } - } - - } else if ([log_source] == "dhcp") { - ############################################################################################################################# - # dhcp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_dhcp_fields" - rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" } - rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" } - rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" } - rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" } - } - - } else { - dissect { - id => "dissect_zeek_dhcp_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dhcp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dhcp" - init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]" - code => "event.set('[zeek_cols]', @zeek_dhcp_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_dhcp_msg_types" - split => { "[zeek_cols][msg_types]" => "," } } - if ([zeek_cols][uid]) and - ([zeek_cols][uid] != '(empty)') and - ([zeek_cols][uid] != '') { - mutate { id => "mutate_split_zeek_dhcp_uids" - split => { "[zeek_cols][uid]" => "," } } - } - } - - if ([zeek_cols][uid] and [zeek_cols][uid][0]) { - mutate { id => "mutate_add_field_zeek_dhcp_uids" - add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } } - } - - if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) { - mutate { - id => "mutate_add_field_zeek_dhcp_ports" - add_field => { - "[zeek_cols][orig_p]" => 68 - "[zeek_cols][resp_p]" => 67 - } - } - } - - mutate { - id => "mutate_add_fields_zeek_dhcp" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "dhcp" - } - } - - } else if ([log_source] == "dnp3") { - ############################################################################################################################# - # dnp3.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_dnp3" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dnp3" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dnp3" - init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]" - code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_dnp3" - add_field => { "[zeek_cols][service]" => "dnp3" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "dnp3_control") { - ############################################################################################################################# - # dnp3_control.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_dnp3_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dnp3_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dnp3_control" - init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]" - code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_dnp3_control" - add_field => { "[zeek_cols][service]" => "dnp3" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "dnp3_objects") { - ############################################################################################################################# - # dnp3_objects.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_dnp3_objects" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dnp3_objects" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dnp3_objects" - init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]" - code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_dnp3_objects" - add_field => { "[zeek_cols][service]" => "dnp3" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "dns") { - ############################################################################################################################# - # dns.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_dns" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dns" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dns" - init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]" - code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_dns_commas" - split => { "[zeek_cols][TTLs]" => "," - "[zeek_cols][answers]" => "," } } - } - - # remove C_ prefix from qclass_name - mutate { id => "mutate_gsub_field_zeek_dns_qclass_name" - gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] } - - mutate { - id => "mutate_add_fields_zeek_dns" - add_field => { "[zeek_cols][service]" => "dns" } - } - - } else if ([log_source] == "dpd") { - ############################################################################################################################# - # dpd.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_dpd_fields" - rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" } - } - - } else { - dissect { - id => "dissect_zeek_dpd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_dpd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_dpd" - init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]" - code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_lowercase_zeek_dpd_service" - lowercase => [ "[zeek_cols][service]" ] } - - # normalize service string(s) - if ([zeek_cols][service] =~ /^spicy_/) { - # if it's coming from spicy, we don't care to have that in the service name - mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_prefix" - gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } - - # some spicy services are named like blah_udp or blah_tcp, - # and we don't care about the _udp/_tcp suffix - mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix" - gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] } - } - - } else if ([log_source] == "enip") { - ############################################################################################################################# - # enip.log - # https://github.com/cisagov/ICSNPP - # - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_enip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_enip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_enip" - init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" - code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_enip" - add_field => { "[zeek_cols][service]" => "enip" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_registers") { - ############################################################################################################################# - # ecat_registers.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_registers_fields" - rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } - rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } - rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } - rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" } - rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" } - rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_registers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_registers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_registers" - init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_registers" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_log_address") { - ############################################################################################################################# - # ecat_log_address.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_log_address_fields" - rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } - rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } - rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" } - rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" } - rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_log_address" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_log_address" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_log_address" - init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_log_address" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_dev_info") { - ############################################################################################################################# - # ecat_dev_info.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_dev_info_fields" - rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_dev_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_dev_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_dev_info" - init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_dev_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_aoe_info") { - ############################################################################################################################# - # ecat_aoe_info.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_aoe_info_fields" - rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" } - rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" } - rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" } - rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" } - rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" } - rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_aoe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_aoe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_aoe_info" - init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_aoe_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_coe_info") { - ############################################################################################################################# - # ecat_coe_info.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_coe_info_fields" - rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_coe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_coe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_coe_info" - init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_coe_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_foe_info") { - ############################################################################################################################# - # ecat_foe_info.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_foe_info_fields" - rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_foe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_foe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_foe_info" - init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_foe_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_soe_info") { - ############################################################################################################################# - # ecat_soe_info.log - # https://github.com/cisagov/icsnpp-ethercat - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_soe_info_fields" - rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } - rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_soe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_soe_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_soe_info" - init => "@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_soe_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ecat_arp_info") { - ############################################################################################################################# - # ecat_arp_info.log - # https://github.com/cisagov/icsnpp-ethercat - # - # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and - # not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ecat_arp_info_fields" - rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" } - rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" } - rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" } - rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" } - rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" } - rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" } - } - - } else { - dissect { - id => "dissect_zeek_ecat_arp_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ecat_arp_info" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ecat_arp_info" - init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]" - code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ecat_arp_info" - add_field => { - "[zeek_cols][service]" => "ethercat" - } - } - - # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary? - - } else if ([log_source] == "files") { - ############################################################################################################################# - # files.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_v51_files_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_files" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_files" - init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]" - code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)" - } - } - if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') { - mutate { id => "mutate_split_zeek_files_conn_uids" - split => { "[zeek_cols][conn_uids]" => "," } } - } - if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') { - mutate { id => "mutate_split_zeek_files_tx_hosts" - split => { "[zeek_cols][tx_hosts]" => "," } } - } - if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') { - mutate { id => "mutate_split_zeek_files_rx_hosts" - split => { "[zeek_cols][rx_hosts]" => "," } } - } - mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers" - split => { "[zeek_cols][parent_fuid]" => "," - "[zeek_cols][analyzers]" => "," } } - } - - if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) { - mutate { - id => "mutate_add_field_zeek_files_conn_uids_to_uid" - add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}" - "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" } - } - } else if (![zeek_cols][uid]) { - mutate { - id => "mutate_add_fields_zeek_files_fuid_to_uid" - add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" } - } - } - - if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) { - mutate { id => "mutate_add_field_zeek_tx_hosts" - add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } } - } - - if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) { - mutate { id => "mutate_add_field_zeek_rx_hosts" - add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } } - } - - - } else if ([log_source] == "ftp") { - ############################################################################################################################# - # ftp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ftp" - init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]" - code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ftp" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ftp" - } - } - - } else if ([log_source] == "ge_srtp") { - ############################################################################################################################# - # ge_srtp_general.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ge_srtp_log" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ge_srtp_log" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ge_srtp_log" - init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]" - code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_remove_field_ge_srtp_proto" - remove_field => [ "[zeek_cols][proto]" ] } - mutate { - id => "mutate_add_fields_zeek_ge_srtp_log" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ge_srtp" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "genisys") { - ############################################################################################################################# - # genisys.log - # https://github.com/cisagov/icsnpp-genisys - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_genisys_fields" - rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" } - } - - } else { - dissect { - id => "dissect_zeek_genisys" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_genisys" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_genisys" - init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]" - code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_genisys" - add_field => { - "[zeek_cols][service]" => "genisys" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "gquic") { - ############################################################################################################################# - # gquic.log - # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_gquic" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_gquic" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_gquic" - init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]" - code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_gquic" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "quic" - } - } - - } else if ([log_source] == "hart_ip_common_commands") { - ############################################################################################################################# - # hart_ip_common_commands.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_common_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} %{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} %{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} %{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} %{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} %{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip_common_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip_common_commands" - init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip_common_commands" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - # The other fields are basically just placeholders we don't want to store the raw data for. - mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto" - remove_field => [ "[zeek_cols][proto]", - "[zeek][hart_ip][token_passing_pdu_contents_data_data]", - "[zeek][hart_ip][message_packet_bytes]", - "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] } - - - } else if ([log_source] == "hart_ip_direct_pdu_command") { - ############################################################################################################################# - # hart_ip_direct_pdu_command.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_direct_pdu_command" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip_direct_pdu_command" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip_direct_pdu_command" - init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - - } else if ([log_source] == "hart_ip") { - ############################################################################################################################# - # hart_ip.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} %{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip" - init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - - } else if ([log_source] == "hart_ip_session_record") { - ############################################################################################################################# - # hart_ip_session_record.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_session_record" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip_session_record" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip_session_record" - init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip_session_record" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - - } else if ([log_source] == "hart_ip_universal_commands") { - ############################################################################################################################# - # hart_ip_universal_commands.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_universal_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} %{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip_universal_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip_universal_commands" - init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip_universal_commands" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - - } else if ([log_source] == "http") { - ############################################################################################################################# - # http.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_http_fields" - rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } - } - - } else { - dissect { - id => "dissect_zeek_http_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_http" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_http" - init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]" - code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_http_commas" - split => { "[zeek_cols][client_header_names]" => "," - "[zeek_cols][orig_filenames]" => "," - "[zeek_cols][orig_fuids]" => "," - "[zeek_cols][orig_mime_types]" => "," - "[zeek_cols][proxied]" => "," - "[zeek_cols][resp_filenames]" => "," - "[zeek_cols][resp_fuids]" => "," - "[zeek_cols][resp_mime_types]" => "," - "[zeek_cols][server_header_names]" => "," - "[zeek_cols][tags]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_http" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "http" - } - } - - } else if ([log_source] == "intel") { - ############################################################################################################################# - # intel.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_intel_fields" - rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" } - rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" } - rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" } - rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" } - rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" } - rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" } - rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" } - } - - } else { - dissect { - id => "dissect_zeek_intel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_intel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_intel" - init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]" - code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_intel_commas" - split => { "[zeek_cols][sources]" => "," - "[zeek_cols][matched]" => "," } } - } - - # For some reason, even in JSON, I have cif_tags strings like: - # Network activity,osint:source-type=\"block-or-filter-list\" - # so whatever reason it's not already an array. Split it here. - mutate { id => "mutate_split_zeek_intel_cif_tags" - split => { "[zeek_cols][cif_tags]" => "," } } - - } else if ([log_source] == "ipsec") { - ############################################################################################################################# - # ipsec.log - # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ipsec" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ipsec" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ipsec" - init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]" - code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ipsec_commas" - split => { "[zeek_cols][vendor_ids]" => "," - "[zeek_cols][notify_messages]" => "," - "[zeek_cols][transforms]" => "," - "[zeek_cols][ke_dh_groups]" => "," - "[zeek_cols][proposals]" => "," - "[zeek_cols][certificates]" => "," - "[zeek_cols][transform_attributes]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ipsec" - add_field => { - "[zeek_cols][service]" => "ipsec" - } - } - - } else if ([log_source] == "irc") { - ############################################################################################################################# - # irc.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_irc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_irc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_irc" - init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]" - code => "event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_irc" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "irc" - } - } - - } else if ([log_source] == "cotp") { - ############################################################################################################################# - # cotp.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_cotp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_cotp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_cotp" - init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]" - code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_cotp" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "cotp" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "ja4ssh") { - ############################################################################################################################# - # ja4ssh.log - # https://github.com/FoxIO-LLC/ja4 - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ja4ssh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ja4ssh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ja4ssh" - init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]" - code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ja4ssh" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ssh" - } - } - - } else if ([log_source] == "kerberos") { - ############################################################################################################################# - # kerberos.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_kerberos_fields" - rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" } - rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" } - } - - } else { - dissect { - id => "dissect_zeek_kerberos" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} %{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_kerberos" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_kerberos" - init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]" - code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_kerberos_commas" - split => { "[zeek_cols][client_cert_fuid]" => "," - "[zeek_cols][server_cert_fuid]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_krb5" - add_field => { "[zeek_cols][service]" => "krb" } - } - - } else if ([log_source] == "known_certs") { - ############################################################################################################################# - # known_certs.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_known_certs_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" } - } - - } else { - dissect { - id => "dissect_zeek_known_certs" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_known_certs" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_known_certs" - init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]" - code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_known_certs" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tls" - } - } - - } else if ([log_source] == "known_hosts") { - ############################################################################################################################# - # known_hosts.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_known_hosts_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } - } - - } else { - dissect { - id => "dissect_zeek_known_hosts" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_known_hosts" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_known_hosts" - init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]" - code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "known_modbus") { - ############################################################################################################################# - # known_modbus.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_known_modbus_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } - } - - } else { - dissect { - id => "dissect_zeek_known_modbus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_known_modbus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_known_modbus" - init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]" - code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_gsub_zeek_known_modbus_device_type" - gsub => [ "[zeek_cols][device_type]", "Known::", "" ] } - - mutate { id => "mutate_gsub_zeek_known_modbus_master" - gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] } - - mutate { id => "mutate_gsub_zeek_known_modbus_slave" - gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] } - - mutate { id => "mutate_add_tag_ics_known_modbus_log" - add_tag => [ "ics" ] } - - } else if ([log_source] == "known_routers") { - ############################################################################################################################# - # known_routers.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_known_routers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_known_routers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_known_routers" - init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]" - code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "known_services") { - ############################################################################################################################# - # known_services.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_known_services_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" } - rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" } - rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" } - } - - } else { - dissect { - id => "dissect_zeek_known_services" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_known_services" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_known_services" - init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]" - code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_lowercase_zeek_known_services_service" - lowercase => [ "[zeek_cols][service]" ] } - - # normalize service string(s) - - # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix - mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix" - gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } - - if ([zeek_cols][service] =~ /^spicy_/) { - # if it's coming from spicy, we don't care to have that in the service name - mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix" - gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } - - # some spicy services are named like blah_udp or blah_tcp, - # and we don't care about the _udp/_tcp suffix - mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix" - gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } - - } - - } else if ([log_source] == "ldap") { - ############################################################################################################################# - # ldap.log - # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ldap_fields" - rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" } - rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" } - rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" } - rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } - rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } - rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } - rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" } - } - - } else { - dissect { - id => "dissect_zeek_ldap" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ldap" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ldap" - init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]" - code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ldap" - add_field => { - "[zeek_cols][service]" => "ldap" - } - - } - - } else if ([log_source] == "ldap_search") { - ############################################################################################################################# - # ldap_search.log - # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ldap_search_fields" - rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" } - rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" } - rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" } - rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } - rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } - rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } - rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" } - } - - } else { - dissect { - id => "dissect_zeek_ldap_search" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ldap_search" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ldap_search" - init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]" - code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ldap_search" - add_field => { - "[zeek_cols][service]" => "ldap" - } - - } - - } else if ([log_source] == "login") { - ############################################################################################################################# - # login.log - # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_login" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_login" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_login" - init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]" - code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "modbus") { - ############################################################################################################################# - # modbus.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_modbus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus" - init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]" - code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_modbus" - add_field => { "[zeek_cols][service]" => "modbus" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "modbus_detailed") { - ############################################################################################################################# - # modbus_detailed.log - # main.zeek (https://github.com/cisagov/icsnpp-modbus) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_modbus_detailed_fields" - rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } - rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } - rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } - } - - } else { - dissect { - id => "dissect_zeek_modbus_detailed" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_detailed" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_detailed" - init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]" - code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_modbus_detailed_values" - split => { "[zeek_cols][values]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_modbus_detailed" - add_field => { - "[zeek_cols][service]" => "modbus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "modbus_mask_write_register") { - ############################################################################################################################# - # modbus_mask_write_register.log - # main.zeek (https://github.com/cisagov/icsnpp-modbus) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_modbus_mask_write_register_fields" - rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } - rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } - rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } - } - - } else { - dissect { - id => "dissect_zeek_modbus_mask_write_register" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_mask_write_register" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_mask_write_register" - init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]" - code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_modbus_mask_write_register" - add_field => { - "[zeek_cols][service]" => "modbus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "modbus_read_device_identification") { - ############################################################################################################################# - # modbus_read_device_identification.log - # main.zeek (https://github.com/cisagov/icsnpp-modbus) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_modbus_read_device_identification_fields" - rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } - rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } - rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } - } - - } else { - dissect { - id => "dissect_zeek_modbus_read_device_identification" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_read_device_identification" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_read_device_identification" - init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]" - code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_modbus_read_device_identification" - add_field => { - "[zeek_cols][service]" => "modbus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "modbus_read_write_multiple_registers") { - ############################################################################################################################# - # modbus_read_write_multiple_registers.log - # main.zeek (https://github.com/cisagov/icsnpp-modbus) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields" - rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } - rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } - rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } - } - - } else { - dissect { - id => "dissect_zeek_modbus_read_write_multiple_registers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_read_write_multiple_registers" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_read_write_multiple_registers" - init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]" - code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas" - split => { "[zeek_cols][read_registers]" => "," - "[zeek_cols][write_registers]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers" - add_field => { - "[zeek_cols][service]" => "modbus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "mqtt_connect") { - ############################################################################################################################# - # mqtt_connect.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_mqtt_connect" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mqtt_connect" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mqtt_connect" - init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]" - code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_mqtt_connect" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "mqtt" - } - } - - } else if ([log_source] == "mqtt_publish") { - ############################################################################################################################# - # mqtt_publish.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_mqtt_publish" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mqtt_publish" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mqtt_publish" - init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]" - code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_mqtt_publish" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "mqtt" - } - } - - } else if ([log_source] == "mqtt_subscribe") { - ############################################################################################################################# - # mqtt_subscribe.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_mqtt_subscribe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mqtt_subscribe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mqtt_subscribe" - init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]" - code => "event.set('[zeek_cols]', @zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_mqtt_subscribe_commas" - split => { "[zeek_cols][topics]" => "," - "[zeek_cols][qos_levels]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_mqtt_subscribe" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "mqtt" - } - } - - mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action" - gsub => [ "[zeek_cols][action]", "MQTT::", "" ] } - - } else if ([log_source] == "mysql") { - ############################################################################################################################# - # mysql.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_mysql" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mysql" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mysql" - init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]" - code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_mysql" - add_field => { "[zeek_cols][service]" => "mysql" } - } - - } else if ([log_source] == "notice") { - ############################################################################################################################# - # notice.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_notice_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_notice" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_notice" - init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]" - code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_notice_actions" - split => { "[zeek_cols][actions]" => "," } } - } - - if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or - ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) { - mutate { id => "mutate_replace_zeek_notice_orig_h" - replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } } - } - if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or - ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) { - mutate { id => "mutate_replace_zeek_notice_resp_h" - replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } } - } - if [zeek_cols][p] and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or - ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) { - mutate { id => "mutate_replace_zeek_resp_p" - replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } } - } - - } else if ([log_source] == "ntlm") { - ############################################################################################################################# - # ntlm.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ntlm_fields" - rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" } - rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" } - rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" } - rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" } - rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" } - rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } - } - - } else { - dissect { - id => "dissect_zeek_ntlm_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ntlm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ntlm" - init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer', 'server_dns_computer', 'server_tree', 'success' ]" - code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ntlm" - add_field => { "[zeek_cols][service]" => "ntlm" } - } - - } else if ([log_source] == "ntp") { - ############################################################################################################################# - # ntp.log - # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ntp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ntp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ntp" - init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]" - code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ntp" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "ntp" - } - } - - } else if ([log_source] == "ocsp") { - ############################################################################################################################# - # ocsp.log - # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ocsp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ocsp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - - ruby { - id => "ruby_zip_zeek_ocsp" - init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]" - code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_fields_zeek_service_ocsp" - add_field => { "[zeek_cols][service]" => "X.509" } } - - } else if ([log_source] == "ospf") { - ############################################################################################################################# - # ospf.log - # https://github.com/corelight/zeek-spicy-ospf - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ospf_fields" - rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" } - } - - } else { - dissect { - id => "dissect_zeek_ospf" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ospf" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - - ruby { - id => "ruby_zip_zeek_ospf" - init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]" - code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ospf_commas" - split => { "[zeek_cols][neighbors]" => "," - "[zeek_cols][routers]" => "," - "[zeek_cols][metrics]" => "," - "[zeek_cols][fwd_addrs]" => "," - "[zeek_cols][route_tags]" => "," - "[zeek_cols][link_prefixes]" => "," - "[zeek_cols][intra_prefixes]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ospf" - add_field => { - "[zeek_cols][proto]" => "ospf" - "[zeek_cols][service]" => "ospf" - } - } - - } else if ([log_source] == "pe") { - ############################################################################################################################# - # pe.log - # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_pe_fields" - rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" } - } - - } else { - dissect { - id => "dissect_zeek_pe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_pe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_pe" - init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]" - code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_pe_section_names" - split => { "[zeek_cols][section_names]" => "," } } - } - - } else if ([log_source] == "profinet") { - ############################################################################################################################# - # profinet.log - # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_profinet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_profinet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_profinet" - init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]" - code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_profinet" - add_field => { "[zeek_cols][service]" => "profinet" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "profinet_dce_rpc") { - ############################################################################################################################# - # profinet_dce_rpc.log - # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_profinet_dce_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_profinet_dce_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_profinet_dce_rpc" - init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]" - code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_profinet_dce_rpc" - add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "profinet_io_cm") { - ############################################################################################################################# - # profinet_io_cm.log - # https://github.com/cisagov/icsnpp-profinet-io-cm - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_profinet_io_cm_fields" - rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" } - rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" } - } - - } else { - dissect { - id => "dissect_zeek_profinet_io_cm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_profinet_io_cm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_profinet_io_cm" - init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]" - code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_profinet_io_cm_commas" - split => { "[zeek_cols][sel_ack]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_profinet_io_cm" - add_field => { - "[zeek_cols][proto]" => "udp" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "radius") { - ############################################################################################################################# - # radius.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_radius_fields" - rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } - } - - } else { - dissect { - id => "dissect_zeek_radius" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_radius" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_radius" - init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]" - code => "event.set('[zeek_cols]', @zeek_radius_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_radius" - add_field => { "[zeek_cols][service]" => "radius" } - } - - } else if ([log_source] == "rdp") { - ############################################################################################################################# - # rdp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_rdp_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_rdp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_rdp" - init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" - code => "event.set('[zeek_cols]', @zeek_rdp_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_rdp_client_channels" - split => { "[zeek_cols][client_channels]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_rdp" - add_field => { "[zeek_cols][service]" => "rdp" } - } - - # remove RDP prefix from client_build (version) - mutate { id => "mutate_gsub_field_zeek_rdp_client_build" - gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] } - - } else if ([log_source] == "rfb") { - ############################################################################################################################# - # rfb.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_rfb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_rfb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_rfb" - init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]" - code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_rfb" - add_field => { "[zeek_cols][service]" => "rfb" } - } - - } else if ([log_source] == "s7comm") { - ############################################################################################################################# - # s7comm.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm" - init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_plus") { - ############################################################################################################################# - # s7comm_plus.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm_plus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_plus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_plus" - init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_plus" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm_plus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_read_szl") { - ############################################################################################################################# - # s7comm_read_szl.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm_read_szl" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_read_szl" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_read_szl" - init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_read_szl" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_upload_download") { - ############################################################################################################################# - # s7comm_upload_download.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_s7comm_upload_download_fields" - rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" } - } - - } else { - dissect { - id => "dissect_zeek_s7comm_upload_download" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_upload_download" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_upload_download" - init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_upload_download" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "signatures") { - ############################################################################################################################# - # signatures.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_signatures" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_signatures" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_signatures" - init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]" - code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)" - } - } - if ("_carved" in [tags]) { - # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it: - # - _carved signature logs' sub_message contains fuid(s) comma-separated - mutate { id => "mutate_split_zeek_signatures_sub_message" - split => { "[zeek_cols][sub_message]" => "," } } - } - } - - } else if ([log_source] == "sip") { - ############################################################################################################################# - # sip.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_sip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} %{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_sip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_sip" - init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]" - code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_sip_commas" - split => { "[zeek_cols][request_path]" => "," - "[zeek_cols][response_path]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_sip" - add_field => { "[zeek_cols][service]" => "sip" } - } - - } else if ([log_source] == "smb_cmd") { - ############################################################################################################################# - # smb_cmd.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo - # - # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be - # merged up as its own top-level entity so I don't have to duplicate the parsing effort below - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields" - rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" } - rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" } - rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" } - rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" } - } - - } else { - dissect { - id => "dissect_zeek_smb_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smb_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_cmd" - init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]" - code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_cmd" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - # remove SMB prefix from version - mutate { id => "mutate_gsub_field_zeek_smb_cmd_version" - gsub => [ "[zeek_cols][version]", "^SMB", "" ] } - - mutate { id => "mutate_gsub_zeek_smb_cmd_command" - gsub => [ "[zeek_cols][command]", "^SMB::", "" ] } - - } else if ([log_source] == "smb_files") { - ############################################################################################################################# - # smb_files.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smb_files_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smb_files" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_files" - init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]" - code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_files" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - mutate { id => "mutate_gsub_zeek_smb_files_action" - gsub => [ "[zeek_cols][action]", "^SMB::", "" ] } - - } else if ([log_source] == "smb_mapping") { - ############################################################################################################################# - # smb_mapping.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smb_mapping" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smb_mapping" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_mapping" - init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]" - code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_mapping" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - } else if ([log_source] == "smtp") { - ############################################################################################################################# - # smtp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smtp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smtp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smtp" - init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]" - code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_smtp_commas" - split => { "[zeek_cols][rcptto]" => "," - "[zeek_cols][to]" => "," - "[zeek_cols][cc]" => "," - "[zeek_cols][path]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_smtp" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smtp" - } - } - - } else if ([log_source] == "snmp") { - ############################################################################################################################# - # snmp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_snmp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_snmp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_snmp" - init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]" - code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_snmp" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "snmp" - } - } - - } else if ([log_source] == "socks") { - ############################################################################################################################# - # socks.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_socks" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_socks" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_socks" - init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]" - code => "event.set('[zeek_cols]', @zeek_socks_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_socks" - add_field => { "[zeek_cols][service]" => "socks" } - } - - } else if ([log_source] == "software") { - ############################################################################################################################# - # software.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_software_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" } - rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" } - rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" } - rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" } - rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" } - } - - } else { - dissect { - id => "dissect_zeek_software" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_software" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_software" - init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]" - code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "wireguard") { - ############################################################################################################################# - # wireguard.log - # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_wireguard" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_wireguard" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_wireguard" - init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]" - code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_gsub_zeek_wireguard_packet_type" - gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] } - - mutate { - id => "mutate_add_field_zeek_service_wireguard" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "wireguard" - } - } - - } else if ([log_source] == "ssh") { - ############################################################################################################################# - # ssh.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ssh_fields" - rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" } - } - - } else { - dissect { - id => "dissect_zeek_ssh_with_all_fields_with_hassh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} %{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ssh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ssh" - init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]" - code => "event.set('[zeek_cols]', @zeek_ssh_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ssh_commas" - split => { "[zeek_cols][hasshAlgorithms]" => "," - "[zeek_cols][hasshServerAlgorithms]" => "," - "[zeek_cols][cshka]" => "," - "[zeek_cols][sshka]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ssh" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ssh" - } - } - - } else if ([log_source] == "ssl") { - ############################################################################################################################# - # ssl.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ssl_fields" - rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" } - } - - } else { - dissect { - id => "dissect_zeek_ssl_v1_with_ja4" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ssl" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ssl" - init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]" - code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ssl_commas" - split => { "[zeek_cols][cert_chain_fuids]" => "," - "[zeek_cols][client_cert_chain_fuids]" => "," - "[zeek_cols][cert_chain_fps]" => "," - "[zeek_cols][client_cert_chain_fps]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ssl" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tls" - } - } - - } else if ([log_source] == "stun") { - ############################################################################################################################# - # stun.log - # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_stun_fields" - rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" } - rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" } - } - - } else { - dissect { - id => "dissect_zeek_stun" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_stun" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_stun" - init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 'method', 'class', 'attr_type', 'attr_val' ]" - code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_field_zeek_stun_commas" - split => { "[zeek_cols][attr_type]" => "," - "[zeek_cols][attr_val]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_stun" - add_field => { - "[zeek_cols][service]" => "stun" - } - } - - } else if ([log_source] == "stun_nat") { - ############################################################################################################################# - # stun.log - # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_stun_nat_fields" - rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" } - rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" } - rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" } - } - - } else { - dissect { - id => "dissect_zeek_stun_nat" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_stun_nat" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_stun_nat" - init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]" - code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_field_zeek_stun_nat_commas" - split => { "[zeek_cols][wan_addrs]" => "," - "[zeek_cols][wan_ports]" => "," - "[zeek_cols][lan_addrs]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_stun_nat" - add_field => { - "[zeek_cols][service]" => "stun" - } - } - - } else if ([log_source] == "synchrophasor") { - ############################################################################################################################# - # synchrophasor.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor" - init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - - } else if ([log_source] == "synchrophasor_cmd") { - ############################################################################################################################# - # synchrophasor_cmd.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cmd" - init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cmd" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_cfg") { - ############################################################################################################################# - # synchrophasor_cfg.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cfg" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cfg" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cfg" - init => "@zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cfg" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_cfg_detail") { - ############################################################################################################################# - # synchrophasor_cfg_detail.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cfg_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cfg_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cfg_detail" - init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cfg_detail" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_data") { - ############################################################################################################################# - # synchrophasor_data.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_data" - init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_data" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_data_detail") { - ############################################################################################################################# - # synchrophasor_data_detail.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_data_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_data_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_data_detail" - init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_data_detail" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_hdr") { - ############################################################################################################################# - # synchrophasor_hdr.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_hdr" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_hdr" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_hdr" - init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_hdr" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "syslog") { - ############################################################################################################################# - # syslog.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_syslog" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_syslog" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_syslog" - init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]" - code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_syslog" - add_field => { "[zeek_cols][service]" => "syslog" } - } - - } else if ([log_source] == "tds") { - ############################################################################################################################# - # tds.log - # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_tds" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tds" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tds" - init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]" - code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_tds" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tds" - } - } - - } else if ([log_source] == "tds_rpc") { - ############################################################################################################################# - # tds_rpc.log - # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_tds_rpc_fields" - rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" } - } - - } else { - dissect { - id => "dissect_zeek_tds_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tds_rpc" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tds_rpc" - init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]" - code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_tds_rpc" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tds" - } - } - - } else if ([log_source] == "tds_sql_batch") { - ############################################################################################################################# - # tds_sql_batch.log - # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_tds_sql_batch" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tds_sql_batch" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tds_sql_batch" - init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]" - code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_tds_sql_batch" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tds" - } - } - - } else if ([log_source] == "tftp") { - ############################################################################################################################# - # tftp.log - # https://github.com/zeek/spicy-tftp - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_tftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tftp" - init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]" - code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_tftp" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "tftp" - } - } - - } else if ([log_source] == "tunnel") { - ############################################################################################################################# - # tunnel.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_tunnel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tunnel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tunnel" - init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]" - code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_gsub_zeek_tunnel_action" - gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] } - - mutate { id => "mutate_gsub_zeek_tunnel_type" - gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] } - - mutate { - id => "mutate_add_fields_zeek_tunnel" - add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" } - } - - mutate { id => "mutate_lowercase_zeek_tunnel_service" - lowercase => [ "[zeek_cols][service]" ] } - - } else if ([log_source] == "weird") { - ############################################################################################################################# - # weird.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_weird" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_weird" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_weird" - init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]" - code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "x509") { - ############################################################################################################################# - # x509.log - # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_x509_fields" - rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" } - rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" } - rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" } - rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" } - rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" } - rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" } - rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" } - rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" } - rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" } - rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" } - rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" } - rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" } - rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" } - rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" } - rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" } - rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" } - rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" } - rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" } - } - - } else { - dissect { - id => "dissect_zeek_x509_v1" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_x509" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_x509" - init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]" - code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_x509_san_ip" - split => { "[zeek_cols][san_ip]" => "," - "[zeek_cols][fingerprint]" => "," } } - } - - mutate { id => "mutate_add_fields_zeek_x509" - add_field => { "[zeek_cols][service]" => "X.509" } } - - } else if ([log_source] =~ /^opcua_binary/) { - - if ([log_source] == "opcua_binary") { - ############################################################################################################################# - # opcua_binary.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary" - init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_activate_session") { - ############################################################################################################################# - # opcua_binary_activate_session.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_activate_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_activate_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_activate_session" - init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_activate_session" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") { - ############################################################################################################################# - # opcua_binary_activate_session_client_software_cert.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_activate_session_client_software_cert" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert" - init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_activate_session_locale_id") { - ############################################################################################################################# - # opcua_binary_activate_session_locale_id.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_activate_session_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_activate_session_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id" - init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_aggregate_filter") { - ############################################################################################################################# - # opcua_binary_aggregate_filter.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_aggregate_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_aggregate_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_aggregate_filter" - init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_attribute_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_attribute_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand" - init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") { - ############################################################################################################################# - # opcua_binary_event_filter_attribute_operand_browse_paths.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" - init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_browse") { - ############################################################################################################################# - # opcua_binary_browse.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_browse" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse" - init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_browse_description") { - ############################################################################################################################# - # opcua_binary_browse_description.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_browse_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse_description" - init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse_description" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_browse_response_references") { - ############################################################################################################################# - # opcua_binary_browse_response_references.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_browse_response_references" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse_response_references" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse_response_references" - init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse_response_references" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_browse_request_continuation_point") { - ############################################################################################################################# - # opcua_binary_browse_request_continuation_point.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_browse_request_continuation_point" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point" - init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_browse_result") { - ############################################################################################################################# - # opcua_binary_browse_result.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_browse_result" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse_result" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse_result" - init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse_result" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_close_session") { - ############################################################################################################################# - # opcua_binary_close_session.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_close_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_close_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_close_session" - init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_close_session" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_where_clause") { - ############################################################################################################################# - # opcua_binary_event_filter_where_clause.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_where_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_where_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause" - init => "@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") { - ############################################################################################################################# - # opcua_binary_event_filter_where_clause_elements.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements" - init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_monitored_items") { - ############################################################################################################################# - # opcua_binary_create_monitored_items.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_monitored_items" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_monitored_items" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_monitored_items" - init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_monitored_items_create_item") { - ############################################################################################################################# - # opcua_binary_create_monitored_items_create_item.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_monitored_items_create_item" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} %{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item" - init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session") { - ############################################################################################################################# - # opcua_binary_create_session.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session" - init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_discovery") { - ############################################################################################################################# - # opcua_binary_create_session_discovery.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_discovery" - init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session_discovery" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_endpoints") { - ############################################################################################################################# - # opcua_binary_create_session_endpoints.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_endpoints" - init => "@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_user_token") { - ############################################################################################################################# - # opcua_binary_create_session_user_token.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_user_token" - init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_subscription") { - ############################################################################################################################# - # opcua_binary_create_subscription.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_subscription" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_subscription" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_subscription" - init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_subscription" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_data_change_filter") { - ############################################################################################################################# - # opcua_binary_data_change_filter.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_data_change_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_data_change_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_data_change_filter" - init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_data_change_filter" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_diag_info_detail") { - ############################################################################################################################# - # opcua_binary_diag_info_detail.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_diag_info_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_diag_info_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_diag_info_detail" - init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_element_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_element_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_element_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_element_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand" - init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter") { - ############################################################################################################################# - # opcua_binary_event_filter.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter" - init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints") { - ############################################################################################################################# - # opcua_binary_get_endpoints.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints" - init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_description") { - ############################################################################################################################# - # opcua_binary_get_endpoints_description.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_description" - init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_discovery") { - ############################################################################################################################# - # opcua_binary_get_endpoints_discovery.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery" - init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") { - ############################################################################################################################# - # opcua_binary_get_endpoints_locale_id.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id" - init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") { - ############################################################################################################################# - # opcua_binary_get_endpoints_profile_uri.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri" - init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_user_token") { - ############################################################################################################################# - # opcua_binary_get_endpoints_user_token.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token" - init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_literal_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_literal_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_literal_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand" - init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_opensecure_channel") { - ############################################################################################################################# - # opcua_binary_opensecure_channel.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_opensecure_channel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_opensecure_channel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_opensecure_channel" - init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read") { - ############################################################################################################################# - # opcua_binary_read.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read" - init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read_nodes_to_read") { - ############################################################################################################################# - # opcua_binary_read_nodes_to_read.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read_nodes_to_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} %{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read_nodes_to_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read" - init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read_results") { - ############################################################################################################################# - # opcua_binary_read_results.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read_results" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read_results" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read_results" - init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read_results" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_select_clause") { - ############################################################################################################################# - # opcua_binary_event_filter_select_clause.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_select_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_select_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause" - init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_simple_attribute_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand" - init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") { - ############################################################################################################################# - # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_status_code_detail") { - ############################################################################################################################# - # opcua_binary_status_code_detail.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_status_code_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_status_code_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_status_code_detail" - init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_status_code_detail" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_array_dims") { - ############################################################################################################################# - # opcua_binary_variant_array_dims.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_array_dims" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_array_dims" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_array_dims" - init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_data") { - ############################################################################################################################# - # opcua_binary_variant_data.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_data" - init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_data" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_data_value") { - ############################################################################################################################# - # opcua_binary_variant_data_value.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_data_value" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_data_value" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_data_value" - init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_data_value" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_extension_object") { - ############################################################################################################################# - # opcua_binary_variant_extension_object.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_extension_object" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_extension_object" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_extension_object" - init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_metadata") { - ############################################################################################################################# - # opcua_binary_variant_metadata.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_metadata" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_metadata" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_metadata" - init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_metadata" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else { - # some other unknown zeek opcua- log file. should start with ts at least! - - if ("_jsonparsesuccess" not in [tags]) { - csv { - id => "csv_zeek_unknown_opcua" - columns => ["ts"] - - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - separator => " " - # there's no way to *disable* the csv quote char, so set it to something we'll never see - quote_char => " " - - target => "[zeek_cols]" - } - } - - mutate { id => "mutate_add_tag_zeek_unknown_opcua" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "_unknown_log_type" ] - } - - } # if / else if for opcua log types - - } else if ([log_source] == "analyzer") { - ############################################################################################################################# - # analyzer.log - # Zeek Logging analyzer confirmations and violations into analyzer.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_analyzer" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_analyzer" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_analyzer" - init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that - # the UID/FUID and IP/ports make it suitable to be searched with the network data - - } else if ([log_source] == "broker") { - ############################################################################################################################# - # broker.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_broker_fields" - rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" } - rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" } - rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" } - rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" } - rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_broker" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_broker" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_broker" - init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_broker" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "capture_loss") { - ############################################################################################################################# - # capture_loss.log - # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers. - # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_capture_loss" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_capture_loss" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_capture_loss" - init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "cluster") { - ############################################################################################################################# - # cluster.log - # Logging for establishing and controlling a cluster of Zeek instances - # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_cluster_fields" - rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_cluster" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_cluster" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_cluster" - init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_cluster" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "config") { - ############################################################################################################################# - # config.log - # Logging for Zeek configuration changes - # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_config" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_config" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_config" - init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_config" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "packet_filter") { - ############################################################################################################################# - # packet_filter.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_packet_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_packet_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_packet_filter" - init => "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "print") { - ############################################################################################################################# - # print.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_print" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_print" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_print" - init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "split_zeek_diagnostic_print_vals" - split => { "[zeek_cols][vals]" => "," } } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_print" - add_tag => [ "_zeekdiagnostic" ] } - - - } else if ([log_source] == "reporter") { - ############################################################################################################################# - # reporter.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_reporter_fields" - rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_reporter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} %{[zeek_cols][location]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_reporter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_reporter" - init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_reporter" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "stats") { - ############################################################################################################################# - # stats.log - # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_stats" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_stats" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_stats" - init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_stats" - add_tag => [ "_zeekdiagnostic" ] } - - } else { - - if ("_jsonparsesuccess" not in [tags]) { - # some other unknown zeek log file. should start with ts at least! - csv { - id => "csv_zeek_unknown" - columns => ["ts"] - - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - separator => " " - # there's no way to *disable* the csv quote char, so set it to something we'll never see - quote_char => " " - - target => "[zeek_cols]" - } - } - - mutate { id => "mutate_add_tag_zeek_unknown" - add_tag => [ "_unknown_log_type" ] } - - } # if / else if for source type (conn.log, dns.log, etc.) - -} # end Filter diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/1200_zeek_mutate.conf similarity index 99% rename from logstash/pipelines/zeek/12_zeek_mutate.conf rename to logstash/pipelines/zeek/1200_zeek_mutate.conf index 182adb633..434e62eae 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/1200_zeek_mutate.conf @@ -1937,7 +1937,7 @@ filter { } } - # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 13_zeek_normalize.conf because + # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 1300_zeek_normalize.conf because # this would have already been done as a root-level fuid array in the main "rename" above if we # had not had to move it up a level just now) if ([zeek][smb_files][uid]) { diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf similarity index 99% rename from logstash/pipelines/zeek/13_zeek_normalize.conf rename to logstash/pipelines/zeek/1300_zeek_normalize.conf index 9774603f8..c4b77e920 100644 --- a/logstash/pipelines/zeek/13_zeek_normalize.conf +++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf @@ -1262,7 +1262,7 @@ filter { # FUIDs ############################################################################################################# # collect all other FUIDs under parent [zeek][fuid] array (some were already done at the root level in - # the "rename" in 12_zeek_mutate.conf) + # the "rename" in 1200_zeek_mutate.conf) if ([zeek][files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid" merge => { "[zeek][fuid]" => "[zeek][files][parent_fuid]" } } } diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/1400_zeek_convert.conf similarity index 100% rename from logstash/pipelines/zeek/14_zeek_convert.conf rename to logstash/pipelines/zeek/1400_zeek_convert.conf diff --git a/logstash/pipelines/zeek/19_severity.conf b/logstash/pipelines/zeek/1900_severity.conf similarity index 100% rename from logstash/pipelines/zeek/19_severity.conf rename to logstash/pipelines/zeek/1900_severity.conf diff --git a/logstash/pipelines/zeek/99_zeek_forward.conf b/logstash/pipelines/zeek/9900_zeek_forward.conf similarity index 100% rename from logstash/pipelines/zeek/99_zeek_forward.conf rename to logstash/pipelines/zeek/9900_zeek_forward.conf diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index 35df19c66..d752f5fc3 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh @@ -123,6 +123,11 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_PRIMARY_DATASTORE_TYPE_/${OPENSEARCH_PRIMARY_TYPE}/g" "{}" \; 2>/dev/null find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_SECONDARY_DATASTORE_TYPE_/${OPENSEARCH_SECONDARY_TYPE}/g" "{}" \; 2>/dev/null +# make sure that the delimiter for zeek TSV parsing is set correctly in that pipeline (i.e., spaces to tabs) +if [[ -d "$PIPELINES_DIR"/zeek ]]; then + sed -i -E 's/(split\s*=>\s*\{\s*"\[message\]"\s*=>\s*"\s*)\s+("\s*\})/\1\t\2/g' "$PIPELINES_DIR"/zeek/*.conf + sed -i -E 's/\s\s*(%\{\[zeek_cols\]\[)/\t\1/g' "$PIPELINES_DIR"/zeek/*.conf +fi # import trusted CA certificates if necessary /usr/local/bin/jdk-cacerts-auto-import.sh || true diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py index d93323d77..4f6a9f5a5 100755 --- a/scripts/zeek_script_to_malcolm_boilerplate.py +++ b/scripts/zeek_script_to_malcolm_boilerplate.py @@ -10,13 +10,12 @@ # The scripts are parsed into their constitutent records and &log fields. # # Each record is then printed out in the formats used by Malcolm for parsing and defining Zeek logs: -# - Logstash (https://idaholab.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/11_zeek_parse.conf +# - Logstash (https://idaholab.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/1001_zeek_parse.conf # - Arkime (https://idaholab.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./arkime/etc/config.ini # - OpenSearch tndex templates (https://idaholab.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./dashboards/templates/composable/component/zeek*.json # -# For Logstash boilerplate, pay close attention to the comment in the logstash filter: -# # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP -# If you are copy/pasting, ensure your editor doesn't lose the TAB characters. +# The logstash/scripts/logstash-start.sh container startup script should automatically fix any issues +# with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs) # import argparse @@ -490,7 +489,6 @@ def main(): f' if ("_jsonparsesuccess" not in [tags]) {{', f' dissect {{', f' id => "dissect_zeek_{rName}"', - f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP", f' mapping => {{', f' "[message]" => "{rFieldsDissect}"', f' }}', @@ -499,7 +497,6 @@ def main(): f' if ("_dissectfailure" in [tags]) {{', f' mutate {{', f' id => "mutate_split_zeek_{rName}"', - f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP", f' split => {{ "[message]" => "{ZEEK_DELIMITER_CHAR}" }}', f' }}', f' ruby {{', diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py index 2ab20dadd..8eeb9b69f 100755 --- a/shared/bin/zeek_carve_logger.py +++ b/shared/bin/zeek_carve_logger.py @@ -155,7 +155,7 @@ def main(): broSigLogSpec = args.broSigLogSpec if broSigLogSpec is not None: if os.path.isdir(broSigLogSpec): - # _carved tag will be recognized by 12_zeek_mutate.conf in logstash + # _carved tag will be recognized by 1200_zeek_mutate.conf in logstash broSigLogSpec = os.path.join(broSigLogSpec, "signatures(_carved).log") else: # make sure path to write to zeek signatures log file exists before we start writing @@ -265,9 +265,9 @@ def main(): note=ZEEK_SIGNATURE_NOTICE, signature_id=scanResult[FILE_SCAN_RESULT_MESSAGE], event_message=scanResult[FILE_SCAN_RESULT_DESCRIPTION], - sub_message=fileSpecFields.fid - if fileSpecFields.fid is not None - else os.path.basename(fileName), + sub_message=( + fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileName) + ), signature_count=scanResult[FILE_SCAN_RESULT_HITS], host_count=scanResult[FILE_SCAN_RESULT_ENGINES], ) @@ -321,7 +321,9 @@ def main(): else: # delete the file os.remove(fileName) - logging.debug(f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})") + logging.debug( + f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})" + ) # graceful shutdown logging.info(f"{scriptName}: shutting down...") From 5040313f9f679428e0498b379bdc7c86ff7371b1 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 12:19:47 -0600 Subject: [PATCH 20/65] support websocket.log; idaholab/Malcolm#593 --- arkime/etc/config.ini | 11 + arkime/wise/source.zeeklogs.js | 7 + .../b8cf5890-87ed-11ef-ae18-dbcd34795edb.json | 421 ++++++++++++++++++ .../templates/composable/component/zeek.json | 7 + logstash/maps/zeek_log_ecs_categories.yaml | 1 + .../pipelines/zeek/1069_zeek_websocket.conf | 56 +++ .../pipelines/zeek/1300_zeek_normalize.conf | 8 + 7 files changed, 511 insertions(+) create mode 100644 dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json create mode 100644 logstash/pipelines/zeek/1069_zeek_websocket.conf diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini index 4a5ad775c..78c93ac50 100644 --- a/arkime/etc/config.ini +++ b/arkime/etc/config.ini @@ -2669,6 +2669,16 @@ zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;fr zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action +# websocket.log +# https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info +zeek.websocket.host=db:zeek.websocket.host;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Host;help:Websocket Host +zeek.websocket.uri=db:zeek.websocket.uri;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket URI;help:Websocket URI +zeek.websocket.user_agent=db:zeek.websocket.user_agent;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket User Agent;help:Websocket User Agent +zeek.websocket.subprotocol=db:zeek.websocket.subprotocol;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Subprotocol;help:Websocket Subprotocol +zeek.websocket.client_protocols=db:zeek.websocket.client_protocols;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Protocol;help:Websocket Client Protocol +zeek.websocket.server_extensions=db:zeek.websocket.server_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Server Extension;help:Websocket Server Extension +zeek.websocket.client_extensions=db:zeek.websocket.client_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Extension;help:Websocket Client Extension + # weird.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info @@ -3395,6 +3405,7 @@ o_zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.p o_zeek_tds_sql_batch=require:zeek.tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek.tds_sql_batch.header_type,zeek.tds_sql_batch.query o_zeek_tftp=require:zeek.tftp;title:Zeek tftp.log;fields:zeek.tftp.block_acked,zeek.tftp.block_sent,zeek.tftp.error_code,zeek.tftp.error_msg,zeek.tftp.fname,zeek.tftp.mode,zeek.tftp.size,zeek.tftp.uid_data,zeek.tftp.wrq o_zeek_tunnel=require:zeek.tunnel;title:Zeek tunnel.log;fields:zeek.tunnel.tunnel_type,zeek.tunnel.action +o_zeek_websocket=require:zeek.websocket;title:Zeek websocket.log;fields:zeek.websocket.host,zeek.websocket.uri,zeek.websocket.user_agent,zeek.websocket.subprotocol,zeek.websocket.client_protocols,zeek.websocket.server_extensions,zeek.websocket.client_extensions o_zeek_weird=require:zeek.weird;title:Zeek weird.log;fields:rule.name,zeek.weird.addl,zeek.weird.notice,zeek.weird.source o_zeek_wireguard=require:zeek.wireguard;title:Zeek wireguard.log;fields:zeek.wireguard.established,zeek.wireguard.initiations,zeek.wireguard.responses o_zeek_x509=require:zeek.x509;title:Zeek x509.log;fields:zeek.x509.certificate_version,zeek.x509.certificate_serial,zeek.x509.certificate_subject.CN,zeek.x509.certificate_subject.C,zeek.x509.certificate_subject.O,zeek.x509.certificate_subject.OU,zeek.x509.certificate_subject.ST,zeek.x509.certificate_subject.SN,zeek.x509.certificate_subject.L,zeek.x509.certificate_subject.DC,zeek.x509.certificate_subject.GN,zeek.x509.certificate_subject.pseudonym,zeek.x509.certificate_subject.serialNumber,zeek.x509.certificate_subject.title,zeek.x509.certificate_subject.initials,zeek.x509.certificate_subject.emailAddress,zeek.x509.certificate_subject.description,zeek.x509.certificate_subject.postalCode,zeek.x509.certificate_subject.street,zeek.x509.certificate_issuer.CN,zeek.x509.certificate_issuer.DC,zeek.x509.certificate_issuer.C,zeek.x509.certificate_issuer.O,zeek.x509.certificate_issuer.OU,zeek.x509.certificate_issuer.ST,zeek.x509.certificate_issuer.SN,zeek.x509.certificate_issuer.L,zeek.x509.certificate_issuer.GN,zeek.x509.certificate_issuer.pseudonym,zeek.x509.certificate_issuer.serialNumber,zeek.x509.certificate_issuer.title,zeek.x509.certificate_issuer.initials,zeek.x509.certificate_issuer.emailAddress,zeek.x509.certificate_not_valid_before,zeek.x509.certificate_not_valid_after,zeek.x509.certificate_key_alg,zeek.x509.certificate_sig_alg,zeek.x509.certificate_key_type,zeek.x509.certificate_key_length,zeek.x509.certificate_exponent,zeek.x509.certificate_curve,zeek.x509.client_cert,zeek.x509.fingerprint,zeek.x509.host_cert,zeek.x509.san_dns,zeek.x509.san_uri,zeek.x509.san_email,zeek.x509.san_ip,zeek.x509.basic_constraints_ca,zeek.x509.basic_constraints_path_len diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index 01b43601b..33e520ca9 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js @@ -2780,6 +2780,13 @@ class MalcolmSource extends WISESource { "zeek.tunnel.action", "zeek.tunnel.tunnel_type", "zeek.uid", + "zeek.websocket.host", + "zeek.websocket.uri", + "zeek.websocket.user_agent", + "zeek.websocket.subprotocol", + "zeek.websocket.client_protocols", + "zeek.websocket.server_extensions", + "zeek.websocket.client_extensions", "zeek.weird.addl", "zeek.weird.notice", "zeek.weird.source", diff --git a/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json new file mode 100644 index 000000000..4b78b0072 --- /dev/null +++ b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json @@ -0,0 +1,421 @@ +{ + "version": "2.17.1", + "objects": [ + { + "id": "b8cf5890-87ed-11ef-ae18-dbcd34795edb", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T17:02:30.091Z", + "version": "WzEwNzAsMV0=", + "attributes": { + "title": "WebSocket", + "hits": 0, + "description": "", + "panelsJSON": "[{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\"},\"panelIndex\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\"},\"panelIndex\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":10,\"w\":9,\"h\":20,\"i\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\"},\"panelIndex\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":17,\"y\":10,\"w\":11,\"h\":20,\"i\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\"},\"panelIndex\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":28,\"y\":10,\"w\":10,\"h\":20,\"i\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\"},\"panelIndex\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":38,\"y\":10,\"w\":10,\"h\":20,\"i\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\"},\"panelIndex\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":20,\"i\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\"},\"panelIndex\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":40,\"i\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\"},\"panelIndex\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":50,\"w\":24,\"h\":20,\"i\":\"c7377072-c314-4e11-b024-e8214b88df52\"},\"panelIndex\":\"c7377072-c314-4e11-b024-e8214b88df52\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":31,\"i\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\"},\"panelIndex\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "f6560220-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_10", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:19:29.056Z", + "version": "WzkxNywxXQ==", + "attributes": { + "title": "Navigation", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:33:27.273Z", + "version": "WzEwNTQsMV0=", + "attributes": { + "title": "WebSocket - Log Count", + "visState": "{\"title\":\"WebSocket - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:36:21.951Z", + "version": "WzEwNTYsMV0=", + "attributes": { + "title": "WebSocket - Logs Over Time", + "visState": "{\"title\":\"WebSocket - Logs Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"timeRange\":{\"from\":\"2020-09-22T13:59:01.098Z\",\"to\":\"2021-09-08T03:14:05.363Z\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:37:22.366Z", + "version": "WzEwNTgsMV0=", + "attributes": { + "title": "WebSocket - Source IP", + "visState": "{\"title\":\"WebSocket - Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:38:40.760Z", + "version": "WzEwNTksMV0=", + "attributes": { + "title": "WebSocket - Destination IP", + "visState": "{\"title\":\"WebSocket - Destination IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:53:50.300Z", + "version": "WzEwNjYsMV0=", + "attributes": { + "title": "WebSocket - Client Extensions", + "visState": "{\"title\":\"WebSocket - Client Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:53:00.426Z", + "version": "WzEwNjQsMV0=", + "attributes": { + "title": "WebSocket - Server Extensions", + "visState": "{\"title\":\"WebSocket - Server Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.server_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Server Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "f6560220-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:46:03.481Z", + "version": "WzEwNjMsMV0=", + "attributes": { + "title": "WebSocket - Protocols", + "visState": "{\"title\":\"WebSocket - Protocols\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.subprotocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subprotocol\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_protocols\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.websocket.subprotocol:* OR zeek.websocket.client_protocol:*\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:40:55.083Z", + "version": "WzEwNjAsMV0=", + "attributes": { + "title": "WebSocket - User Agent Name", + "visState": "{\"title\":\"WebSocket - User Agent Name\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"User Agent Name\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T17:02:11.630Z", + "version": "WzEwNjksMV0=", + "attributes": { + "title": "WebSocket - URI", + "visState": "{\"title\":\"WebSocket - URI\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.hosts\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Host\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"url.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"URI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:32:16.552Z", + "version": "WzEwNTMsMV0=", + "attributes": { + "title": "WebSocket - Logs", + "description": "", + "hits": 0, + "columns": [ + "source.ip", + "destination.ip", + "destination.port", + "related.hosts", + "url.original", + "user_agent.original", + "zeek.websocket.subprotocol", + "zeek.websocket.client_protocols", + "zeek.websocket.client_extensions", + "zeek.websocket.server_extensions", + "event.id" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:websocket\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + } + ] +} \ No newline at end of file diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json index 1c8b30860..83b43e30e 100644 --- a/dashboards/templates/composable/component/zeek.json +++ b/dashboards/templates/composable/component/zeek.json @@ -611,6 +611,13 @@ "zeek.tunnel.action": { "type": "keyword" }, "zeek.tunnel.tunnel_type": { "type": "keyword" }, "zeek.uid": { "type": "keyword" }, + "zeek.websocket.host": { "type": "keyword" }, + "zeek.websocket.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }, + "zeek.websocket.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } }, + "zeek.websocket.subprotocol": { "type": "keyword" }, + "zeek.websocket.client_protocols": { "type": "keyword" }, + "zeek.websocket.server_extensions": { "type": "keyword" }, + "zeek.websocket.client_extensions": { "type": "keyword" }, "zeek.weird.addl": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } }, "zeek.weird.notice": { "type": "keyword" }, "zeek.weird.source": { "type": "keyword" }, diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml index 0c3235d98..cd8883b6b 100644 --- a/logstash/maps/zeek_log_ecs_categories.yaml +++ b/logstash/maps/zeek_log_ecs_categories.yaml @@ -102,6 +102,7 @@ "tds_rpc": ["database", "network"] "tds_sql_batch": ["database", "network"] "tunnel": ["network"] +"websocket": ["web", "network"] "weird": ["intrusion_detection", "network"] "wireguard": ["network"] "x509": ["file", "network"] \ No newline at end of file diff --git a/logstash/pipelines/zeek/1069_zeek_websocket.conf b/logstash/pipelines/zeek/1069_zeek_websocket.conf new file mode 100644 index 000000000..14fc61b97 --- /dev/null +++ b/logstash/pipelines/zeek/1069_zeek_websocket.conf @@ -0,0 +1,56 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "websocket") { + ############################################################################################################################# + # websocket.log + # https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_websocket" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][user_agent]} %{[zeek_cols][subprotocol]} %{[zeek_cols][client_protocols]} %{[zeek_cols][server_extensions]} %{[zeek_cols][client_extensions]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_websocket" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_websocket" + init => "@zeek_websocket_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'host', 'uri', 'user_agent', 'subprotocol', 'client_protocols', 'server_extensions', 'client_extensions' ]" + code => "event.set('[zeek_cols]', @zeek_websocket_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + # zeek says it's a vector, but I'm seeing semicolon-separated as well + mutate { id => "mutate_split_zeek_websocket_commas" + split => { "[zeek_cols][client_protocols]" => "," + "[zeek_cols][server_extensions]" => "," + "[zeek_cols][client_extensions]" => "," } } + mutate { id => "mutate_split_zeek_websocket_semicolons" + split => { "[zeek_cols][client_protocols]" => ";" + "[zeek_cols][server_extensions]" => ";" + "[zeek_cols][client_extensions]" => ";" } } + mutate { id => "mutate_strip_zeek_websocket" + strip => [ "[zeek_cols][client_protocols]", + "[zeek_cols][server_extensions]", + "[zeek_cols][client_extensions]" ] } + + mutate { + id => "mutate_add_field_zeek_service_websocket" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "websocket" + } + } + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1300_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf index c4b77e920..c7b1c8bc2 100644 --- a/logstash/pipelines/zeek/1300_zeek_normalize.conf +++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf @@ -1430,6 +1430,8 @@ filter { merge => { "[user_agent][original]" => "[zeek][sip][user_agent]" } } } if ([zeek][smtp][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_smtp" merge => { "[user_agent][original]" => "[zeek][smtp][user_agent]" } } } + if ([zeek][websocket][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_websocket" + merge => { "[user_agent][original]" => "[zeek][websocket][user_agent]" } } } # Hashes ############################################################################################################ # ECS - various -> related.hash (accumulate all hash/fingerprint fields into related.hash) @@ -1470,6 +1472,9 @@ filter { if ([zeek][smtp][helo]) { mutate { id => "mutate_merge_field_zeek_smtp_helo_related_hosts" merge => { "[related][hosts]" => "[zeek][smtp][helo]" } } } + if ([zeek][websocket][host]) { mutate { id => "mutate_merge_field_zeek_websocket_related_hosts" + merge => { "[related][hosts]" => "[zeek][websocket][host]" } } } + # URLs/URIs ######################################################################################################### # ECS - various -> url.original @@ -1499,6 +1504,9 @@ filter { if ([zeek][sip][uri]) { mutate { id => "mutate_merge_field_zeek_sip_uri_url_original" merge => { "[url][original]" => "[zeek][sip][uri]" } } } + if ([zeek][websocket][uri]) { mutate { id => "mutate_merge_field_zeek_websocket_uri_url_original" + merge => { "[url][original]" => "[zeek][websocket][uri]" } } } + if ([zeek][x509][san_uri]) { mutate { id => "mutate_merge_field_zeek_x509_san_uri_url_original" merge => { "[url][original]" => "[zeek][x509][san_uri]" } } } From f59ff493b921d76eb29c3c0736a3c6d1076e8447 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 12:48:59 -0600 Subject: [PATCH 21/65] support websocket.log; idaholab/Malcolm#593 --- .../pipelines/zeek/1069_zeek_websocket.conf | 34 ++++++++++++------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/logstash/pipelines/zeek/1069_zeek_websocket.conf b/logstash/pipelines/zeek/1069_zeek_websocket.conf index 14fc61b97..5d0bbc0b6 100644 --- a/logstash/pipelines/zeek/1069_zeek_websocket.conf +++ b/logstash/pipelines/zeek/1069_zeek_websocket.conf @@ -30,19 +30,27 @@ filter { } } - # zeek says it's a vector, but I'm seeing semicolon-separated as well - mutate { id => "mutate_split_zeek_websocket_commas" - split => { "[zeek_cols][client_protocols]" => "," - "[zeek_cols][server_extensions]" => "," - "[zeek_cols][client_extensions]" => "," } } - mutate { id => "mutate_split_zeek_websocket_semicolons" - split => { "[zeek_cols][client_protocols]" => ";" - "[zeek_cols][server_extensions]" => ";" - "[zeek_cols][client_extensions]" => ";" } } - mutate { id => "mutate_strip_zeek_websocket" - strip => [ "[zeek_cols][client_protocols]", - "[zeek_cols][server_extensions]", - "[zeek_cols][client_extensions]" ] } + # split some vector fields (on , and ;) a few fields and trim spaces + ruby { + id => "ruby_websocket_split_and_clean" + code => " + if (client_protocols = event.get('[zeek_cols][client_protocols]')) then + client_protocols = client_protocols.split(/[,;]/) + client_protocols.collect{ |e| e ? e.strip : e } + event.set('[zeek_cols][client_protocols]', client_protocols) + end + if (server_extensions = event.get('[zeek_cols][server_extensions]')) then + server_extensions = server_extensions.split(/[,;]/) + server_extensions.collect{ |e| e ? e.strip : e } + event.set('[zeek_cols][server_extensions]', server_extensions) + end + if (client_extensions = event.get('[zeek_cols][client_extensions]')) then + client_extensions = client_extensions.split(/[,;]/) + client_extensions.collect{ |e| e ? e.strip : e } + event.set('[zeek_cols][client_extensions]', client_extensions) + end + " + } mutate { id => "mutate_add_field_zeek_service_websocket" From bbdca12ce350b60f535291ec09d622edac73f91c Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 14:03:58 -0600 Subject: [PATCH 22/65] support websocket.log; idaholab/Malcolm#593 --- dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json | 2 +- dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json | 2 +- dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json | 2 +- dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json | 2 +- dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json | 2 +- dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json | 2 +- dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json | 2 +- dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json | 2 +- dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json | 2 +- dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json | 2 +- dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json | 2 +- dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json | 2 +- dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json | 2 +- dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json | 2 +- dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json | 2 +- dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json | 2 +- dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json | 2 +- dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json | 2 +- dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json | 2 +- dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json | 2 +- dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json | 2 +- dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json | 2 +- dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json | 2 +- dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json | 2 +- dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json | 2 +- dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json | 2 +- dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json | 2 +- dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json | 2 +- dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json | 2 +- dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json | 2 +- dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json | 2 +- dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json | 2 +- dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json | 2 +- dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json | 2 +- dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json | 2 +- dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json | 2 +- dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json | 2 +- dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json | 2 +- dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json | 2 +- dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json | 2 +- dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json | 2 +- dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json | 2 +- dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json | 2 +- dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json | 2 +- dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json | 2 +- dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json | 2 +- dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json | 2 +- dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json | 2 +- dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json | 2 +- dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json | 2 +- dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json | 2 +- dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json | 2 +- dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json | 2 +- dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json | 2 +- dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json | 2 +- dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json | 2 +- dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json | 2 +- dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json | 2 +- dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json | 2 +- dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json | 2 +- dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json | 2 +- dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json | 2 +- dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json | 2 +- dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json | 2 +- dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json | 2 +- dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json | 2 +- 77 files changed, 77 insertions(+), 77 deletions(-) diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json index e434649ee..1b8548b27 100644 --- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json +++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json @@ -112,7 +112,7 @@ "version": "Wzc0MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json index 50001dea6..7e1c6df4a 100644 --- a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json +++ b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json @@ -87,7 +87,7 @@ "version": "Wzc5NSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json index cab9dbd70..4359662f0 100644 --- a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json +++ b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json @@ -92,7 +92,7 @@ "version": "Wzg3OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json index 28b70ce36..b886de969 100644 --- a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json +++ b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 27db8f8a9..f99475f9f 100644 --- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -87,7 +87,7 @@ "version": "WzkzNiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 161be0c69..54a52681f 100644 --- a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json @@ -87,7 +87,7 @@ "version": "Wzc5NSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index ab4e6e4b2..cff8454a3 100644 --- a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index e977131e7..39609ea04 100644 --- a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json @@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index a6fd63905..4e143685b 100644 --- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -82,7 +82,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json index 2e2f64890..1a15e9b7b 100644 --- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json +++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json index d3336dc49..44a0e8231 100644 --- a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json +++ b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json @@ -82,7 +82,7 @@ "version": "Wzc1NSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json index 326d68591..9d29d5d34 100644 --- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json +++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json @@ -127,7 +127,7 @@ "version": "Wzg1NywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json index 2317d148d..fcd8b6a6a 100644 --- a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json +++ b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json @@ -92,7 +92,7 @@ "version": "WzkzNiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json index 24ae0643e..1fe910058 100644 --- a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json index 6750c90bd..81517ff8a 100644 --- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json +++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json @@ -72,7 +72,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json index 55b56a2b0..5b36aced7 100644 --- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json @@ -112,7 +112,7 @@ "version": "Wzg2MCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json index 3789273ac..990a0956d 100644 --- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json @@ -122,7 +122,7 @@ "version": "Wzg2MCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json index 95d2e37df..fc0d3c29d 100644 --- a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json +++ b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json @@ -122,7 +122,7 @@ "version": "Wzg0OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json index 23bd223d4..d2f40a6ca 100644 --- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json +++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json @@ -107,7 +107,7 @@ "version": "Wzg3OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json index 63f13a019..eb0c70932 100644 --- a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json +++ b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json @@ -117,7 +117,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json index e19515bff..bcd6b5ee6 100644 --- a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json @@ -72,7 +72,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json index 1485445a6..d55123c06 100644 --- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json +++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json @@ -97,7 +97,7 @@ "version": "Wzc2OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json index 0386519c9..da2caaa25 100644 --- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json +++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json @@ -127,7 +127,7 @@ "version": "Wzg1OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json index e4d6458b2..92a846722 100644 --- a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json index 73d1d4cf9..d09bf994f 100644 --- a/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json +++ b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json @@ -162,7 +162,7 @@ "version": "WzkxNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json index 72326fc58..9825403ca 100644 --- a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json +++ b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json @@ -102,7 +102,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json index a48786060..e534438e4 100644 --- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json +++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json @@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json index 38480910d..ef5d30e15 100644 --- a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json +++ b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json @@ -82,7 +82,7 @@ "version": "Wzg4MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json index a0a2eae4a..afec24b5a 100644 --- a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json +++ b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json @@ -97,7 +97,7 @@ "version": "Wzg4OCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json index ac154935b..02da0c856 100644 --- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json +++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json @@ -87,7 +87,7 @@ "version": "Wzg1OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json index d5fd80bc8..bb9b463df 100644 --- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json +++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json @@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json index 5f4c65802..20b1f3a71 100644 --- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json +++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json @@ -97,7 +97,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json index acdbf661c..b6adfbceb 100644 --- a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json @@ -47,7 +47,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json index b5565607e..93985be75 100644 --- a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json +++ b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json @@ -97,7 +97,7 @@ "version": "Wzg2MSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json index 3198f0e9e..caecd428f 100644 --- a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json +++ b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json index 95f464233..5980f5917 100644 --- a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json +++ b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json @@ -77,7 +77,7 @@ "version": "Wzc4NCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json index f271925b6..06a3088ab 100644 --- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json +++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json @@ -122,7 +122,7 @@ "version": "Wzg4NywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json index b58dd7b02..a1d23dd8a 100644 --- a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json +++ b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json @@ -82,7 +82,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json index 43509ff54..023608ba5 100644 --- a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json index 462e488b4..04ddf68dd 100644 --- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json +++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json @@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json index 595d4f9cd..218212ed9 100644 --- a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json +++ b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json @@ -117,7 +117,7 @@ "version": "Wzg1OCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json index c26c0d9f5..ebac43e5f 100644 --- a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json +++ b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json @@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json index 94994fe52..f3b7887fc 100644 --- a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json +++ b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json @@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json index c339ed35c..69104c4cf 100644 --- a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json +++ b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json @@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json index d339fb53a..5c20800ed 100644 --- a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json +++ b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json @@ -62,7 +62,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json index cd9be901f..790ca8f43 100644 --- a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json +++ b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json @@ -102,7 +102,7 @@ "version": "WzgzNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json index 374bb560d..91f8cee9e 100644 --- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json +++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json index 8ede6bef5..73c8287de 100644 --- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json +++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json @@ -102,7 +102,7 @@ "version": "Wzg1NywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json index 78474a3b9..085de5b44 100644 --- a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json +++ b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json @@ -122,7 +122,7 @@ "version": "Wzg2MCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json index 8d25b5a6b..3e476026e 100644 --- a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json index 3495f67eb..2bb2faa17 100644 --- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json +++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json @@ -82,7 +82,7 @@ "version": "Wzg1OSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index 2a94b378b..a32c7a731 100644 --- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json @@ -87,7 +87,7 @@ "version": "Wzg2MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index 8db78e921..70e3f286d 100644 --- a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json @@ -167,7 +167,7 @@ "version": "Wzc4NiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json index 91aca6cf2..b04cb2712 100644 --- a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json +++ b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json @@ -87,7 +87,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json index 0eeab6b94..a334a8d2d 100644 --- a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json +++ b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json @@ -87,7 +87,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index 6ba462415..d0b14ce92 100644 --- a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json index 4b78b0072..5bbbde47e 100644 --- a/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json +++ b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json @@ -92,7 +92,7 @@ "version": "WzkxNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index 198595474..5a2a6ba77 100644 --- a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index 1d94d12a9..33a318225 100644 --- a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json +++ b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json @@ -107,7 +107,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json index e5c206731..fc1d849b4 100644 --- a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json @@ -72,7 +72,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json index b793a3092..04ce976bd 100644 --- a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json +++ b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json @@ -82,7 +82,7 @@ "version": "WzY5MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json index bdafb1f1e..539aa8471 100644 --- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json +++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json @@ -77,7 +77,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json index b6215b367..43542d1b8 100644 --- a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json +++ b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json @@ -92,7 +92,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index 84da7d3be..cc018dc9c 100644 --- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json @@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json index d0b785710..2d4747a48 100644 --- a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json +++ b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json @@ -112,7 +112,7 @@ "version": "WzczOSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index 13b9588c5..f81e16734 100644 --- a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index f203dc194..0d71c4bfd 100644 --- a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json +++ b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json index 816986635..58a136fa4 100644 --- a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json +++ b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json @@ -107,7 +107,7 @@ "version": "WzgzOCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json index 57fd769eb..46b24e2fe 100644 --- a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json +++ b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json index 082c58868..10c215df4 100644 --- a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json +++ b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json @@ -127,7 +127,7 @@ "version": "Wzg3NywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json index ecfd7f99d..128be831c 100644 --- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json @@ -97,7 +97,7 @@ "version": "Wzg2MCwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json index e5fe54a1a..c4f0415d5 100644 --- a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json @@ -47,7 +47,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index 6479af002..20b6d2d85 100644 --- a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json @@ -137,7 +137,7 @@ "version": "Wzg2MSwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index 1bb8e62d1..2c6e42db1 100644 --- a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json @@ -57,7 +57,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index e3aaae309..d12be8426 100644 --- a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json @@ -102,7 +102,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json index 917cc227e..079fc82ff 100644 --- a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json @@ -77,7 +77,7 @@ "version": "Wzg3MiwxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, diff --git a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json index a5193063e..1b9d541f7 100644 --- a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json +++ b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json @@ -102,7 +102,7 @@ "version": "WzkzNywxXQ==", "attributes": { "title": "Navigation", - "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", "uiStateJSON": "{}", "description": "", "version": 1, From e3fbb488437a91acbda2a4c6505928eddf04166e Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Fri, 11 Oct 2024 14:33:11 -0600 Subject: [PATCH 23/65] support websocket.log; idaholab/Malcolm#593 --- docs/protocols.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/protocols.md b/docs/protocols.md index 7e69f78f2..ee1c40768 100644 --- a/docs/protocols.md +++ b/docs/protocols.md @@ -53,6 +53,7 @@ Malcolm uses [Zeek](https://docs.zeek.org/en/stable/script-reference/proto-analy |Tabular Data Stream (TDS)|[🔗](https://en.wikipedia.org/wiki/Tabular_Data_Stream)|[🔗](https://www.freetds.org/tds.html) [🔗](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/b46a581a-39de-4745-b076-ec4dbb7d13ec)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/tds.c)|[✓](https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek)| |Telnet / remote shell (rsh) / remote login (rlogin)|[🔗](https://en.wikipedia.org/wiki/Telnet)[🔗](https://en.wikipedia.org/wiki/Berkeley_r-commands)|[🔗](https://tools.ietf.org/html/rfc854)[🔗](https://tools.ietf.org/html/rfc1282)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/misc.c#L336)|[✓](https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html)[❋]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/login.zeek)| |TFTP (Trivial File Transfer Protocol)|[🔗](https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol)|[🔗](https://tools.ietf.org/html/rfc1350)||[✓](https://github.com/zeek/spicy-analyzers/blob/main/analyzer/protocol/tftp/tftp.zeek)| +|WebSocket|[🔗](https://en.wikipedia.org/wiki/WebSocket)|[🔗](https://datatracker.ietf.org/doc/html/rfc6455)||[✓](https://docs.zeek.org/en/current/scripts/base/protocols/websocket/main.zeek.html)| |WireGuard|[🔗](https://en.wikipedia.org/wiki/WireGuard)|[🔗](https://www.wireguard.com/protocol/)[🔗](https://www.wireguard.com/papers/wireguard.pdf)||[✓](https://github.com/corelight/zeek-spicy-wireguard)| |various tunnel protocols (e.g., GTP, GRE, Teredo, AYIYA, IP-in-IP, etc.)|[🔗](https://en.wikipedia.org/wiki/Tunneling_protocol)||[✓](https://github.com/arkime/arkime/blob/master/capture/packet.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info)| From 55530570d5cb2671cdf920b42b48865490f8ee61 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 15 Oct 2024 07:42:07 -0600 Subject: [PATCH 24/65] put copy of github_download_counts.py in repo --- .../github_download_counts.py | 344 ++++++++++++++++++ .../github-download-counts/requirements.txt | 4 + 2 files changed, 348 insertions(+) create mode 100755 scripts/github-download-counts/github_download_counts.py create mode 100644 scripts/github-download-counts/requirements.txt diff --git a/scripts/github-download-counts/github_download_counts.py b/scripts/github-download-counts/github_download_counts.py new file mode 100755 index 000000000..59b170f1c --- /dev/null +++ b/scripts/github-download-counts/github_download_counts.py @@ -0,0 +1,344 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import argparse +import github3 as github +import json +import logging +import mmguero +import os +import re +import requests +import sys + +from collections import defaultdict +from dateparser import parse as ParseDate +from datetime import datetime +from tzlocal import get_localzone +from bs4 import BeautifulSoup + +################################################################################################### +script_name = os.path.basename(__file__) +script_path = os.path.dirname(os.path.realpath(__file__)) + +GITHUB_API_REQUESTS_PER_PAGE = 30 + + +################################################################################################### +# main +def main(): + parser = argparse.ArgumentParser( + description='\n'.join( + [ + 'Display download statistics from GitHub repositories', + '', + '* Access to the GitHub API is done using your personal access token (PAT).' + 'See https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens', + 'for information about PATs.', + '', + ] + ), + formatter_class=argparse.RawTextHelpFormatter, + add_help=False, + usage=f'{script_name} ', + ) + parser.add_argument( + '--verbose', + '-v', + action='count', + default=1, + help='Increase verbosity (e.g., -v, -vv, etc.)', + ) + parser.add_argument( + '-t', + '--token', + dest='githubToken', + help=f'GitHub API token', + metavar='', + type=str, + default=os.getenv('GITHUB_TOKEN', os.getenv('GITHUB_OAUTH_TOKEN', '')), + ) + parser.add_argument( + '--token-file', + dest='githubTokenFile', + help=f'GitHub API token (read from filename)', + metavar='', + type=str, + default=os.getenv('GITHUB_TOKEN_FILE', os.getenv('GITHUB_OAUTH_TOKEN_FILE', '')), + ) + parser.add_argument( + '-r', + '--repo', + dest='repos', + nargs='*', + type=str, + default=[], + help="One or more GitHub repository/repositories (e.g., org/repo)", + ) + parser.add_argument( + '--date-from', + dest='dateFromStr', + metavar='', + type=str, + default='Jan 1 1970', + help="Human readable date expression for beginning of search time frame (default: Jan 1 1970)", + ) + parser.add_argument( + '--date-to', + dest='dateToStr', + metavar='', + type=str, + default='now', + help="Human readable date expression for ending of search time frame (default: now)", + ) + parser.add_argument( + '--release', + dest='releaseRegexes', + nargs='*', + type=str, + default=[], + help="List of regular expressions against which to match releases (e.g., ^v24\\.10)", + ) + parser.add_argument( + '-a', + '--asset', + dest='assetRegexes', + nargs='*', + type=str, + default=[], + help="List of regular expressions against which to match release assets (e.g., ^\\w+.+\\.iso\\.01$, ^foobar_.*\\.tar\\.gz$", + ) + parser.add_argument( + '-i', + '--image', + dest='imageRegexes', + nargs='*', + type=str, + default=[], + help="List of regular expressions against which to match container images (e.g., ^foobar/barbaz$)", + ) + parser.add_argument( + '--image-tag', + dest='imageTagRegexes', + nargs='*', + type=str, + default=[], + help="List of regular expressions against which to match container image tags (e.g., ^24\\.10)", + ) + try: + parser.error = parser.exit + args = parser.parse_args() + except SystemExit: + parser.print_help() + sys.exit(2) + + # if the GitHub token was not obtained from environment variable or as an argument, + # see if it can be loaded from a file + if (not args.githubToken) and os.path.isfile(args.githubTokenFile): + with open(args.githubTokenFile) as f: + args.githubToken = f.readline().strip() + + args.verbose = logging.CRITICAL - (10 * args.verbose) if args.verbose > 0 else 0 + logging.basicConfig( + level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S' + ) + logging.info(os.path.join(script_path, script_name)) + logging.info("Arguments: {}".format(sys.argv[1:])) + logging.info("Arguments: {}".format(args)) + if args.verbose > logging.DEBUG: + sys.tracebacklimit = 0 + + # resolve the start and end times for searching + dateFrom = ParseDate(args.dateFromStr) + dateTo = ParseDate(args.dateToStr) + localZone = get_localzone() + if dateFrom.tzinfo is None: + dateFrom = dateFrom.replace(tzinfo=localZone) + if dateTo.tzinfo is None: + dateTo = dateTo.replace(tzinfo=localZone) + logging.info(f'Searching {dateFrom} to {dateTo}') + + # objects to hold our final results + finalResults = {} + imagePulls = defaultdict(lambda: 0) + assetDownloads = defaultdict(lambda: 0) + packages = [] + + # compile the regular expressions used for matching asset download counts + assetRegexes = {} + for reStr in args.assetRegexes: + assetRegexes[reStr] = re.compile(reStr) + releaseRegexes = {} + for reStr in args.releaseRegexes: + releaseRegexes[reStr] = re.compile(reStr) + imageRegexes = {} + for reStr in args.imageRegexes: + imageRegexes[reStr] = re.compile(reStr) + imageTagRegexes = {} + for reStr in args.imageTagRegexes: + imageTagRegexes[reStr] = re.compile(reStr) + + # log in to GitHub given the token provided + gh = github.login(token=args.githubToken) + logging.info(gh) + + # unfortunately not all of the APIs we need are covered by github3 ಠ_ಥ + # so we have to do some manual API pulling with requests, and even (gasp) + # some web scraping with bs4 + ghSession = requests.Session() + ghSession.headers = { + 'Accept': 'application/vnd.github.v3+json', + 'Authorization': f'token {args.githubToken}', + 'X-GitHub-Api-Version': '2022-11-28', + } + ghHTMLSession = requests.Session() + + # loop over the repos provided + orgsPolledForImages = set() + for repoSpec in args.repos: + repoParts = repoSpec.split('/') + if len(repoParts) == 2: + if repo := gh.repository(repoParts[0], repoParts[1]): + + # loop over the releases for this repo, examining those in the search time frame + if assetRegexes: + for release in repo.releases(): + if dateFrom <= release.published_at <= dateTo and ( + ( + (not releaseRegexes) + or any([v.match(release.tag_name) for k, v in releaseRegexes.items()]) + ) + ): + logging.debug(f'{repo.full_name} {release.tag_name} at {release.published_at}') + # aggregate download counts for assets matching the regular expressions provided + for asset in release.assets(): + for reStr, reObj in assetRegexes.items(): + if reObj.match(asset.name): + assetDownloads[f"{repoParts[0]}/{reStr}"] = ( + assetDownloads[f"{repoParts[0]}/{reStr}"] + asset.download_count + ) + + if imageRegexes and (repoParts[0] not in orgsPolledForImages): + # make requests to list container images in the ghcr.io repository for this organization + page = 0 + orgsPolledForImages.add(repoParts[0]) + while True: + try: + page = page + 1 + params = { + 'package_type': 'container', + 'page': page, + 'per_page': GITHUB_API_REQUESTS_PER_PAGE, + } + pkgsResponse = ghSession.get( + f'https://api.github.com/orgs/{repoParts[0]}/packages', + params=params, + allow_redirects=True, + ) + pkgsResponse.raise_for_status() + if (packagesJson := mmguero.LoadStrIfJson(pkgsResponse.content)) and isinstance( + packagesJson, list + ): + packages.extend( + [x for x in packagesJson if any([v.match(x['name']) for k, v in imageRegexes.items()])] + ) + if len(packagesJson) < GITHUB_API_REQUESTS_PER_PAGE: + break + else: + break + except Exception as e: + logging.error(f"Listing packages: {e}") + break + + # for the packages we accumulated earlier, put together a list of matching image tags + for packageInfo in packages: + versions = [] + page = 0 + while True: + try: + page = page + 1 + params = { + 'page': page, + 'per_page': GITHUB_API_REQUESTS_PER_PAGE, + } + versionsResponse = ghSession.get( + f"https://api.github.com/orgs/{mmguero.DeepGet(packageInfo, ['owner', 'login'])}/packages/container/{mmguero.AggressiveUrlEncode(packageInfo['name'])}/versions", + params=params, + allow_redirects=True, + ) + versionsResponse.raise_for_status() + if (versionsJson := mmguero.LoadStrIfJson(versionsResponse.content)) and isinstance(versionsJson, list): + # only consider versions where the tag creation date is in our search time frame, and + # the tag name(s) match the regex filter (if specified) + versions.extend( + [ + x + for x in versionsJson + if (dateFrom <= ParseDate(x.get('created_at')) <= dateTo) + and ( + ( + (not imageTagRegexes) + or any( + [ + v.match(t) + for t in mmguero.DeepGet(x, ['metadata', 'container', 'tags']) + for k, v in imageTagRegexes.items() + ] + ) + ) + ) + ] + ) + if len(versionsJson) < GITHUB_API_REQUESTS_PER_PAGE: + break + else: + break + except Exception as e: + # give up + logging.error(f"Listing package versions: {e}") + break + + # the GitHub packages API apparently doesn't surface pull counts, so we've got to do some scraping to get that number + for version in versions: + try: + if 'html_url' in version: + tmpResponse = ghHTMLSession.get( + version['html_url'], + allow_redirects=True, + ) + tmpResponse.raise_for_status() + soup = BeautifulSoup(tmpResponse.text, 'html.parser') + # look for the "Total downloads" , then get the contents of its next sibling + if totalDownloadsLabel := soup.find('span', string="Total downloads"): + if tags := mmguero.DeepGet(version, ['metadata', 'container', 'tags']): + tagsStr = f':{"(" if len(tags) > 1 else ""}{"|".join(tags)}{")" if len(tags) > 1 else ""}' + else: + tagsStr = '@' + version['name'] + if pullCount := int(totalDownloadsLabel.find_next('span').text.replace(",", "")): + imagePulls[ + f"{mmguero.DeepGet(packageInfo, ['owner', 'login'])}/{packageInfo['name']}{tagsStr}" + ] = int(pullCount) + except Exception as e: + logging.error(f"Parsing HTML page for package: {e}") + + # put things together for the final output + if assetDownloads: + finalResults['release_assets'] = assetDownloads + if imagePulls: + finalResults['image_pulls'] = imagePulls + + # add a total to each sub-dictionary + for key, subDict in finalResults.items(): + subDict["total"] = sum(subDict.values()) + + print(json.dumps(finalResults)) + + return 0 + + +################################################################################################### +if __name__ == '__main__': + if main() > 0: + sys.exit(0) + else: + sys.exit(1) diff --git a/scripts/github-download-counts/requirements.txt b/scripts/github-download-counts/requirements.txt new file mode 100644 index 000000000..c593b6fdf --- /dev/null +++ b/scripts/github-download-counts/requirements.txt @@ -0,0 +1,4 @@ +beautifulsoup4 +dateparser +github3.py +mmguero \ No newline at end of file From 23a4c12051e0d1370c9d5c9e9c68504c270800a9 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 15 Oct 2024 10:38:31 -0600 Subject: [PATCH 25/65] Set trivy-action to v0.28.0 --- .github/workflows/api-build-and-push-ghcr.yml | 2 +- .github/workflows/arkime-build-and-push-ghcr.yml | 2 +- .github/workflows/dashboards-build-and-push-ghcr.yml | 2 +- .github/workflows/dashboards-helper-build-and-push-ghcr.yml | 2 +- .github/workflows/dirinit-build-and-push-ghcr.yml | 2 +- .github/workflows/file-monitor-build-and-push-ghcr.yml | 2 +- .github/workflows/file-upload-build-and-push-ghcr.yml | 2 +- .github/workflows/filebeat-build-and-push-ghcr.yml | 2 +- .github/workflows/freq-build-and-push-ghcr.yml | 2 +- .github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml | 2 +- .github/workflows/htadmin-build-and-push-ghcr.yml | 2 +- .github/workflows/logstash-build-and-push-ghcr.yml | 2 +- .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml | 2 +- .github/workflows/netbox-build-and-push-ghcr.yml | 2 +- .github/workflows/nginx-build-and-push-ghcr.yml | 2 +- .github/workflows/opensearch-build-and-push-ghcr.yml | 2 +- .github/workflows/pcap-capture-build-and-push-ghcr.yml | 2 +- .github/workflows/pcap-monitor-build-and-push-ghcr.yml | 2 +- .github/workflows/postgresql-build-and-push-ghcr.yml | 2 +- .github/workflows/redis-build-and-push-ghcr.yml | 2 +- .github/workflows/suricata-build-and-push-ghcr.yml | 2 +- .github/workflows/zeek-build-and-push-ghcr.yml | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index b8fae021e..37a047487 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index 0c297098c..be04c764a 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -115,7 +115,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index a63b7bbdf..3d1d2920d 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index 440920dc7..e5a1b5ec4 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml index 92048e9ee..a9a6d42d7 100644 --- a/.github/workflows/dirinit-build-and-push-ghcr.yml +++ b/.github/workflows/dirinit-build-and-push-ghcr.yml @@ -100,7 +100,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index b8c794493..f45f9fb33 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -110,7 +110,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index ee7871190..ed4218bd7 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index 2f9185c17..2709bf39e 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index a54409528..a87bc2e1e 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml index 6a16d715e..718033682 100644 --- a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml @@ -141,7 +141,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'fs' scan-ref: './hedgehog-iso' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index c1525370b..80211a6ee 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index 4a1eca3b3..b95397938 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index 75f1849fe..c3c65064d 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -148,7 +148,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'fs' scan-ref: './malcolm-iso' diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index ffe49b832..1bb83012a 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index 66d10788a..da13854b6 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -120,7 +120,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index 80804d1e2..d26cd92a0 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 5ef3dd924..1dc03a712 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index a6f4a14ab..724cc2615 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index d5530c898..6e2ea78a5 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index baf497fe5..0a3050c93 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index a185fe477..5df7e1084 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index 26fac60b3..cba988b57 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml @@ -114,7 +114,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@v0.28.0 with: scan-type: 'image' scanners: 'vuln' From 5f8649d62552f673df7515ffc82d820ca16c363e Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 15 Oct 2024 10:40:48 -0600 Subject: [PATCH 26/65] Set trivy-action to v0.28.0 --- .github/workflows/api-build-and-push-ghcr.yml | 2 +- .github/workflows/arkime-build-and-push-ghcr.yml | 2 +- .github/workflows/dashboards-build-and-push-ghcr.yml | 2 +- .github/workflows/dashboards-helper-build-and-push-ghcr.yml | 2 +- .github/workflows/dirinit-build-and-push-ghcr.yml | 2 +- .github/workflows/file-monitor-build-and-push-ghcr.yml | 2 +- .github/workflows/file-upload-build-and-push-ghcr.yml | 2 +- .github/workflows/filebeat-build-and-push-ghcr.yml | 2 +- .github/workflows/freq-build-and-push-ghcr.yml | 2 +- .github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml | 2 +- .github/workflows/htadmin-build-and-push-ghcr.yml | 2 +- .github/workflows/logstash-build-and-push-ghcr.yml | 2 +- .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml | 2 +- .github/workflows/netbox-build-and-push-ghcr.yml | 2 +- .github/workflows/nginx-build-and-push-ghcr.yml | 2 +- .github/workflows/opensearch-build-and-push-ghcr.yml | 2 +- .github/workflows/pcap-capture-build-and-push-ghcr.yml | 2 +- .github/workflows/pcap-monitor-build-and-push-ghcr.yml | 2 +- .github/workflows/postgresql-build-and-push-ghcr.yml | 2 +- .github/workflows/redis-build-and-push-ghcr.yml | 2 +- .github/workflows/suricata-build-and-push-ghcr.yml | 2 +- .github/workflows/zeek-build-and-push-ghcr.yml | 2 +- 22 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index 37a047487..b3b80ad35 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index be04c764a..6202c0138 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -115,7 +115,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index 3d1d2920d..52706f552 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index e5a1b5ec4..4afffa301 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml index a9a6d42d7..5cf0424fd 100644 --- a/.github/workflows/dirinit-build-and-push-ghcr.yml +++ b/.github/workflows/dirinit-build-and-push-ghcr.yml @@ -100,7 +100,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index f45f9fb33..867e8ebc8 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -110,7 +110,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index ed4218bd7..727280a0f 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index 2709bf39e..e43152c86 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index a87bc2e1e..acdc4f6e8 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml index 718033682..50a19f596 100644 --- a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml @@ -141,7 +141,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'fs' scan-ref: './hedgehog-iso' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index 80211a6ee..dbcb71779 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index b95397938..407c302ae 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index c3c65064d..01b4ff5a1 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -148,7 +148,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'fs' scan-ref: './malcolm-iso' diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index 1bb83012a..5063f5787 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index da13854b6..eb8d89012 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -120,7 +120,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index d26cd92a0..d3c1f52b5 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 1dc03a712..3d0bf4e7f 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index 724cc2615..f66cb71a1 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -113,7 +113,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index 6e2ea78a5..9369feff2 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index 0a3050c93..635728f2f 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index 5df7e1084..ec6ebadc6 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -112,7 +112,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index cba988b57..8d2dda621 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml @@ -114,7 +114,7 @@ jobs: name: Run Trivy vulnerability scanner if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'image' scanners: 'vuln' From 71d84db6fae7ea6624fbfe074cd5e5ef578e8505 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 15 Oct 2024 13:01:49 -0600 Subject: [PATCH 27/65] Technical Changes --- Dockerfiles/zeek.Dockerfile | 2 +- config/zeek.env.example | 4 +++- shared/bin/zeek-deb-download.sh | 2 +- zeek/config/local.zeek | 14 +++----------- 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index bc9034125..dd8030dad 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -33,7 +33,7 @@ USER root # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references) # for download and install -ARG ZEEK_VERSION=7.0.1-0 +ARG ZEEK_VERSION=7.0.3-0 ENV ZEEK_VERSION $ZEEK_VERSION # put Zeek and Spicy in PATH diff --git a/config/zeek.env.example b/config/zeek.env.example index ee73ef729..5741adf2d 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example @@ -62,6 +62,8 @@ EXTRACTED_FILE_HTTP_SERVER_ZIP=false EXTRACTED_FILE_HTTP_SERVER_MAGIC=false # HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved") EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true +# Adjust how often the JA4SSH hash is calculated. +ZEEK_JA4SSH_PACKET_COUNT=200 # Environment variables for tweaking Zeek at runtime (see local.zeek) # Set to true to disable the corresponding feature ZEEK_DISABLE_HASH_ALL_FILES= @@ -79,7 +81,7 @@ ZEEK_DISABLE_SPICY_WIREGUARD= ZEEK_DISABLE_ICS_ALL= ZEEK_DISABLE_ICS_BACNET= ZEEK_DISABLE_ICS_BSAP= -ZEEK_DISABLE_ICS_DNP3= +ZEEK_DISABLE_ICS_DNP3= ZEEK_DISABLE_ICS_ENIP= ZEEK_DISABLE_ICS_ETHERCAT= ZEEK_DISABLE_ICS_GENISYS=true diff --git a/shared/bin/zeek-deb-download.sh b/shared/bin/zeek-deb-download.sh index cbe8e6fcf..119ef017a 100755 --- a/shared/bin/zeek-deb-download.sh +++ b/shared/bin/zeek-deb-download.sh @@ -6,7 +6,7 @@ unset VERBOSE command -v dpkg >/dev/null 2>&1 && ARCH="$(dpkg --print-architecture)" || ARCH=amd64 DISTRO=Debian_12 OUTPUT_DIR=/tmp -ZEEK_VERSION=7.0.1-0 +ZEEK_VERSION=7.0.3-0 while getopts a:d:o:vz: opts; do case ${opts} in diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 8ccc2d0ee..7b6cf34a1 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -4,8 +4,7 @@ ##! https://docs.zeek.org/en/stable/script-reference/scripts.html ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek -global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; -global +global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; @@ -17,7 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); -global zeek_ja4_ssh_packet_count = getenv("ZEEK_JA4SSH_PACKET_COUNT") +global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT")); global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; @@ -116,7 +115,6 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F; @load custom event zeek_init() &priority=-5 { - if (zeek_local_nets_str != "") { local nets_strs = split_string(zeek_local_nets_str, /,/); if (|nets_strs| > 0) { @@ -284,14 +282,8 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif -@if (is_num(zeek_ja4_ssh_packet_count)) - redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; -@else - redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = 200; -@endif - -redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; From 0f3aa65d5c03c5c8cfec025098f48d44cf08a2f6 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:30:46 -0600 Subject: [PATCH 28/65] Update zeek.env.example --- config/zeek.env.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/zeek.env.example b/config/zeek.env.example index 130553949..ff3b192da 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example @@ -82,7 +82,7 @@ ZEEK_DISABLE_SPICY_WIREGUARD= ZEEK_DISABLE_ICS_ALL= ZEEK_DISABLE_ICS_BACNET= ZEEK_DISABLE_ICS_BSAP= -ZEEK_DISABLE_ICS_DNP3= +ZEEK_DISABLE_ICS_DNP3= ZEEK_DISABLE_ICS_ENIP= ZEEK_DISABLE_ICS_ETHERCAT= ZEEK_DISABLE_ICS_GENISYS=true @@ -98,4 +98,4 @@ ZEEK_SYNCHROPHASOR_PORTS= ZEEK_SYNCHROPHASOR_DETAILED= ZEEK_GENISYS_PORTS= ZEEK_ENIP_PORTS= -ZEEK_DISABLE_BEST_GUESS_ICS=true \ No newline at end of file +ZEEK_DISABLE_BEST_GUESS_ICS=true From 3953d1aa42eaa15b407cb4afa51d8bc21a02dd2b Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:31:12 -0600 Subject: [PATCH 29/65] Update local.zeek --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index e9825fa6b..3222e99f8 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -284,7 +284,7 @@ event zeek_init() &priority=-5 { redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef HTTP::log_client_header_names = T; -redef HTTP::log_server_header_names = T +redef HTTP::log_server_header_names = T; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; From f04a9c3944ebd46466319897f1a4f1549487d1e2 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:46:48 -0600 Subject: [PATCH 30/65] Fix whitespace --- shared/bin/zeek-deb-download.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/bin/zeek-deb-download.sh b/shared/bin/zeek-deb-download.sh index 90e9a8308..c695ccad2 100755 --- a/shared/bin/zeek-deb-download.sh +++ b/shared/bin/zeek-deb-download.sh @@ -11,7 +11,6 @@ PRESERVE_HIERARCHY=false ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-} ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE:-} - while getopts a:d:f:ho:u:vz: opts; do case ${opts} in a) ARCH=${OPTARG} ;; From 8d12544d31dc82510c98260823344462da56dc55 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:01:35 -0600 Subject: [PATCH 31/65] Update zeek.env.example From 2df70976e460bb5a35d4743059e987d55d7b1117 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:01:59 -0600 Subject: [PATCH 32/65] Update zeek.env.example From a21a440351534929cc8f0be2df09acf094a7d405 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:02:53 -0600 Subject: [PATCH 33/65] Update local.zeek --- zeek/config/local.zeek | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index d4d35af9b..a2fef6e6c 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -4,7 +4,7 @@ ##! https://docs.zeek.org/en/stable/script-reference/scripts.html ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek -global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; +global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; @@ -44,7 +44,6 @@ global disable_ics_profinet_io_cm = (getenv("ZEEK_DISABLE_ICS_PROFINET_IO_CM") = global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == true_regex) ? T : F; global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == true_regex) ? T : F; - redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; @@ -115,6 +114,7 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F; @load custom event zeek_init() &priority=-5 { + if (zeek_local_nets_str != "") { local nets_strs = split_string(zeek_local_nets_str, /,/); if (|nets_strs| > 0) { From 8493a437f27563e7a7218c9b4866126e3a76d4f9 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:05:14 -0600 Subject: [PATCH 34/65] Update local.zeek --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 1 + 1 file changed, 1 insertion(+) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 3222e99f8..89cf9cd59 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); +global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT")); global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; From f8e89d72d2622e644bd11db439dab28aaabb5a52 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 15 Oct 2024 16:11:54 -0600 Subject: [PATCH 35/65] idaholab/Malcolm#596, fix creation of opensearch anomaly detectors (?) --- dashboards/scripts/shared-object-creation.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh index 8f150b5da..2697518b3 100755 --- a/dashboards/scripts/shared-object-creation.sh +++ b/dashboards/scripts/shared-object-creation.sh @@ -470,8 +470,19 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then # if the file to import is newer than the existing anomaly detector, then update it if (( $DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME )); then - [[ "$DETECTOR_NAME" != "$DUMMY_DETECTOR_NAME" ]] && \ + + # If the detectors have never been started before, we need to import the "dummy" one, + # but only this first time, not on subsequent runs of this script. We can do that + # by checking for the existence of the .opendistro-anomaly-detection-state index. + curl "${CURL_CONFIG_PARAMS[@]}" --head --location --fail --silent --output /dev/null \ + "$OPENSEARCH_URL_TO_USE"/.opendistro-anomaly-detection-state && \ + DETECTORS_STARTED=1 || \ + DETECTORS_STARTED=0 + + # Import the anomaly detector + ( [[ $DETECTORS_STARTED == 0 ]] || [[ "$DETECTOR_NAME" != "$DUMMY_DETECTOR_NAME" ]] ) && \ echo "Importing detector \"${DETECTOR_NAME}\" ($DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME) ..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" \ -H "$XSRF_HEADER:true" -H 'Content-type:application/json' \ @@ -480,7 +491,7 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then done rm -rf "${ANOMALY_IMPORT_DIR}" - # trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created + # Trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created # see: # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/109 # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/155 From 0766fd409023f608d086955710042b17bfd1a58d Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 15 Oct 2024 17:20:37 -0600 Subject: [PATCH 36/65] Documentation addition --- docs/malcolm-config.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 941a2880e..efc206f64 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -130,6 +130,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) + - `ZEEK_JA4SSH_PACKET_COUNT` - the zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets. This sets the value of x (defaults to 200). - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization. - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local From f1efb7df0c5858cce5efeb4af0c40dd1519959d5 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 15 Oct 2024 17:48:17 -0600 Subject: [PATCH 37/65] Add to hedgehog --- hedgehog-iso/interface/sensor_ctl/control_vars.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/hedgehog-iso/interface/sensor_ctl/control_vars.conf b/hedgehog-iso/interface/sensor_ctl/control_vars.conf index 4dd4eac96..d7c9ec680 100644 --- a/hedgehog-iso/interface/sensor_ctl/control_vars.conf +++ b/hedgehog-iso/interface/sensor_ctl/control_vars.conf @@ -145,6 +145,7 @@ export ZEEK_DISABLE_ICS_PROFINET= export ZEEK_DISABLE_ICS_PROFINET_IO_CM= export ZEEK_DISABLE_ICS_S7COMM= export ZEEK_DISABLE_ICS_SYNCHROPHASOR= +export ZEEK_JA4SSH_PACKET_COUNT=200 export ZEEK_SYNCHROPHASOR_PORTS= export ZEEK_SYNCHROPHASOR_DETAILED= export ZEEK_GENISYS_PORTS= From 78e4da9c681001d9748d6a884c9bf60497684b46 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:50:33 -0600 Subject: [PATCH 38/65] Update malcolm-config.md --- docs/malcolm-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index efc206f64..539d2a0b0 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - - `ZEEK_JA4SSH_PACKET_COUNT` - the zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets. This sets the value of x (defaults to 200). + - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets as set here (defaults to 200). - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization. - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local @@ -177,4 +177,4 @@ In instances where Malcolm is deployed with the intention of running indefinitel - `EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS` - the interval between checking the prune conditions, in seconds (default `300`) * [Index management policies](index-management.md) can be handled via plugins provided as part of the OpenSearch and Elasticsearch platforms, respectively. In addition to those tools, the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` variable in **`dashboards-helper.env`** defines a maximum cumulative that OpenSearch indices are allowed to consume before the oldest indices [are deleted]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/opensearch_index_size_prune.py), specified as either as a human-readable data size (e.g., `250G`) or as a percentage of the total disk size (e.g., `70%`): e.g., a value of `500G` means "delete the oldest OpenSearch indices if the total space consumed by Malcolm's indices exceeds five hundred gigabytes." -Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage). \ No newline at end of file +Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage). From 07916b63f8011598d0235affe7620cc261d216b3 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:51:14 -0600 Subject: [PATCH 39/65] Update malcolm-config.md --- docs/malcolm-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 539d2a0b0..e21a45da2 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets as set here (defaults to 200). + - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200). - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization. - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local From abcbdf078c7e201e7f5b8b42a4411f6a1d015d48 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:51:40 -0600 Subject: [PATCH 40/65] Update malcolm-config.md --- docs/malcolm-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index e21a45da2..b80aad384 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) - - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200). + - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200) - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization. - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local From cbb716238e83fa457d137efceeca050b0791f971 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:53:12 -0600 Subject: [PATCH 41/65] Update malcolm-config.md From baf41e938ecf3c62656c5a4f3ffecd76ef61b6a7 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Oct 2024 07:56:56 -0600 Subject: [PATCH 42/65] fix idaholab/Malcolm#596, anomaly detection default detectors are not being created two issues were present: 1. opensearch_status.sh -w was no longer behaving as previously, as now an empty index is being created that doesn't have any events in it (see idaholab/Malcolm#527 and idaholab/Malcolm#567). It's been adjusted so that now it waits for an index with docs.count > 0. 2. The shared_object_creation.sh script needed to create the dummy detector if the .opendistro-anomaly-detection-state doesn't exist, so this check has been put in place --- Dockerfiles/api.Dockerfile | 2 +- Dockerfiles/dashboards.Dockerfile | 2 +- Dockerfiles/dirinit.Dockerfile | 2 +- Dockerfiles/file-upload.Dockerfile | 1 + Dockerfiles/freq.Dockerfile | 1 + Dockerfiles/htadmin.Dockerfile | 1 + Dockerfiles/logstash.Dockerfile | 1 + Dockerfiles/opensearch.Dockerfile | 2 +- Dockerfiles/pcap-capture.Dockerfile | 1 + Dockerfiles/pcap-monitor.Dockerfile | 1 + Dockerfiles/postgresql.Dockerfile | 2 +- Dockerfiles/redis.Dockerfile | 2 +- shared/bin/opensearch_status.sh | 25 ++++++++++++++----------- 13 files changed, 26 insertions(+), 17 deletions(-) diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile index 2542529a2..3793d1d2a 100644 --- a/Dockerfiles/api.Dockerfile +++ b/Dockerfiles/api.Dockerfile @@ -68,7 +68,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apt-get -q update \ && apt-get -y -q --no-install-recommends upgrade \ - && apt-get -y -q --no-install-recommends install curl netcat-openbsd rsync tini \ + && apt-get -y -q --no-install-recommends install curl jq netcat-openbsd rsync tini \ && python3 -m pip install --upgrade pip \ && python3 -m pip install --no-cache /wheels/* \ && groupadd --gid ${DEFAULT_GID} ${PGROUP} \ diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile index 42bf5ae4d..6a82cfe9f 100644 --- a/Dockerfiles/dashboards.Dockerfile +++ b/Dockerfiles/dashboards.Dockerfile @@ -36,7 +36,7 @@ ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSF RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ yum upgrade -y && \ - yum install -y curl-minimal psmisc findutils util-linux openssl rsync python3 zip unzip && \ + yum install -y curl-minimal psmisc findutils util-linux jq openssl rsync python3 zip unzip && \ yum remove -y vim-* && \ usermod -a -G tty ${PUSER} && \ # Malcolm manages authentication and encryption via NGINX reverse proxy diff --git a/Dockerfiles/dirinit.Dockerfile b/Dockerfiles/dirinit.Dockerfile index 060bff7c6..41fdc98eb 100644 --- a/Dockerfiles/dirinit.Dockerfile +++ b/Dockerfiles/dirinit.Dockerfile @@ -25,7 +25,7 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ RUN apk update --no-cache && \ apk upgrade --no-cache && \ - apk --no-cache add bash psmisc rsync shadow tini && \ + apk --no-cache add bash jq psmisc rsync shadow tini && \ addgroup -g ${DEFAULT_GID} ${PGROUP} ; \ adduser -D -H -u ${DEFAULT_UID} -h /nonexistant -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} ; \ addgroup ${PUSER} tty ; \ diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index dea33cfad..c421bceee 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -74,6 +74,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') ca-certificates \ curl \ file \ + jq \ less \ nginx-light \ openssh-server \ diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile index 0ec0786d2..65b90d4ae 100644 --- a/Dockerfiles/freq.Dockerfile +++ b/Dockerfiles/freq.Dockerfile @@ -34,6 +34,7 @@ RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get -y --no-install-recommends install \ curl \ + jq \ procps \ psmisc \ python3 \ diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index 2002411f2..acc8fd560 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile @@ -39,6 +39,7 @@ RUN apt-get -q update && \ apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --no-install-recommends install \ ca-certificates \ curl \ + jq \ libmcrypt-dev \ libmcrypt4 \ make \ diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index b400879ae..11e065e68 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -49,6 +49,7 @@ RUN set -x && \ curl \ gettext \ git \ + jq \ patch \ python3-setuptools \ python3-pip \ diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile index f793630b7..2daa274a5 100644 --- a/Dockerfiles/opensearch.Dockerfile +++ b/Dockerfiles/opensearch.Dockerfile @@ -44,7 +44,7 @@ USER root # Remove the performance-analyzer plugin - Reduce resources in docker image RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ yum upgrade -y && \ - yum install -y openssl util-linux procps rsync findutils && \ + yum install -y openssl util-linux procps jq rsync findutils && \ yum remove -y vim-* && \ /usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \ /usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \ diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index 595d0683a..6f08e70df 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile @@ -67,6 +67,7 @@ RUN apt-get -q update && \ apt-get install --no-install-recommends -y -q \ bc \ ethtool \ + jq \ libcap2-bin \ netsniff-ng \ openssl \ diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index b9cafb981..6b62df402 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -48,6 +48,7 @@ RUN apt-get -q update && \ apt-get install --no-install-recommends -y -q \ file \ inotify-tools \ + jq \ libzmq5 \ procps \ psmisc \ diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index 8a0b2f815..9b30308d9 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile @@ -28,7 +28,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apk update --no-cache && \ apk upgrade --no-cache && \ - apk add --no-cache bash procps psmisc rsync shadow tini && \ + apk add --no-cache bash jq procps psmisc rsync shadow tini && \ apk add --no-cache --virtual .build-deps rsync && \ rsync -a /usr/local/bin/ /usr/bin/ && \ rsync -a /usr/local/share/ /usr/share/ && \ diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile index 863b8f01b..0d45b35ef 100644 --- a/Dockerfiles/redis.Dockerfile +++ b/Dockerfiles/redis.Dockerfile @@ -27,7 +27,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic RUN apk update --no-cache && \ apk upgrade --no-cache && \ - apk --no-cache add bash psmisc rsync shadow tini && \ + apk --no-cache add bash jq psmisc rsync shadow tini && \ addgroup ${PUSER} tty WORKDIR /home/${PUSER} diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh index fb79d34a8..c33d03e5b 100755 --- a/shared/bin/opensearch_status.sh +++ b/shared/bin/opensearch_status.sh @@ -102,21 +102,24 @@ if (( $WAIT_FOR_LOG_DATA == 1 )); then echo "Waiting until $OPENSEARCH_PRIMARY has logs..." >&2 - # wait until at least one network traffic log index exists + # wait until at least one network traffic log index exists (get index count where docs.count > 0) FOUND_INDEX= while true; do - if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN" 2>/dev/null | wc -l) > 0 )); then - FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN" - elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN" 2>/dev/null | wc -l) > 0 )); then - FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN" + # use jq if it's available to parse the machine-readable index list as JSON, fall back to awk if it's not + if command -v jq >/dev/null 2>&1; then + if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN?format=json" 2>/dev/null | jq '[.[] | select(.["docs.count"] != "0")] | length' 2>/dev/null) > 0 )); then + FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN" + elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN?format=json" 2>/dev/null | jq '[.[] | select(.["docs.count"] != "0")] | length' 2>/dev/null) > 0 )); then + FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN" + fi + else + if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN" 2>/dev/null | awk '$7 != "0"' | wc -l) > 0 )); then + FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN" + elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN" 2>/dev/null | awk '$7 != "0"' | wc -l) > 0 )); then + FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN" + fi fi [[ -n "$FOUND_INDEX" ]] && break || sleep 5 done - echo "Log indices exist." >&2 - - # wait until at least one record with @timestamp exists - until curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XPOST "$OPENSEARCH_URL/$FOUND_INDEX/_search" -d'{ "sort": { "@timestamp" : "desc" }, "size" : 1 }' >/dev/null 2>&1 ; do - sleep 5 - done echo "Logs exist." >&2 fi \ No newline at end of file From a8ce42c021ed3f4302c8889cb89c7544187e3974 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Oct 2024 08:22:40 -0600 Subject: [PATCH 43/65] final tweak for idaholab/Maclolm#596, fixing anomaly detector creation --- dashboards/scripts/shared-object-creation.sh | 68 ++++++++++---------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh index 2697518b3..bc966504f 100755 --- a/dashboards/scripts/shared-object-creation.sh +++ b/dashboards/scripts/shared-object-creation.sh @@ -447,6 +447,14 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then echo "Creating $DATASTORE_TYPE anomaly detectors..." + # If the detectors have never been started before, we need to import the "dummy" one, + # but only this first time, not on subsequent runs of this script. We can do that + # by checking for the existence of the .opendistro-anomaly-detection-state index. + curl "${CURL_CONFIG_PARAMS[@]}" --head --location --fail --silent --output /dev/null \ + "$OPENSEARCH_URL_TO_USE"/.opendistro-anomaly-detection-state && \ + DETECTORS_STARTED=1 || \ + DETECTORS_STARTED=0 + # Create anomaly detectors here ANOMALY_IMPORT_DIR="$(mktemp -d -t anomaly-XXXXXX)" rsync -a /opt/anomaly_detectors/ "$ANOMALY_IMPORT_DIR"/ @@ -471,22 +479,13 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then # if the file to import is newer than the existing anomaly detector, then update it if (( $DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME )); then - # If the detectors have never been started before, we need to import the "dummy" one, - # but only this first time, not on subsequent runs of this script. We can do that - # by checking for the existence of the .opendistro-anomaly-detection-state index. - curl "${CURL_CONFIG_PARAMS[@]}" --head --location --fail --silent --output /dev/null \ - "$OPENSEARCH_URL_TO_USE"/.opendistro-anomaly-detection-state && \ - DETECTORS_STARTED=1 || \ - DETECTORS_STARTED=0 - # Import the anomaly detector ( [[ $DETECTORS_STARTED == 0 ]] || [[ "$DETECTOR_NAME" != "$DUMMY_DETECTOR_NAME" ]] ) && \ - echo "Importing detector \"${DETECTOR_NAME}\" ($DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME) ..." - - curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ - -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" \ - -H "$XSRF_HEADER:true" -H 'Content-type:application/json' \ - -d "@$i" + echo "Importing detector \"${DETECTOR_NAME}\" ($DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME) ..." && \ + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' \ + -d "@$i" fi done rm -rf "${ANOMALY_IMPORT_DIR}" @@ -497,25 +496,28 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/155 # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/156 # - https://discuss.opendistrocommunity.dev/t/errors-opening-anomaly-detection-plugin-for-dashboards-after-creation-via-api/7711 - set +e - DUMMY_DETECTOR_ID="" - until [[ -n "$DUMMY_DETECTOR_ID" ]]; do - sleep 5 - DUMMY_DETECTOR_ID="$(curl "${CURL_CONFIG_PARAMS[@]}" --location --fail --silent -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/_search" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? // empty' 2>/dev/null | head -n 1 | tr -d '"')" - done - set -e - if [[ -n "$DUMMY_DETECTOR_ID" ]]; then - curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error -XPOST \ - "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" \ - -H "$XSRF_HEADER:true" -H 'Content-type:application/json' - sleep 10 - curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ - -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" \ - -H "$XSRF_HEADER:true" -H 'Content-type:application/json' - sleep 10 - curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ - -XDELETE "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" \ - -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + if [[ $DETECTORS_STARTED == 0 ]]; then + set +e + DUMMY_DETECTOR_ID="" + until [[ -n "$DUMMY_DETECTOR_ID" ]]; do + sleep 5 + DUMMY_DETECTOR_ID="$(curl "${CURL_CONFIG_PARAMS[@]}" --location --fail --silent -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/_search" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? // empty' 2>/dev/null | head -n 1 | tr -d '"')" + done + set -e + if [[ -n "$DUMMY_DETECTOR_ID" ]]; then + echo "Starting $DUMMY_DETECTOR_NAME to initialize anomaly detector engine..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error -XPOST \ + "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + sleep 10 + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + sleep 10 + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XDELETE "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + fi fi echo "$DATASTORE_TYPE anomaly detectors creation complete!" From 412dc1d184dcab31c539f6dcb7c1c74e304c8413 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Oct 2024 11:19:37 -0600 Subject: [PATCH 44/65] some code cleanup, moving things out of 'shared' that don't need to be in 'shared' --- .github/workflows/api-build-and-push-ghcr.yml | 3 --- .github/workflows/arkime-build-and-push-ghcr.yml | 3 --- .github/workflows/dashboards-build-and-push-ghcr.yml | 3 --- .github/workflows/dashboards-helper-build-and-push-ghcr.yml | 3 --- .github/workflows/file-monitor-build-and-push-ghcr.yml | 3 --- .github/workflows/file-upload-build-and-push-ghcr.yml | 3 --- .github/workflows/filebeat-build-and-push-ghcr.yml | 3 --- .github/workflows/freq-build-and-push-ghcr.yml | 3 --- .github/workflows/htadmin-build-and-push-ghcr.yml | 3 --- .github/workflows/logstash-build-and-push-ghcr.yml | 3 --- .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml | 1 - .github/workflows/netbox-build-and-push-ghcr.yml | 3 --- .github/workflows/nginx-build-and-push-ghcr.yml | 3 --- .github/workflows/opensearch-build-and-push-ghcr.yml | 3 --- .github/workflows/pcap-capture-build-and-push-ghcr.yml | 3 --- .github/workflows/pcap-monitor-build-and-push-ghcr.yml | 3 --- .github/workflows/postgresql-build-and-push-ghcr.yml | 3 --- .github/workflows/redis-build-and-push-ghcr.yml | 3 --- .github/workflows/suricata-build-and-push-ghcr.yml | 3 --- .github/workflows/zeek-build-and-push-ghcr.yml | 3 --- Dockerfiles/dashboards-helper.Dockerfile | 2 -- Dockerfiles/logstash.Dockerfile | 1 - .../bin => dashboards/scripts}/opensearch_index_size_prune.py | 0 {shared/bin => dashboards/scripts}/opensearch_read_only.py | 0 docs/malcolm-config.md | 2 +- .../config/includes.chroot/usr/local}/bin/configure-capture.py | 0 .../config/includes.chroot/usr/local}/bin/sensor-init.sh | 0 .../includes.chroot/usr/local}/bin/ufw_allow_requests.sh | 0 {shared/bin => logstash/scripts}/manuf-oui-parse.py | 0 .../config/includes.chroot/usr/local}/bin/agg-init.sh | 0 .../config/includes.chroot/usr/local}/bin/docker-load-wait.sh | 0 .../usr/local}/bin/malcolm-first-run-configure.sh | 0 .../includes.chroot/usr/local}/bin/set-malcolm-gtk-bookmark.sh | 0 {shared/bin => scripts}/ics-oui-parse.py | 0 shared/bin/capa-build.sh | 0 shared/bin/keystore-bootstrap.sh | 0 36 files changed, 1 insertion(+), 62 deletions(-) rename {shared/bin => dashboards/scripts}/opensearch_index_size_prune.py (100%) rename {shared/bin => dashboards/scripts}/opensearch_read_only.py (100%) rename {shared => hedgehog-iso/config/includes.chroot/usr/local}/bin/configure-capture.py (100%) rename {shared => hedgehog-iso/config/includes.chroot/usr/local}/bin/sensor-init.sh (100%) rename {shared => hedgehog-iso/config/includes.chroot/usr/local}/bin/ufw_allow_requests.sh (100%) rename {shared/bin => logstash/scripts}/manuf-oui-parse.py (100%) rename {shared => malcolm-iso/config/includes.chroot/usr/local}/bin/agg-init.sh (100%) rename {shared => malcolm-iso/config/includes.chroot/usr/local}/bin/docker-load-wait.sh (100%) rename {shared => malcolm-iso/config/includes.chroot/usr/local}/bin/malcolm-first-run-configure.sh (100%) rename {shared => malcolm-iso/config/includes.chroot/usr/local}/bin/set-malcolm-gtk-bookmark.sh (100%) rename {shared/bin => scripts}/ics-oui-parse.py (100%) mode change 100644 => 100755 shared/bin/capa-build.sh mode change 100644 => 100755 shared/bin/keystore-bootstrap.sh diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index b3b80ad35..9768c749f 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'api/**' - 'Dockerfiles/api.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index 6202c0138..b3e96c275 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'arkime/**' - 'Dockerfiles/arkime.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index 52706f552..dcc4b8420 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'dashboards/**' - 'Dockerfiles/dashboards.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index 4afffa301..5d49c5e04 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'dashboards/**' - 'Dockerfiles/dashboards-helper.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index 867e8ebc8..4219cbf87 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -9,13 +9,10 @@ on: - 'file-monitor/**' - 'Dockerfiles/file-monitor.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*.sh' - '.trigger_workflow_build' diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index 727280a0f..fb0a60067 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'file-upload/**' - 'Dockerfiles/file-upload.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index e43152c86..47759d34b 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'filebeat/**' - 'Dockerfiles/filebeat.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index acdc4f6e8..4c359f714 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'freq-server/**' - 'Dockerfiles/freq.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index dbcb71779..0bf33fec7 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'htadmin/**' - 'Dockerfiles/htadmin.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index 407c302ae..e835829a6 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'logstash/**' - 'Dockerfiles/logstash.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '!shared/bin/zeek*' - '.trigger_workflow_build' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index 01b4ff5a1..cb5e69eb1 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -9,7 +9,6 @@ on: - 'malcolm-iso/**' - 'shared/bin/*' - '!shared/bin/capa-build.sh' - - '!shared/bin/configure-capture.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/zeek*' diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index 5063f5787..8a9e9c922 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'netbox/**' - 'Dockerfiles/netbox.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index eb8d89012..6758e023e 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'nginx/**' - 'Dockerfiles/nginx.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index d3c1f52b5..3253ac8ae 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -8,16 +8,13 @@ on: paths: - 'Dockerfiles/opensearch.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 3d0bf4e7f..6e5ce485d 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'pcap-capture/**' - 'Dockerfiles/pcap-capture.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index f66cb71a1..24a54ccbe 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'pcap-monitor/**' - 'Dockerfiles/pcap-monitor.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index 9369feff2..d10e377d0 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -8,16 +8,13 @@ on: paths: - 'Dockerfiles/postgresql.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index 635728f2f..060a5c056 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml @@ -8,16 +8,13 @@ on: paths: - 'Dockerfiles/redis.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_workflow_build' diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index ec6ebadc6..01b83f663 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'suricata/**' - 'Dockerfiles/suricata.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '.trigger_workflow_build' workflow_dispatch: diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index 8d2dda621..64126d69c 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml @@ -9,16 +9,13 @@ on: - 'zeek/**' - 'Dockerfiles/zeek.Dockerfile' - 'shared/bin/*' - - '!shared/bin/agg-init.sh' - '!shared/bin/capa-build.sh' - '!shared/bin/common-init.sh' - - '!shared/bin/sensor-init.sh' - '!shared/bin/os-disk-config.py' - '!shared/bin/extracted_files_http_server.py' - '!shared/bin/web-ui-asset-download.sh' - '!shared/bin/preseed_late_user_config.sh' - '!shared/bin/configure-interfaces.py' - - '!shared/bin/configure-capture.py' - '!shared/bin/suricata*' - '.trigger_workflow_build' workflow_dispatch: diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index 543049c41..bc7305167 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile +++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -60,8 +60,6 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic COPY --chmod=755 shared/bin/opensearch_status.sh /data/ -COPY --chmod=755 shared/bin/opensearch_index_size_prune.py /data/ -COPY --chmod=755 shared/bin/opensearch_read_only.py /data/ ADD scripts/malcolm_utils.py /data/ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \ diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 11e065e68..5a34ca7d8 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -83,7 +83,6 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --chmod=755 shared/bin/opensearch_status.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic -COPY --chmod=755 shared/bin/manuf-oui-parse.py /usr/local/bin/ COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ COPY --chmod=755 shared/bin/keystore-bootstrap.sh /usr/local/bin/ ADD logstash/maps/*.yaml /etc/ diff --git a/shared/bin/opensearch_index_size_prune.py b/dashboards/scripts/opensearch_index_size_prune.py similarity index 100% rename from shared/bin/opensearch_index_size_prune.py rename to dashboards/scripts/opensearch_index_size_prune.py diff --git a/shared/bin/opensearch_read_only.py b/dashboards/scripts/opensearch_read_only.py similarity index 100% rename from shared/bin/opensearch_read_only.py rename to dashboards/scripts/opensearch_read_only.py diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 653251002..b598dc06e 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md @@ -175,6 +175,6 @@ In instances where Malcolm is deployed with the intention of running indefinitel - `EXTRACTED_FILE_PRUNE_THRESHOLD_MAX_SIZE` - specifies the maximum size, specified either in gigabytes or as a human-readable data size (e.g., `250G`), that the `./zeek-logs/extract_files/` directory is allowed to contain before the prune condition triggers - `EXTRACTED_FILE_PRUNE_THRESHOLD_TOTAL_DISK_USAGE_PERCENT` - specifies a maximum fill percentage for the file system containing the `./zeek-logs/extract_files/`; in other words, if the disk is more than this percentage utilized, the prune condition triggers - `EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS` - the interval between checking the prune conditions, in seconds (default `300`) -* [Index management policies](index-management.md) can be handled via plugins provided as part of the OpenSearch and Elasticsearch platforms, respectively. In addition to those tools, the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` variable in **`dashboards-helper.env`** defines a maximum cumulative that OpenSearch indices are allowed to consume before the oldest indices [are deleted]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/opensearch_index_size_prune.py), specified as either as a human-readable data size (e.g., `250G`) or as a percentage of the total disk size (e.g., `70%`): e.g., a value of `500G` means "delete the oldest OpenSearch indices if the total space consumed by Malcolm's indices exceeds five hundred gigabytes." +* [Index management policies](index-management.md) can be handled via plugins provided as part of the OpenSearch and Elasticsearch platforms, respectively. In addition to those tools, the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` variable in **`dashboards-helper.env`** defines a maximum cumulative that OpenSearch indices are allowed to consume before the oldest indices [are deleted]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/dashboards/scripts/opensearch_index_size_prune.py), specified as either as a human-readable data size (e.g., `250G`) or as a percentage of the total disk size (e.g., `70%`): e.g., a value of `500G` means "delete the oldest OpenSearch indices if the total space consumed by Malcolm's indices exceeds five hundred gigabytes." Similar settings exist for managing disk usage on [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage). diff --git a/shared/bin/configure-capture.py b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py similarity index 100% rename from shared/bin/configure-capture.py rename to hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py diff --git a/shared/bin/sensor-init.sh b/hedgehog-iso/config/includes.chroot/usr/local/bin/sensor-init.sh similarity index 100% rename from shared/bin/sensor-init.sh rename to hedgehog-iso/config/includes.chroot/usr/local/bin/sensor-init.sh diff --git a/shared/bin/ufw_allow_requests.sh b/hedgehog-iso/config/includes.chroot/usr/local/bin/ufw_allow_requests.sh similarity index 100% rename from shared/bin/ufw_allow_requests.sh rename to hedgehog-iso/config/includes.chroot/usr/local/bin/ufw_allow_requests.sh diff --git a/shared/bin/manuf-oui-parse.py b/logstash/scripts/manuf-oui-parse.py similarity index 100% rename from shared/bin/manuf-oui-parse.py rename to logstash/scripts/manuf-oui-parse.py diff --git a/shared/bin/agg-init.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/agg-init.sh similarity index 100% rename from shared/bin/agg-init.sh rename to malcolm-iso/config/includes.chroot/usr/local/bin/agg-init.sh diff --git a/shared/bin/docker-load-wait.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/docker-load-wait.sh similarity index 100% rename from shared/bin/docker-load-wait.sh rename to malcolm-iso/config/includes.chroot/usr/local/bin/docker-load-wait.sh diff --git a/shared/bin/malcolm-first-run-configure.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/malcolm-first-run-configure.sh similarity index 100% rename from shared/bin/malcolm-first-run-configure.sh rename to malcolm-iso/config/includes.chroot/usr/local/bin/malcolm-first-run-configure.sh diff --git a/shared/bin/set-malcolm-gtk-bookmark.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/set-malcolm-gtk-bookmark.sh similarity index 100% rename from shared/bin/set-malcolm-gtk-bookmark.sh rename to malcolm-iso/config/includes.chroot/usr/local/bin/set-malcolm-gtk-bookmark.sh diff --git a/shared/bin/ics-oui-parse.py b/scripts/ics-oui-parse.py similarity index 100% rename from shared/bin/ics-oui-parse.py rename to scripts/ics-oui-parse.py diff --git a/shared/bin/capa-build.sh b/shared/bin/capa-build.sh old mode 100644 new mode 100755 diff --git a/shared/bin/keystore-bootstrap.sh b/shared/bin/keystore-bootstrap.sh old mode 100644 new mode 100755 From 9779364556e060a2cf3b7cedd1b7ec6df6062620 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Oct 2024 12:12:54 -0600 Subject: [PATCH 45/65] Work in progress for #570, allow tagging per capture interface on Hedgehog Linux sensor --- .../usr/local/bin/configure-capture.py | 74 ++++++++++++++----- 1 file changed, 56 insertions(+), 18 deletions(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py index c71660e88..64b53d2ff 100755 --- a/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py +++ b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py @@ -173,7 +173,13 @@ class Constants: ) MSG_CONFIG_ARKIME_VIEWER_PASSWORD = 'Specify password hash secret for Arkime viewer cluster' MSG_CONFIG_REQUEST_ACL = 'Specify IP addresses for ACL for artifact reachback from Malcolm (one per line)' - MSG_CONFIG_EXTRA_TAGS = 'Specify extra tags for logs forwarded to Malcolm (one per line)' + MSG_CONFIG_EXTRA_TAGS = ( + 'Specify extra tags for logs (captured on all interfaces) forwarded to Malcolm (one per line)' + ) + MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE_PROMPT = 'Specify per-interface extra tags?' + MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE = ( + 'Specify extra tags for logs (captured on {}) forwarded to Malcolm (one per line)' + ) MSG_ERR_PLEBE_REQUIRED = 'this utility should be be run as non-privileged user' MSG_ERROR_DIR_NOT_FOUND = 'One or more of the paths specified does not exist' MSG_ERROR_FILE_NOT_FOUND = 'One or more of the files specified does not exist' @@ -1309,28 +1315,60 @@ def main(): elif fwd_mode == Constants.TAGS_CONFIGURE: - # get list of tags for logs forwarded to Malcolm - lines = previous_config_values[Constants.MALCOLM_EXTRA_TAGS].split(",") - code, lines = d.editbox_str( - "\n".join(list(filter(None, list(set(lines))))), title=Constants.MSG_CONFIG_EXTRA_TAGS + # get list of tags for logs forwarded to Malcolm into a dictionary like: + # { + # '': ['global1', 'global2', 'global3'], + # 'eth0': ['specific1', 'specific2'], + # 'eth1': ['specific3', 'specific4'] + # } + prev_tags = defaultdict(lambda: []) + new_tags = defaultdict(lambda: []) + + # pre-load previous config values + for item in previous_config_values[Constants.MALCOLM_EXTRA_TAGS].split(","): + if ':' in item: + name, value = item.split(':', 1) + prev_tags[name].append(value) + else: + prev_tags[''].append(value) + + # ask for the global tags + code, new_tags_all_ifaces = d.editbox_str( + "\n".join(list(filter(None, list(set(prev_tags['']))))), title=Constants.MSG_CONFIG_EXTRA_TAGS ) - if code != Dialog.OK: + if code == Dialog.OK: + new_tags[''] = new_tags_all_ifaces.split('\n') + else: raise CancelledError - # modify specified tags array value in-place in SENSOR_CAPTURE_CONFIG file + # ask for the interface-specific tags + if ( + d.yesno(Constants.MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE_PROMPT, yes_label="No", no_label="Yes") + == Dialog.OK + ): + # previously used capture interfaces + capture_ifaces = set([x.strip() for x in capture_config_dict["CAPTURE_INTERFACE"].split(',')]) + if not capture_ifaces: + capture_ifaces = [adapter.name for adapter in get_available_adapters()] + for iface_name in capture_ifaces: + code, new_tags_one_iface = d.editbox_str( + "\n".join(list(filter(None, list(set(prev_tags[iface_name]))))), + title=Constants.MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE.format(iface_name), + ) + if code == Dialog.OK: + new_tags[iface_name] = new_tags_one_iface.split('\n') + else: + raise CancelledError + + # modify specified tags array value in-place in SENSOR_CAPTURE_CONFIG file, + # formatted like global1,global2,global3,eth0:specific1,eth0:specific2,eth1:specific3,eth1:specific4 + new_tags = { + key: list(set([re.sub(r'[^A-Za-z0-9 ._-]', '', s.strip()) for s in value])) + for key, value in new_tags.items() + } newTagsValsDict = { Constants.MALCOLM_EXTRA_TAGS: ','.join( - [ - tag - for tag in list( - set( - filter( - None, - [re.sub(r'[^A-Za-z0-9 ._-]', '', x.strip()) for x in lines.split('\n')], - ) - ) - ) - ] + [f"{key}:{value}" if key else value for key, values in new_tags.items() for value in values] ) } rewrite_dict_to_file(newTagsValsDict, Constants.SENSOR_CAPTURE_CONFIG) From dc2810392cb115614591fa1d0d9594f392529f8f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 16 Oct 2024 15:43:48 -0600 Subject: [PATCH 46/65] work in progress on idaholab/Malcolm#570 --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 5 +++++ shared/bin/zeekdeploy.sh | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 89cf9cd59..86cd0c582 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -47,6 +47,11 @@ global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; +global zeek_capture_interface = getenv("ZEEK_CAPTURE_INTERFACE"); +@if (zeek_capture_interface != "") + redef Log::default_logdir = zeek_capture_interface; +@endif + global capture_filter_str = getenv("CAPTURE_FILTER"); @if (capture_filter_str != "") redef restrict_filters += { ["user-defined capture filter"] = capture_filter_str }; diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh index 2c977f4be..c931e592c 100755 --- a/shared/bin/zeekdeploy.sh +++ b/shared/bin/zeekdeploy.sh @@ -301,7 +301,7 @@ for IFACE in ${CAPTURE_INTERFACE//,/ }; do type=worker host=localhost interface=$IFACE -env_vars=ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH +env_vars=ZEEK_CAPTURE_INTERFACE=$IFACE,ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH EOF # if af_packet is available in the kernel, write it out as well if [ $AF_PACKET_SUPPORT -gt 0 ] && [ $WORKER_LB_PROCS -gt 0 ]; then From 5a5064180f0c471392ccbc3ac054246543ca2287 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Oct 2024 08:22:41 -0600 Subject: [PATCH 47/65] bump logstash and beats to 8.15.3 --- Dockerfiles/filebeat.Dockerfile | 2 +- Dockerfiles/logstash.Dockerfile | 2 +- hedgehog-iso/build.sh | 2 +- hedgehog-raspi/sensor_install.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 378e8146c..9f496c004 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.15.2 +FROM docker.elastic.co/beats/filebeat-oss:8.15.3 # Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 5a34ca7d8..a7ba388f4 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/logstash/logstash-oss:8.15.2 +FROM docker.elastic.co/logstash/logstash-oss:8.15.3 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/hedgehog-iso/build.sh b/hedgehog-iso/build.sh index 4c8234ad2..d2b0d0bf2 100755 --- a/hedgehog-iso/build.sh +++ b/hedgehog-iso/build.sh @@ -5,7 +5,7 @@ IMAGE_PUBLISHER=idaholab IMAGE_VERSION=1.0.0 IMAGE_DISTRIBUTION=bookworm -BEATS_VER="8.15.2" +BEATS_VER="8.15.3" BEATS_OSS="-oss" ARKIME_VER="5.4.0" diff --git a/hedgehog-raspi/sensor_install.sh b/hedgehog-raspi/sensor_install.sh index c2d2a106b..0b3cf187f 100644 --- a/hedgehog-raspi/sensor_install.sh +++ b/hedgehog-raspi/sensor_install.sh @@ -34,7 +34,7 @@ SENSOR_DIR='/opt/sensor' ARKIME_VERSION="5.4.0" -BEATS_VER="8.15.2" +BEATS_VER="8.15.3" BEATS_OSS="-oss" # Option to build from sources if desired From 914e600c2894ad130dda4a68b1a55485473bcad8 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Oct 2024 09:47:52 -0600 Subject: [PATCH 48/65] fix hedgehog local.zeek for idaholab/Malcolm#508, ssh packet count variable was used with the wrong name --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 86cd0c582..0c7fb55f1 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -288,7 +288,7 @@ event zeek_init() &priority=-5 { redef LDAP::default_capture_password = T; @endif -redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; redef HTTP::log_client_header_names = T; redef HTTP::log_server_header_names = T; redef LDAP::default_log_search_attributes = F; From 0f669e5c2c34e7d60bcb1bfa1f1febf14a4f67bd Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Oct 2024 10:18:34 -0600 Subject: [PATCH 49/65] Revert "work in progress on idaholab/Malcolm#570" This reverts commit dc2810392cb115614591fa1d0d9594f392529f8f. --- .../usr/local/bin/configure-capture.py | 74 +++++-------------- .../usr/local/etc/zeek/local.zeek | 5 -- 2 files changed, 18 insertions(+), 61 deletions(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py index 64b53d2ff..c71660e88 100755 --- a/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py +++ b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py @@ -173,13 +173,7 @@ class Constants: ) MSG_CONFIG_ARKIME_VIEWER_PASSWORD = 'Specify password hash secret for Arkime viewer cluster' MSG_CONFIG_REQUEST_ACL = 'Specify IP addresses for ACL for artifact reachback from Malcolm (one per line)' - MSG_CONFIG_EXTRA_TAGS = ( - 'Specify extra tags for logs (captured on all interfaces) forwarded to Malcolm (one per line)' - ) - MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE_PROMPT = 'Specify per-interface extra tags?' - MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE = ( - 'Specify extra tags for logs (captured on {}) forwarded to Malcolm (one per line)' - ) + MSG_CONFIG_EXTRA_TAGS = 'Specify extra tags for logs forwarded to Malcolm (one per line)' MSG_ERR_PLEBE_REQUIRED = 'this utility should be be run as non-privileged user' MSG_ERROR_DIR_NOT_FOUND = 'One or more of the paths specified does not exist' MSG_ERROR_FILE_NOT_FOUND = 'One or more of the files specified does not exist' @@ -1315,60 +1309,28 @@ def main(): elif fwd_mode == Constants.TAGS_CONFIGURE: - # get list of tags for logs forwarded to Malcolm into a dictionary like: - # { - # '': ['global1', 'global2', 'global3'], - # 'eth0': ['specific1', 'specific2'], - # 'eth1': ['specific3', 'specific4'] - # } - prev_tags = defaultdict(lambda: []) - new_tags = defaultdict(lambda: []) - - # pre-load previous config values - for item in previous_config_values[Constants.MALCOLM_EXTRA_TAGS].split(","): - if ':' in item: - name, value = item.split(':', 1) - prev_tags[name].append(value) - else: - prev_tags[''].append(value) - - # ask for the global tags - code, new_tags_all_ifaces = d.editbox_str( - "\n".join(list(filter(None, list(set(prev_tags['']))))), title=Constants.MSG_CONFIG_EXTRA_TAGS + # get list of tags for logs forwarded to Malcolm + lines = previous_config_values[Constants.MALCOLM_EXTRA_TAGS].split(",") + code, lines = d.editbox_str( + "\n".join(list(filter(None, list(set(lines))))), title=Constants.MSG_CONFIG_EXTRA_TAGS ) - if code == Dialog.OK: - new_tags[''] = new_tags_all_ifaces.split('\n') - else: + if code != Dialog.OK: raise CancelledError - # ask for the interface-specific tags - if ( - d.yesno(Constants.MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE_PROMPT, yes_label="No", no_label="Yes") - == Dialog.OK - ): - # previously used capture interfaces - capture_ifaces = set([x.strip() for x in capture_config_dict["CAPTURE_INTERFACE"].split(',')]) - if not capture_ifaces: - capture_ifaces = [adapter.name for adapter in get_available_adapters()] - for iface_name in capture_ifaces: - code, new_tags_one_iface = d.editbox_str( - "\n".join(list(filter(None, list(set(prev_tags[iface_name]))))), - title=Constants.MSG_CONFIG_EXTRA_TAGS_PER_INTERFACE.format(iface_name), - ) - if code == Dialog.OK: - new_tags[iface_name] = new_tags_one_iface.split('\n') - else: - raise CancelledError - - # modify specified tags array value in-place in SENSOR_CAPTURE_CONFIG file, - # formatted like global1,global2,global3,eth0:specific1,eth0:specific2,eth1:specific3,eth1:specific4 - new_tags = { - key: list(set([re.sub(r'[^A-Za-z0-9 ._-]', '', s.strip()) for s in value])) - for key, value in new_tags.items() - } + # modify specified tags array value in-place in SENSOR_CAPTURE_CONFIG file newTagsValsDict = { Constants.MALCOLM_EXTRA_TAGS: ','.join( - [f"{key}:{value}" if key else value for key, values in new_tags.items() for value in values] + [ + tag + for tag in list( + set( + filter( + None, + [re.sub(r'[^A-Za-z0-9 ._-]', '', x.strip()) for x in lines.split('\n')], + ) + ) + ) + ] ) } rewrite_dict_to_file(newTagsValsDict, Constants.SENSOR_CAPTURE_CONFIG) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 0c7fb55f1..e456d7d15 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -47,11 +47,6 @@ global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; -global zeek_capture_interface = getenv("ZEEK_CAPTURE_INTERFACE"); -@if (zeek_capture_interface != "") - redef Log::default_logdir = zeek_capture_interface; -@endif - global capture_filter_str = getenv("CAPTURE_FILTER"); @if (capture_filter_str != "") redef restrict_filters += { ["user-defined capture filter"] = capture_filter_str }; From 87e2dbe03bb2f4ae545d8d0d12555e7d96d2ff26 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Oct 2024 10:26:49 -0600 Subject: [PATCH 50/65] proto field is no longer hard-coded in hart-ip and profinet-io-cm parsers --- .../pipelines/zeek/1027_zeek_hart_ip.conf | 29 ++----------------- .../pipelines/zeek/1046_zeek_profinet.conf | 5 +--- 2 files changed, 4 insertions(+), 30 deletions(-) diff --git a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf index 3df8e4445..fbe84e04f 100644 --- a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf +++ b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf @@ -39,12 +39,9 @@ filter { add_tag => [ "ics" ] } - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - # The other fields are basically just placeholders we don't want to store the raw data for. - mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto" - remove_field => [ "[zeek_cols][proto]", - "[zeek][hart_ip][token_passing_pdu_contents_data_data]", + # These fields are basically just placeholders we don't want to store the raw data for. + mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_useless" + remove_field => [ "[zeek][hart_ip][token_passing_pdu_contents_data_data]", "[zeek][hart_ip][message_packet_bytes]", "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] } @@ -83,11 +80,6 @@ filter { add_tag => [ "ics" ] } - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - } else if ([log_source] == "hart_ip") { ############################################################################################################################# # hart_ip.log @@ -122,11 +114,6 @@ filter { add_tag => [ "ics" ] } - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - } else if ([log_source] == "hart_ip_session_record") { ############################################################################################################################# # hart_ip_session_record.log @@ -161,11 +148,6 @@ filter { add_tag => [ "ics" ] } - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - } else if ([log_source] == "hart_ip_universal_commands") { ############################################################################################################################# # hart_ip_universal_commands.log @@ -200,11 +182,6 @@ filter { add_tag => [ "ics" ] } - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - } } # end Filter diff --git a/logstash/pipelines/zeek/1046_zeek_profinet.conf b/logstash/pipelines/zeek/1046_zeek_profinet.conf index e02d05afc..f823d9a6e 100644 --- a/logstash/pipelines/zeek/1046_zeek_profinet.conf +++ b/logstash/pipelines/zeek/1046_zeek_profinet.conf @@ -103,10 +103,7 @@ filter { } mutate { - id => "mutate_add_fields_zeek_profinet_io_cm" - add_field => { - "[zeek_cols][proto]" => "udp" - } + id => "mutate_add_ics_tag_zeek_profinet_io_cm" add_tag => [ "ics" ] } From 3829327b3ceb30258036a4d078ace4ffe08ea865 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Thu, 17 Oct 2024 12:28:16 -0600 Subject: [PATCH 51/65] change shell script permissions in file-monitor docker image to 755 instead of 777 (idaholab/Malcolm#328, hardening) --- Dockerfiles/file-monitor.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index f68858fb3..af9277a62 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile @@ -105,7 +105,7 @@ ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$ ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ -COPY --chmod=777 shared/bin/capa-build.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/capa-build.sh /usr/local/bin/ ADD nginx/landingpage/css "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/css" ADD nginx/landingpage/js "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/js" ADD --chmod=644 docs/images/logo/Malcolm_background.png "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/assets/img/bg-masthead.png" From 0c2612fc2b1c2e81c9420e7b6693d4ecb4bc1e3f Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 21 Oct 2024 08:29:43 -0600 Subject: [PATCH 52/65] don't prompt for docker vs. podman if we are in the Malcolm installation ISO, which we know is docker --- scripts/install.py | 18 +++++++++++------- scripts/malcolm_common.py | 8 ++++++++ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/scripts/install.py b/scripts/install.py index eb0a714e0..52879e881 100755 --- a/scripts/install.py +++ b/scripts/install.py @@ -48,6 +48,7 @@ DotEnvDynamic, DownloadToFile, DumpYaml, + GetPlatformOSRelease, HOMEBREW_INSTALL_URLS, KubernetesDynamic, LoadYaml, @@ -4613,13 +4614,16 @@ def main(): # installer = WindowsInstaller(orchMode, debug=args.debug, configOnly=args.configOnly) if orchMode == OrchestrationFramework.DOCKER_COMPOSE: - runtimeOptions = ('docker', 'podman') - loopBreaker = CountUntilException(MaxAskForValueCount) - while (args.runtimeBin not in runtimeOptions) and loopBreaker.increment(): - args.runtimeBin = InstallerChooseOne( - 'Select container runtime engine', - choices=[(x, '', x == runtimeOptions[0]) for x in runtimeOptions], - ) + if GetPlatformOSRelease() == 'hedgehog-malcolm': + args.runtimeBin = 'docker' + else: + runtimeOptions = ('docker', 'podman') + loopBreaker = CountUntilException(MaxAskForValueCount) + while (args.runtimeBin not in runtimeOptions) and loopBreaker.increment(): + args.runtimeBin = InstallerChooseOne( + 'Select container runtime engine', + choices=[(x, '', x == runtimeOptions[0]) for x in runtimeOptions], + ) if args.debug: eprint(f"Container engine: {args.runtimeBin}") diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index eb9d734ef..52127daf9 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -156,6 +156,14 @@ class OrchestrationFramework(Flag): OrchestrationFrameworksSupported = OrchestrationFramework.DOCKER_COMPOSE | OrchestrationFramework.KUBERNETES +################################################################################################## +def GetPlatformOSRelease(): + try: + return platform.freedesktop_os_release().get('VARIANT_ID', None) + except Exception: + return None + + ################################################################################################## def LocalPathForContainerBindMount(service, dockerComposeContents, containerPath, localBasePath=None): localPath = None From c91ab891046f350cb4276ea8e9c8d4b5b1698932 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 21 Oct 2024 13:09:16 -0600 Subject: [PATCH 53/65] changes for review of hardening, idaholab/Malcolm#328 --- Dockerfiles/postgresql.Dockerfile | 1 + docs/hardening.md | 10 ++++++++++ docs/hedgehog-hardening.md | 10 ++++++++++ .../etc/audit/rules.d/audit.rules | 20 +++++++++++++++++++ .../config/package-lists/system.list.chroot | 1 - .../etc/audit/rules.d/audit.rules | 20 +++++++++++++++++++ .../config/package-lists/system.list.chroot | 1 - shared/bin/common-init.sh | 4 +++- 8 files changed, 64 insertions(+), 3 deletions(-) diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index 9b30308d9..1328344a5 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile @@ -37,6 +37,7 @@ RUN apk update --no-cache && \ ln -s /usr/bin /usr/local/bin && \ ln -s /usr/share /usr/local/share && \ ln -s /usr/lib /usr/local/lib && \ + chmod 00775 /var/lib/postgresql /run/postgresql && \ apk del .build-deps USER root diff --git a/docs/hardening.md b/docs/hardening.md index 83d13023e..62441646b 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -35,8 +35,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen **8.1.1.2 Disable System on Audit Log Full**, **8.1.1.3 Keep All Auditing Information**, **8.1.1.5 Ensure set remote_server for audit service**, **8.1.1.6 Ensure enable_krb5 set to yes for remote audit service**, **8.1.1.7 Ensure set action for audit storage volume is fulled**, **8.1.1.8 Ensure set action for network failure on remote audit service**, **8.1.1.9 Set space left for auditd service**, a few other audit-related items under section **8.1**, **8.2.4 Configure rsyslog to Send Logs to a Remote Log Host** - As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. `auditd` is set up to syslog when its local storage capacity is reached. +**8.2.1 Install the rsyslog package**, **8.2.2 Enable rsyslog**, **8.2.3 Create and Set Permissions on rsyslog Log Files by conf file**, **8.3.1 Install the syslog-ng package**, **8.3.2 Ensure the syslog-ng Service is activated**, - Modern Debian-based Linux systems now use journald instead of rsyslog or syslog-ng. On Malcolm, these logs are available using journalctl and can be configured to be forwarded into the Malcolm data store using Fluent Bit. + **8.4.2 Implement Periodic Execution of File Integrity** - This functionality is not configured by default, but it can be configured post-install by the end user. +**8.5 Ensure permissions on all logfiles are configured** - It is the opinion of the Malcolm development team that the log files found in `/var/log` on the Malcolm base operating system are set with secure file permissions, despite what the [audit script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh) for this item suggests. + +**8.7.1 Ensure journald is configured to compress large log files** - Malcolm does not enable compression for journald logs to ensure that they remain readable by [Fluent Bit](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) (see [this related issue](https://github.com/fluent/fluent-bit/issues/2998)) for forwarding into the Malcolm data store. + +**8.7.2 Ensure journald is configured to write logfiles to persistent disk** - Journald's `Storage` setting remains set to the default `auto` value in the Malcolm base operating system. However, these logs can be configured to be forwarded into the Malcolm data store, at which point they are persisted to disk. + Password-related recommendations under **9.2** and **10.1** - The library package `libpam-pwquality` is used in favor of `libpam-cracklib`, which is what the [compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) are looking for. Also, as an appliance running Malcolm is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed. **9.3.13 Limit Access via SSH** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only `root` and an aggregator service account are used. SSH access for `root` is disabled. SSH login with a password is also disallowed: only key-based authentication is accepted. The service account accepts no keys by default. As such, the `AllowUsers`, `AllowGroups`, `DenyUsers`, and `DenyGroups` values in `sshd_config` do not apply. @@ -57,6 +65,8 @@ Please review the notes for these additional guidelines. While not claiming an e **5.4 Ensure ctrl-alt-del is disabled** - The Malcolm aggregator base operating system disables the `ctrl+alt+delete` key sequence by executing `systemctl disable ctrl-alt-del.target` during installation and the command `systemctl mask ctrl-alt-del.target` at boot time. +**6.5 Ensure time sync server is installed**, **6.19 Configure Network Time Protocol (NTP)**, and **6.20 Configure Network Time Protocol (chrony)** - The Malcolm aggregator base operating system [can be configured](malcolm-hedgehog-e2e-iso-install.md#MalcolmTimeSync) to synchronize time using either Network Time Protocol (NTP) or HTP (HTTP Time Protocol). The audit scripts for checking and configuring NTP do not check for binaries provided by the `ntpsec` package Malcolm uses, which is why this is incorrectly flagged as noncompliant. + **7.4.4 Create /etc/hosts.deny**, **7.7.1 Ensure Firewall is active**, **7.7.4.1 Ensure default deny firewall policy**, **7.7.4.2 Ensure loopback traffic is configured**, **7.7.4.3 Ensure default deny firewall policy**, **7.7.4.4 Ensure outbound and established connections are configured** - The Malcolm aggregator base operating system **is** configured with an appropriately locked-down software firewall (managed by "[Uncomplicated Firewall](https://launchpad.net/ufw)" `ufw`). However, the methods outlined in the [CIS benchmark recommendations](https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/) do not account for this configuration. **8.6 Verifies integrity all packages** - The [script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.7_verify_integrity_packages.sh) that verifies package integrity only "fails" because of missing (status `??5??????` displayed by the utility) language ("locale") files, which are removed as part of the Malcolm aggregator base operating system's trimming-down process. All non-locale-related system files pass intergrity checks. diff --git a/docs/hedgehog-hardening.md b/docs/hedgehog-hardening.md index 75307fd17..41bf13e83 100644 --- a/docs/hedgehog-hardening.md +++ b/docs/hedgehog-hardening.md @@ -32,8 +32,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t **8.1.1.2 Disable System on Audit Log Full**, **8.1.1.3 Keep All Auditing Information**, **8.1.1.5 Ensure set remote_server for audit service**, **8.1.1.6 Ensure enable_krb5 set to yes for remote audit service**, **8.1.1.7 Ensure set action for audit storage volume is fulled**, **8.1.1.8 Ensure set action for network failure on remote audit service**, **8.1.1.9 Set space left for auditd service**, a few other audit-related items under section **8.1**, **8.2.4 Configure rsyslog to Send Logs to a Remote Log Host** - As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. `auditd` is set up to syslog when its local storage capacity is reached. +**8.2.1 Install the rsyslog package**, **8.2.2 Enable rsyslog**, **8.2.3 Create and Set Permissions on rsyslog Log Files by conf file**, **8.3.1 Install the syslog-ng package**, **8.3.2 Ensure the syslog-ng Service is activated**, - Modern Debian-based Linux systems now use journald instead of rsyslog or syslog-ng. On Malcolm, these logs are available using journalctl and can be configured to be forwarded into the Malcolm data store using Fluent Bit. + **8.4.2 Implement Periodic Execution of File Integrity** - This functionality is not configured by default, but it can be configured post-install by the end user. +**8.5 Ensure permissions on all logfiles are configured** - It is the opinion of the Malcolm development team that the log files found in `/var/log` on the Malcolm base operating system are set with secure file permissions, despite what the [audit script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh) for this item suggests. + +**8.7.1 Ensure journald is configured to compress large log files** - Malcolm does not enable compression for journald logs to ensure that they remain readable by [Fluent Bit](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) (see [this related issue](https://github.com/fluent/fluent-bit/issues/2998)) for forwarding into the Malcolm data store. + +**8.7.2 Ensure journald is configured to write logfiles to persistent disk** - Journald's `Storage` setting remains set to the default `auto` value in the Malcolm base operating system. However, these logs can be configured to be forwarded into the Malcolm data store, at which point they are persisted to disk. + Password-related recommendations under **9.2** and **10.1** - The library package `libpam-pwquality` is used in favor of `libpam-cracklib` which is what the [compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) are looking for. Also, as an appliance running Malcolm is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed. **9.3.13 Limit Access via SSH** - Hedgehog Linux does not create multiple regular user accounts: only `root` and a sensor service account are used. SSH access for `root` is disabled. SSH login with a password is also disallowed: only key-based authentication is accepted. The service account accepts no keys by default. As such, the `AllowUsers`, `AllowGroups`, `DenyUsers`, and `DenyGroups` values in `sshd_config` do not apply. @@ -54,6 +62,8 @@ Please review the notes for these additional guidelines. While not claiming an e **5.4 Ensure ctrl-alt-del is disabled** - Hedgehog Linux disables the `ctrl+alt+delete` key sequence by executing `systemctl disable ctrl-alt-del.target` during installation and the command `systemctl mask ctrl-alt-del.target` at boot time. +**6.5 Ensure time sync server is installed**, **6.19 Configure Network Time Protocol (NTP)**, and **6.20 Configure Network Time Protocol (chrony)** - The Malcolm aggregator base operating system [can be configured](malcolm-hedgehog-e2e-iso-install.md#MalcolmTimeSync) to synchronize time using either Network Time Protocol (NTP) or HTP (HTTP Time Protocol). The audit scripts for checking and configuring NTP do not check for binaries provided by the `ntpsec` package Malcolm uses, which is why this is incorrectly flagged as noncompliant. + **7.4.4 Create /etc/hosts.deny**, **7.7.1 Ensure Firewall is active**, **7.7.4.1 Ensure default deny firewall policy**, **7.7.4.2 Ensure loopback traffic is configured**, **7.7.4.3 Ensure default deny firewall policy**, **7.7.4.4 Ensure outbound and established connections are configured** - Hedgehog Linux **is** configured with an appropriately locked-down software firewall (managed by "Uncomplicated Firewall" `ufw`). However, the methods outlined in the CIS benchmark recommendations do not account for this configuration. **8.6 Verifies integrity all packages** - The [script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.7_verify_integrity_packages.sh) which verifies package integrity only "fails" because of missing (status `??5??????` displayed by the utility) language ("locale") files, which are removed as part of Hedgehog Linux's trimming-down process. All non-locale-related system files pass intergrity checks. \ No newline at end of file diff --git a/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules b/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules index bdc53a2fd..5dcaaab91 100644 --- a/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules +++ b/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules @@ -34,10 +34,14 @@ -a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change -a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change -a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change -a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy +-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec +-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd @@ -78,6 +82,7 @@ -a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged @@ -87,6 +92,7 @@ -a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use @@ -126,6 +132,9 @@ -w /sbin/insmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /sbin/rmmod -p x -k modules +-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change -w /var/log/btmp -p wa -k session -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins @@ -138,24 +147,35 @@ # syscalls -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale # Make the configuration immutable -- reboot is required to change audit rules -e 2 diff --git a/hedgehog-iso/config/package-lists/system.list.chroot b/hedgehog-iso/config/package-lists/system.list.chroot index 47d6d3f99..288441685 100644 --- a/hedgehog-iso/config/package-lists/system.list.chroot +++ b/hedgehog-iso/config/package-lists/system.list.chroot @@ -145,7 +145,6 @@ rar rename rtkit samba-libs -screen sed sharutils shed diff --git a/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules b/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules index bdc53a2fd..5dcaaab91 100644 --- a/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules +++ b/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules @@ -34,10 +34,14 @@ -a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change -a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change -a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change -a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy +-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec +-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd @@ -78,6 +82,7 @@ -a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged @@ -87,6 +92,7 @@ -a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use @@ -126,6 +132,9 @@ -w /sbin/insmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /sbin/rmmod -p x -k modules +-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use +-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use +-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change -w /var/log/btmp -p wa -k session -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins @@ -138,24 +147,35 @@ # syscalls -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change +-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S clock_settime -k time-change +-a always,exit -F arch=b32 -S clock_settime -k time-change -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules +-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete +-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale # Make the configuration immutable -- reboot is required to change audit rules -e 2 diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot index 6c5dc7e4f..68f74ef94 100644 --- a/malcolm-iso/config/package-lists/system.list.chroot +++ b/malcolm-iso/config/package-lists/system.list.chroot @@ -129,7 +129,6 @@ rar rename rtkit samba-libs -screen sed sharutils shed diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 9031044a2..ef9c082c1 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh @@ -41,7 +41,9 @@ function CleanDefaultAccounts() { [ ! -d /var/lib/usbmux ] && ((mkdir -p /var/lib/usbmux && chown usbmux:plugdev /var/lib/usbmux && chmod 700 /var/lib/usbmux) || true) [ ! -d /var/lib/ntp ] && ((mkdir -p /var/lib/ntp && chown ntp:ntp /var/lib/ntp && chmod 700 /var/lib/ntp) || true) ((mkdir -p /var/lib/systemd-coredump && chown systemd-coredump:nogroup /var/lib/systemd-coredump && chmod 700 /var/lib/systemd-coredump && usermod -m -d /var/lib/systemd-coredump systemd-coredump) || true) - chmod 600 "/etc/crontab" "/etc/group-" "/etc/gshadow-" "/etc/passwd-" "/etc/shadow-" >/dev/null 2>&1 || true + chmod 600 "/etc/crontab" >/dev/null 2>&1 || true + chmod 644 "/etc/passwd-" "/etc/group-" >/dev/null 2>&1 || true + chmod 640 "/etc/shadow-" "/etc/gshadow-" >/dev/null 2>&1 || true chmod 700 "/etc/cron.hourly" "/etc/cron.daily" "/etc/cron.weekly" "/etc/cron.monthly" "/etc/cron.d" >/dev/null 2>&1 || true } From ffde15c26bb80fcfaae7afb3832979d15fd80d4a Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Mon, 21 Oct 2024 16:55:06 -0600 Subject: [PATCH 54/65] idaholab/Malcolm#598, added malcolm /ready API --- api/project/__init__.py | 188 ++++++++++++++++++++++++++++- api/project/config.py | 27 ++++- docker-compose-dev.yml | 1 + docker-compose.yml | 1 + docs/api-ready.md | 24 ++++ docs/api.md | 1 + kubernetes/08-api.yml | 2 + logstash/scripts/logstash-start.sh | 2 +- 8 files changed, 239 insertions(+), 7 deletions(-) create mode 100644 docs/api-ready.md diff --git a/api/project/__init__.py b/api/project/__init__.py index 15748ebe9..d06f99115 100644 --- a/api/project/__init__.py +++ b/api/project/__init__.py @@ -169,6 +169,15 @@ missing_field_map['ip'] = '0.0.0.0' missing_field_map['long'] = 0 +logstash_default_pipelines = [ + "malcolm-beats", + "malcolm-enrichment", + "malcolm-input", + "malcolm-output", + "malcolm-suricata", + "malcolm-zeek", +] + urllib3.disable_warnings() warnings.filterwarnings( "ignore", @@ -181,9 +190,29 @@ debugApi = app.config["MALCOLM_API_DEBUG"] == "true" -opensearchUrl = app.config["OPENSEARCH_URL"] +arkimeHost = app.config["ARKIME_HOST"] +arkimePort = app.config["ARKIME_PORT"] +arkimeStatusUrl = f'https://{arkimeHost}:{arkimePort}/_ns_/nstest.html' dashboardsUrl = app.config["DASHBOARDS_URL"] +dashboardsHelperHost = app.config["DASHBOARDS_HELPER_HOST"] +dashboardsMapsPort = app.config["DASHBOARDS_MAPS_PORT"] databaseMode = malcolm_utils.DatabaseModeStrToEnum(app.config["OPENSEARCH_PRIMARY"]) +filebeatHost = app.config["FILEBEAT_HOST"] +filebeatTcpJsonPort = app.config["FILEBEAT_TCP_JSON_PORT"] +freqUrl = app.config["FREQ_URL"] +logstashApiPort = app.config["LOGSTASH_API_PORT"] +logstashHost = app.config["LOGSTASH_HOST"] +logstashLJPort = app.config["LOGSTASH_LJ_PORT"] +logstashMapsPort = app.config["LOGSTASH_LJ_PORT"] +logstashUrl = f'http://{logstashHost}:{logstashApiPort}' +netboxUrl = app.config["NETBOX_URL"] +opensearchUrl = app.config["OPENSEARCH_URL"] +pcapMonitorHost = app.config["PCAP_MONITOR_HOST"] +pcapTopicPort = app.config["PCAP_TOPIC_PORT"] +zeekExtractedFileLoggerHost = app.config["ZEEK_EXTRACTED_FILE_LOGGER_HOST"] +zeekExtractedFileLoggerTopicPort = app.config["ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT"] +zeekExtractedFileMonitorHost = app.config["ZEEK_EXTRACTED_FILE_MONITOR_HOST"] +zeekExtractedFileTopicPort = app.config["ZEEK_EXTRACTED_FILE_TOPIC_PORT"] opensearchLocal = (databaseMode == malcolm_utils.DatabaseMode.OpenSearchLocal) or ( opensearchUrl == 'http://opensearch:9200' @@ -884,6 +913,163 @@ def version(): ) +@app.route( + f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/ready", methods=['GET'] +) +def ready(): + """Return ready status (true or false) for various Malcolm components + + Parameters + ---------- + + Returns + ------- + arkime + true or false, the ready status of Arkime + dashboards + true or false, the ready status of Dashboards (or Kibana) + dashboards_maps + true or false, the ready status of the dashboards-helper offline map server + filebeat_tcp + true or false, the ready status of Filebeat's JSON-OVER-TCP + freq + true or false, the ready status of freq + logstash_lumberjack + true or false, the ready status of Logstash's lumberjack protocol listener + logstash_pipelines + true or false, the ready status of Logstash's default pipelines + netbox + true or false, the ready status of NetBox + opensearch + true or false, the ready status of OpenSearch (or Elasticsearch) + pcap_monitor + true or false, the ready status of the PCAP monitoring process + zeek_extracted_file_logger + true or false, the ready status of the Zeek extracted file results logging process + zeek_extracted_file_monitor + true or false, the ready status of the Zeek extracted file monitoring process + """ + global databaseClient + + try: + arkimeResponse = requests.get( + arkimeStatusUrl, + verify=False, + ) + arkimeResponse.raise_for_status() + arkimeStatus = True + except Exception as e: + arkimeStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Arkime status") + + try: + dashboardsStatus = requests.get( + f'{dashboardsUrl}/api/status', + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, + ).json() + except Exception as e: + dashboardsStatus = {} + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Dashboards status") + + try: + dashboardsMapsStatus = malcolm_utils.check_socket(dashboardsHelperHost, dashboardsMapsPort) + except Exception as e: + dashboardsMapsStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Logstash offline map server") + + try: + filebeatTcpJsonStatus = malcolm_utils.check_socket(filebeatHost, filebeatTcpJsonPort) + except Exception as e: + filebeatTcpJsonStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting filebeat TCP JSON listener status") + + try: + freqResponse = requests.get(freqUrl) + freqResponse.raise_for_status() + freqStatus = True + except Exception as e: + freqStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting freq status") + + try: + logstashStats = requests.get(f'{logstashUrl}/_node').json() + except Exception as e: + logstashStats = {} + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Logstash node status") + + try: + logstashLJStatus = malcolm_utils.check_socket(logstashHost, logstashLJPort) + except Exception as e: + logstashLJStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Logstash lumberjack listener status") + + try: + netboxStatus = requests.get(f'{netboxUrl}/api/status').json() + except Exception as e: + netboxStatus = {} + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting NetBox status") + + try: + openSearchHealth = dict(databaseClient.cluster.health()) + except Exception as e: + openSearchHealth = {} + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting OpenSearch health") + + try: + pcapMonitorStatus = malcolm_utils.check_socket(pcapMonitorHost, pcapTopicPort) + except Exception as e: + pcapMonitorStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting PCAP monitor topic status") + + try: + zeekExtractedFileMonitorStatus = malcolm_utils.check_socket( + zeekExtractedFileMonitorHost, zeekExtractedFileTopicPort + ) + except Exception as e: + zeekExtractedFileMonitorStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Zeek extracted file monitor topic status") + + try: + zeekExtractedFileLoggerStatus = malcolm_utils.check_socket( + zeekExtractedFileLoggerHost, zeekExtractedFileLoggerTopicPort + ) + except Exception as e: + zeekExtractedFileLoggerStatus = False + if debugApi: + print(f"{type(e).__name__}: {str(e)} getting Zeek extracted file logger topic status") + + return jsonify( + arkime=arkimeStatus, + dashboards=(malcolm_utils.deep_get(dashboardsStatus, ["status", "overall", "state"]) == "green"), + dashboards_maps=dashboardsMapsStatus, + filebeat_tcp=filebeatTcpJsonStatus, + freq=freqStatus, + logstash_lumberjack=logstashLJStatus, + logstash_pipelines=(malcolm_utils.deep_get(logstashStats, ["status"]) == "green") + and all( + pipeline in malcolm_utils.deep_get(logstashStats, ["pipelines"], {}) + for pipeline in logstash_default_pipelines + ), + netbox=(malcolm_utils.deep_get(netboxStatus, ["rq-workers-running"], 0) > 0), + opensearch=(malcolm_utils.deep_get(openSearchHealth, ["status"], 'red') != "red"), + pcap_monitor=pcapMonitorStatus, + zeek_extracted_file_logger=zeekExtractedFileLoggerStatus, + zeek_extracted_file_monitor=zeekExtractedFileMonitorStatus, + ) + + @app.route( f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/ping", methods=['GET'] ) diff --git a/api/project/config.py b/api/project/config.py index b98ef3481..eb473637f 100644 --- a/api/project/config.py +++ b/api/project/config.py @@ -13,18 +13,35 @@ class Config(object): ARKIME_NETWORK_INDEX_PATTERN = f"{os.getenv('ARKIME_NETWORK_INDEX_PATTERN', 'arkime_sessions3-*')}" ARKIME_NETWORK_INDEX_TIME_FIELD = f"{os.getenv('ARKIME_NETWORK_INDEX_TIME_FIELD', 'firstPacket')}" - DOCTYPE_DEFAULT = f"{os.getenv('DOCTYPE_DEFAULT', 'network')}" + ARKIME_HOST = f"{os.getenv('ARKIME_HOST', 'arkime')}" + ARKIME_PORT = int(f"{os.getenv('ARKIME_PORT', '8005')}") BUILD_DATE = f"{os.getenv('BUILD_DATE', 'unknown')}" DASHBOARDS_URL = f"{os.getenv('DASHBOARDS_URL', 'http://dashboards:5601/dashboards')}" - MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}" + DASHBOARDS_HELPER_HOST = f"{os.getenv('DASHBOARDS_HELPER_HOST', 'dashboards-helper')}" + DASHBOARDS_MAPS_PORT = int(f"{os.getenv('DASHBOARDS_MAPS_PORT', '28991')}") + DOCTYPE_DEFAULT = f"{os.getenv('DOCTYPE_DEFAULT', 'network')}" + FILEBEAT_HOST = f"{os.getenv('FILEBEAT_HOST', 'filebeat')}" + FILEBEAT_TCP_JSON_PORT = int(f"{os.getenv('FILEBEAT_TCP_JSON_PORT', '5045')}") + FREQ_URL = f"{os.getenv('FREQ_URL', 'http://freq:10004')}" + LOGSTASH_API_PORT = int(f"{os.getenv('LOGSTASH_API_PORT', '9600')}") + LOGSTASH_HOST = f"{os.getenv('LOGSTASH_HOST', 'logstash')}" + LOGSTASH_LJ_PORT = int(f"{os.getenv('LOGSTASH_LJ_PORT', '5044')}") MALCOLM_API_DEBUG = f"{os.getenv('MALCOLM_API_DEBUG', 'false')}" + MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}" MALCOLM_TEMPLATE = f"{os.getenv('MALCOLM_TEMPLATE', 'malcolm_template')}" MALCOLM_VERSION = f"{os.getenv('MALCOLM_VERSION', 'unknown')}" - OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}" - OPENSEARCH_PRIMARY = f"{os.getenv('OPENSEARCH_PRIMARY', 'opensearch-local')}" - OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}" + NETBOX_URL = f"{os.getenv('NETBOX_URL', 'http://netbox:8080/netbox')}" OPENSEARCH_CREDS_CONFIG_FILE = ( f"{os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc')}" ) + OPENSEARCH_PRIMARY = f"{os.getenv('OPENSEARCH_PRIMARY', 'opensearch-local')}" + OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}" + OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}" + PCAP_MONITOR_HOST = f"{os.getenv('PCAP_MONITOR_HOST', 'pcap-monitor')}" + PCAP_TOPIC_PORT = int(f"{os.getenv('PCAP_TOPIC_PORT', '30441')}") RESULT_SET_LIMIT = int(f"{os.getenv('RESULT_SET_LIMIT', '500')}") VCS_REVISION = f"{os.getenv('VCS_REVISION', 'unknown')}" + ZEEK_EXTRACTED_FILE_LOGGER_HOST = f"{os.getenv('ZEEK_EXTRACTED_FILE_LOGGER_HOST', 'file-monitor')}" + ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT = int(f"{os.getenv('ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT', '5988')}") + ZEEK_EXTRACTED_FILE_MONITOR_HOST = f"{os.getenv('ZEEK_EXTRACTED_FILE_MONITOR_HOST', 'file-monitor')}" + ZEEK_EXTRACTED_FILE_TOPIC_PORT = int(f"{os.getenv('ZEEK_EXTRACTED_FILE_TOPIC_PORT', '5987')}") diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index bbdbb2ddd..bada0e073 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -1318,6 +1318,7 @@ services: env_file: - ./config/process.env - ./config/ssl.env + - ./config/upload-common.env - ./config/dashboards.env - ./config/opensearch.env environment: diff --git a/docker-compose.yml b/docker-compose.yml index b29196f43..8bfaae622 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1180,6 +1180,7 @@ services: env_file: - ./config/process.env - ./config/ssl.env + - ./config/upload-common.env - ./config/dashboards.env - ./config/opensearch.env environment: diff --git a/docs/api-ready.md b/docs/api-ready.md new file mode 100644 index 000000000..79f8bcf0e --- /dev/null +++ b/docs/api-ready.md @@ -0,0 +1,24 @@ +# Malcolm Services Readiness Status + +`GET` - /mapi/ready + +Returns `true` or `false` indicating the readiness status of various Malcolm services. + +**Example output:** + +```json +{ + "arkime": true, + "dashboards": true, + "dashboards_maps": true, + "filebeat_tcp": false, + "freq": true, + "logstash_lumberjack": true, + "logstash_pipelines": true, + "netbox": true, + "opensearch": true, + "pcap_monitor": true, + "zeek_extracted_file_logger": true, + "zeek_extracted_file_monitor": true +} +``` diff --git a/docs/api.md b/docs/api.md index 3de995e6d..16c72ee8c 100644 --- a/docs/api.md +++ b/docs/api.md @@ -6,6 +6,7 @@ * [Fields](api-fields.md) * [Indices](api-indices.md) * [Ping](api-ping.md) +* [Ready](api-ready.md) * [Version](api-version.md) * [Examples](api-examples.md) diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index 1d5f074d4..407c75e2d 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -53,6 +53,8 @@ spec: name: process-env - configMapRef: name: ssl-env + - configMapRef: + name: upload-common-env - configMapRef: name: dashboards-env - configMapRef: diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index d752f5fc3..a44e98176 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh @@ -10,7 +10,7 @@ HOST_PIPELINES_DIR="/usr/share/logstash/malcolm-pipelines.available" # runtime pipelines parent directory export PIPELINES_DIR="/usr/share/logstash/malcolm-pipelines" -# runtime pipeliens configuration file +# runtime pipelines configuration file export PIPELINES_CFG="/usr/share/logstash/config/pipelines.yml" # for each pipeline in /usr/share/logstash/malcolm-pipelines, append the contents of this file to the dynamically-generated From fea8a5eedc327dd2b28a93c7d4d5c44d7f494bed Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 10:54:31 -0600 Subject: [PATCH 55/65] documentation for how to draft a malcolm release --- docs/README.md | 3 +- docs/contributing-guide.md | 3 +- docs/contributing-release-prep.md | 192 +++++++++++++++++++++++++++ docs/images/logo/Malcolm_outline.svg | 6 +- 4 files changed, 199 insertions(+), 5 deletions(-) create mode 100644 docs/contributing-release-prep.md diff --git a/docs/README.md b/docs/README.md index f3880aa0f..a7004736c 100644 --- a/docs/README.md +++ b/docs/README.md @@ -148,4 +148,5 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation - [OpenSearch Dashboards](contributing-dashboards.md#dashboards) - [Carved file scanners](contributing-file-scanners.md#Scanners) - [Style](contributing-style.md#Style) - - [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) \ No newline at end of file + - [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) + - [Preparing a Malcolm Release](contributing-release-prep.md) \ No newline at end of file diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md index 3237717be..d30153639 100644 --- a/docs/contributing-guide.md +++ b/docs/contributing-guide.md @@ -26,4 +26,5 @@ It is recommended before reviewing this guide to read the documentation on [cust + [OpenSearch Dashboards plugins](contributing-dashboards.md#DashboardsPlugins) * [Carved file scanners](contributing-file-scanners.md#Scanners) * [Style](contributing-style.md#Style) -* [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) \ No newline at end of file +* [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) +* [Preparing a Malcolm Release](contributing-release-prep.md) \ No newline at end of file diff --git a/docs/contributing-release-prep.md b/docs/contributing-release-prep.md new file mode 100644 index 000000000..0ab70fa30 --- /dev/null +++ b/docs/contributing-release-prep.md @@ -0,0 +1,192 @@ +# Preparing a Malcolm Release + +This document outlines the steps a Malcolm developer goes through to publish a release of Malcolm. This guide assumes the developer has been doing their work downstream in a fork of the main [Malcolm repository upstream]({{ site.github.repository_url }}), forked at `romeogdetlevjr/Malcolm` by the fictitious Malcolm developer Romeo G Detlev Jr. concocted for this example. + +## 1. Review the project milestone and the branch from which the release will be staged + +Malcolm tracks issues (whether they be bugs, new features, enhancements, etc.) for release milestones using a [GitHub project](https://github.com/orgs/idaholab/projects/1). Before building release candidate images, Romeo reviews the items for the upcoming release in the corresponding project milestone and ensures that all items assigned to it have their status set to **Done**, each item having been completed and tested locally by the developer to which the issue was assigned. + +Romeo also ensures that all work towards this release has been pulled into the branch on his fork from which the release will be cut. If [pull requests]({{ site.github.repository_url }}/pulls) have been submitted upstream which resolve the issues assigned to this release, those pull requests should be merged into the branch at `romeogdetlevjr/Malcolm`, whether they were submitted initially against that fork or pulled in manually by Romeo as part of this release process. Pull requests are not accepted directly into the `main` branch of the official [upstream fork]({{ site.github.repository_url }}). In other words, the branch of Malcolm in Romeo's development fork should contain **everything** that is going to comprise this release of Malcolm. + +There are several places in the Malcolm source code where the release version itself (e.g., `24.10.0`) needs to be present. Most of these places are in the documentation, consisting of markdown files, but others include [docker-compose.yml]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/docker-compose.yml), [docker-compose-dev.yml]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/docker-compose-dev.yml), and the [Kubernetes manifests]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/kubernetes). Most likely Romeo's first commit into his branch as he worked on this release was to bump those version strings ([like this](https://github.com/romeogdetlevjr/Malcolm/commit/cc7d0d8855b5cc4f04cd38ae22d1421c627444cc)), but he should verify now that he did so. + +## 2. Build Malcolm container images using GitHub runners + +Images and artifacts for release should not be built on Romeo's own development workstation. Instead, carefully reviews the documentation for [using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) (including setting up his [GitHub repository actions secrets and variables](contributing-github-runners.md#secrets-and-variables)) and starts builds of the GitHub container images [with a workflow or repository dispatch API trigger](contributing-github-runners.md#triggers). He monitors the [progress of the workflow actions]({{ site.github.repository_url }}/actions) and ensures that they complete successfully, including jobs for both `docker (linux/amd64)` and `docker (linux/arm64)` where applicable. + +## 3. Build Malcolm ISO images using GitHub runners + +The [workflow for building the Hedgehog Linux installer ISO]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/actions/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml) can be run independently of the Malcolm container images; however, the [workflow for building the Malcolm installer ISO]({{ site.github.repository_url }}/actions/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) needs to be run **after** all of the container image "build-and-push" actions have completed successfully, as those images are pulled and archived inside of the ISO itself. Once Romeo is sure that all of the actions for building the container images from the previous step have completed successfully, he initiates a run of the [`malcolm-iso-build-docker-wrap-push-ghcr`]({{ site.github.repository_url }}/actions/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) action. + +## 4. Pull the container images from ghcr.io + +Once all of the release candidate images have been built by their respective GitHub actions, Romeo can use the [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development) (found at [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) in the Malcolm source code) which has the following purposes: + +1. To pull the freshly-built container images from ghcr.io named with his fork's tags (e.g., `ghcr.io/romeogdetlevjr/malcolm/zeek:main`) +2. To tag these images with their "official" tags (e.g., `ghcr.io/idaholab/malcolm/zeek:24.10.1`) +3. To extract the ISO 9660-formatted ISO files for the Malcolm and Hedgehog Linux installer ISOs + +Romeo carefully reviews the documentation on this [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development), then runs it. When it has completed, he verifies with `docker images` that he pulled the new container images (checking the containers' ages with the `CREATED` column) and that he has the `.iso` files he expects to have. + +## 5. Extract, install, and test ISO images + +Now that he's got the `.iso` files for Malcolm and Hedgehog Linux, Romeo fires up some virtualization software ([VMware Workstation](https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion), [VirtualBox](https://www.virtualbox.org/), or, his personal favorite, [virt-manager](https://virt-manager.org/)) and installs the ISOs into their respective VMs. He makes sure his VMs are configured to meet the [recommended system requirements](system-requirements.md#SystemRequirements). He follows the [end-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#InstallationExample) example in the documentation to install and configure Malcolm and Hedgehog Linux, resulting in a configuration where the VMs are successfully communicating with each other. + +Part of Romeo's testing includes uploading PCAP files to test the parsers for Malcolm's [supported protocols](protocols.md#Protocols), so he uses a [set of PCAP files](https://github.com/mmguero-dev/Malcolm-PCAP) curated by another Malcolm developer for this purpose. + +He also knows that verifying live traffic capture is an important part of testing both [Hedgehog Linux](live-analysis.md#Hedgehog) and [Malcolm](live-analysis.md#LocalPCAP). He has used a few open-source tools to generate "real" live Internet traffic in his VMs, including [PartyLoud](https://github.com/mmguero-dev/PartyLoud), [alphasoc/flightsim](https://github.com/alphasoc/flightsim), and [3CORESec/testmynids.org](https://github.com/3CORESec/testmynids.org). He downloads these utilities into both VMs and configures both Malcolm and Hedgehog Linux to capture the live traffic generated. + +Having [uploaded](upload.md#Upload) a variety of PCAP files and configured [live traffic analysis](live-analysis.md), Romeo validates the resulting traffic metadata generated by Zeek, Suricata, and Arkime looks correct in both [OpenSearch Dashboards](dashboards.md#Dashboards) and [Arkime](arkime.md#Arkime). He makes a special note to use [Arkime's sessions interface](arkime.md#ArkimeSessions) to retrieve a PCAP payload for an Arkime session captured on each VM. + +Romeo knows that soon™ the Malcolm project will include a [robust automated system testing framework](https://github.com/idaholab/Malcolm/issues/11), but until then he realizes it's on him to do his best to ensure the quality of this Malcolm release. He carefully reviews and tests each issue assigned to this milestone on the [GitHub project board](https://github.com/orgs/idaholab/projects/1). + +## 6. Build Hedgehog Linux Raspberry Pi image + +Earlier, Romeo reminded himself that images and artifacts for release should not be built on his own development workstation. While this is a worthy goal, at the time of this writing GitHub does not provide [standard hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners) for arm64, so the [workflow for building the Hedgehog Linux Raspberry Pi image]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/actions/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml) would have to be emulated in QEMU. Romeo knows from personal experience that this build process would exceed GitHub's time limit and be killed, so he has to resort to [building the Raspberry Pi image](hedgehog-raspi-build.md#HedgehogRaspiBuild) locally. He has read that arm64 standard runners are [coming soon](https://github.com/orgs/community/discussions/19197#discussioncomment-10895290) and suspects that soon Malcolm will support building the Hedgehog Linux Raspberry Pi image natively using GitHub runners. + +## 7. Submit and merge a pull request + +Now that he's satisfied that everything looks ship-shape for the release, Romeo drafts and submits a pull request from his development fork to the [Malcolm repository upstream]({{ site.github.repository_url }}), where it should be carefully reviewed, preferably by Romeo and another Malcolm developer together. + +Once the PR has been carefully reviewed by the necessary parties to everyone's satisfaction, it can be merged info the `main` branch upstream. + +## 8. Push official images to ghcr.io + +Earlier Romeo used the [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development) to pull and tag the container images that would become the official images for this release. He now pushes those images to ghcr.io, making them available to the public in the official upstream namespace with their final release tags. He uses some script-fu to do this, listing the container images, filtering for the newly-tagged `idaholab` images for this release, and using `xargs` to execute a `docker push` command for each: + +```bash +$ docker images \ + | grep -P "ghcr\.io/idaholab/malcolm/.+24\.10\.1" \ + | awk '{print $1 ":" $2}' \ + | xargs -r -l docker push + +Getting image source signatures +Copying blob f944ed4242ed skipped: already exists +… +Copying config 2c88f94597 done | +Writing manifest to image destination +… +Writing manifest to image destination +Getting image source signatures +Copying blob 43c4264eed91 skipped: already exists +… +Copying config caff12e3c5 done | +Writing manifest to image destination +``` + +The push should actually go very quickly, because the container registry is smart enough to realize that the images already exist (with the `romeogdetlevjr` tags), so there will be a lot of "Copying blob … skipped: already exists" messages in the output. + +## 9. Pulling and pushing the arm64 images + +Romeo's primary development workstation is a Linux system running on the x86_64/amd64 architecture. He realizes that Malcolm has had [arm64 support](https://github.com/idaholab/Malcolm/issues/389) for some time. However, the convenience script he used to pull and tag the Malcolm images as described above is only doing so for the `amd64` container images. + +Romeo switches over to an arm64-based machine (in his case, his Apple M2 Max MacBook Pro) and repeats the steps from **Pull the container images from ghcr.io** and **Push official images to ghcr.io** above, only this time for the Malcolm images with the `-arm64` suffixed tags. + +## 10. Prepare release artifacts + +Romeo appreciates it when open source projects include detailed release notes, so he carefully goes writes some to accompany this release of Malcolm. Using the pattern followed in [previous Malcolm releases]({{ site.github.repository_url }}/releases), he uses Markdown to draft release notes including: + +* New features and enhancements +* Version bumps for any components or libraries used by Malcolm +* Bugs fixed +* Changes to [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) +* Breaking changes (things that aren't backwards compatible, things requiring a re-run of the `configure` script, etc.) + +There are two general categories of files that need to be generated to be included with the Malcolm release as assets, broken down thusly: + +* Images + - Malcolm installer ISO + - Hedgehog Linux installer ISO + - Hedgehog Linux Raspberry Pi image +* Scripts and tarball for a standalone Docker installation + +Romeo checks out and switches his GitHub repository's working copy so that it's tracking the [upstream branch]({{ site.github.repository_url }}) (e.g., `git checkout main` and `git branch --set-upstream-to idaholab/main`). Running `git log -1` should show that the latest commit to this branch is the merge of the pull request performed earlier. + +Romeo creates a local directory to contain the release artifacts and runs `./scripts/malcolm_appliance_packager.sh` to package up the scripts and tarball for a standalone Docker installation (the output of that script is somewhat verbose, so it's been summarized for display here): + +```bash +$ mkdir releases + +$ cd releases + +$ ~/Malcolm/scripts/malcolm_appliance_packager.sh +… +mkdir: created directory … + +Package Kubernetes manifests in addition to docker-compose.yml [y/N]? y +… +Packaged Malcolm to "/home/romeogdetlevjr/Malcolm/releases/malcolm_20241008_215936_deadbeef.tar.gz" + +Do you need to package container images also [y/N]? n + +To install Malcolm: + 1. Run install.py + 2. Follow the prompts + +To start, stop, restart, etc. Malcolm: + Use the control scripts in the "scripts/" directory: + - start (start Malcolm) + - stop (stop Malcolm) + - restart (restart Malcolm) + - logs (monitor Malcolm logs) + - wipe (stop Malcolm and clear its database) + - auth_setup (change authentication-related settings) + +Malcolm services can be accessed at https:/// + +$ ls -l +total 462,848 +-rwxr-xr-x 1 romeogdetlevjr romeogdetlevjr 219,939 Oct 22 10:32 install.py +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 475 Oct 22 10:33 malcolm_20241008_215936_deadbeef.README.txt +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 115,865 Oct 22 10:32 malcolm_20241008_215936_deadbeef.tar.gz +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 41,372 Oct 22 10:32 malcolm_common.py +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 44,226 Oct 22 10:32 malcolm_kubernetes.py +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 24,865 Oct 22 10:32 malcolm_utils.py +``` + +The resultant `.py`, `.tar.gz,` and `.txt` files are ready to be included as assets in the Malcolm release on GitHub. + +As described in the documentation for [downloading Malcolm](download.md#JoinISOs), due to [limits on individual files](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas) in GitHub releases, the binary image files have been split into 2GB chunks. The same scripts (for Bash ([release_cleaver.sh]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/release_cleaver.sh)) and PowerShell ([release_cleaver.ps1]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/release_cleaver.ps1))) used to join the files can be used to split them up: + +```bash +$ ls -l +total 8,502,263,808 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,209,240 Oct 22 09:50 hedgehog-24.10.1-build.log +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,664,972,288 Oct 22 09:50 hedgehog-24.10.1.iso +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 963,775 Oct 22 09:49 malcolm-24.10.1-build.log +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 5,835,110,400 Oct 22 09:49 malcolm-24.10.1.iso + +$ for ISO in *.iso; do ~/Malcolm/scripts/release_cleaver.sh "$ISO"; done +Splitting... +bf6e71385046b39d265af3dfc5b77677a0ac5eeac86bdc5be48791d0900715df hedgehog-24.10.1.iso +Splitting... +b4957741420ec06988d975cdb7f71eaa201918245f6fcb7ee2641d7d0ad97c52 malcolm-24.10.1.iso + +$ ls -l +total 17,002,364,928 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,209,240 Oct 22 09:50 hedgehog-24.10.1-build.log +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,664,972,288 Oct 22 09:50 hedgehog-24.10.1.iso +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:40 hedgehog-24.10.1.iso.01 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 664,972,288 Oct 22 10:40 hedgehog-24.10.1.iso.02 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 87 Oct 22 10:40 hedgehog-24.10.1.iso.sha +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 963,775 Oct 22 09:49 malcolm-24.10.1-build.log +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 5,835,110,400 Oct 22 09:49 malcolm-24.10.1.iso +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:41 malcolm-24.10.1.iso.01 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:41 malcolm-24.10.1.iso.02 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,835,110,400 Oct 22 10:41 malcolm-24.10.1.iso.03 +-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 86 Oct 22 10:41 malcolm-24.10.1.iso.sha +``` + +The resultant files (with the `.iso.##` and `.iso.sha` extensions) are the files ready to be included as assets in the Malcolm release on GitHub. + +## 11. Publish the release + +Romeo goes to the [releases]({{ site.github.repository_url }}/releases) page of the upstream repository. He clicks **Draft a new release**. On the new release page, he enters the release tag under **Choose a tag** (e.g., `v24.10.1`) with `main` as the target. He puts **Malcolm v24.10.1** as the release title, and pastes the content of the markdown release notes he wrote into the **Write** input where it prompts him to **Describe this release**. + +Romeo attaches the asset files from the previous step where it says "↓ Attach binaries by dropping them here or selecting them." He ensures that **Set as the latest release** is checked. + +After reviewing the contents of this page, Romeo pushes the green **Publish release** button, making this the latest official Malcolm release. + +## 12. Close project milestone + +Finally, Romeo navigates back to the [GitHub project](https://github.com/orgs/idaholab/projects/1) and changes the status of each issue under the now-released milestone from **Done** to **Released**. He then navigates to the [milestones]({{ site.github.repository_url }}/milestones) page on GitHub and clicks **Close** for that milestone. \ No newline at end of file diff --git a/docs/images/logo/Malcolm_outline.svg b/docs/images/logo/Malcolm_outline.svg index 01da04f33..dc33a0e2b 100644 --- a/docs/images/logo/Malcolm_outline.svg +++ b/docs/images/logo/Malcolm_outline.svg @@ -16,7 +16,7 @@ version="1.1" id="svg131" inkscape:version="0.92.4 (5da689c313, 2019-01-14)" - inkscape:export-filename="/home/tlacuache/Malcolm_outline_banner.png" + inkscape:export-filename="Malcolm_outline_banner.png" inkscape:export-xdpi="96" inkscape:export-ydpi="96"> Date: Tue, 22 Oct 2024 11:09:29 -0600 Subject: [PATCH 56/65] minor label tweak --- _config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_config.yml b/_config.yml index e93e6c7af..3bbe0277c 100644 --- a/_config.yml +++ b/_config.yml @@ -1,6 +1,6 @@ repository: idaholab/Malcolm title: Malcolm -description: A powerful, easily deployable network traffic analysis tool suite +description: A powerful, easily deployable network traffic analysis tool suite for network security monitoring logo: docs/images/logo/Malcolm_outline_banner_dark.png remote_theme: pages-themes/minimal@v0.2.0 youtube_url: https://www.youtube.com/@MalcolmNetworkTrafficAnalysis From b4c47f7b06cae40e31c140dc69c7ea7f31dcbd75 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 11:28:37 -0600 Subject: [PATCH 57/65] documentation update --- docs/api-ready.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/api-ready.md b/docs/api-ready.md index 79f8bcf0e..31d6f8a55 100644 --- a/docs/api-ready.md +++ b/docs/api-ready.md @@ -2,7 +2,7 @@ `GET` - /mapi/ready -Returns `true` or `false` indicating the readiness status of various Malcolm services. +Returns `true` or `false` indicating the readiness status of various Malcolm services. Generally speaking, Malcolm is ready to begin processing traffic when the `opensearch`, `pcap_monitor`, `logstash_lumberjack`, and `logstash_pipelines` services are `true`. **Example output:** From 2d9da4269ec32dd2169e05effe07fca53d4ac211 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 12:55:18 -0600 Subject: [PATCH 58/65] changes for review of hardening, idaholab/Malcolm#328 --- Dockerfiles/postgresql.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index 1328344a5..1759b53d6 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile @@ -37,7 +37,7 @@ RUN apk update --no-cache && \ ln -s /usr/bin /usr/local/bin && \ ln -s /usr/share /usr/local/share && \ ln -s /usr/lib /usr/local/lib && \ - chmod 00775 /var/lib/postgresql /run/postgresql && \ + chmod 00775 /var/lib/postgresql /var/lib/postgresql/data /run/postgresql && \ apk del .build-deps USER root From ec6f6cc5208d8357ee14c82d73d656b35714d00d Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 13:31:59 -0600 Subject: [PATCH 59/65] changes for review of hardening, idaholab/Malcolm#328 --- Dockerfiles/logstash.Dockerfile | 1 + docs/hardening.md | 6 ++++++ docs/hedgehog-hardening.md | 4 ++++ .../config/hooks/normal/0910-sensor-build.hook.chroot | 2 ++ .../hooks/normal/0991-security-performance.hook.chroot | 3 ++- .../config/includes.chroot/etc/ssh/sshd_config | 2 +- hedgehog-raspi/sensor_install.sh | 1 + .../hooks/normal/0991-security-performance.hook.chroot | 2 +- malcolm-iso/config/includes.chroot/etc/ssh/sshd_config | 2 +- shared/bin/preseed_late_user_config.sh | 10 ++++++---- 10 files changed, 25 insertions(+), 8 deletions(-) diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index a7ba388f4..69348bb05 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -105,6 +105,7 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" chown --silent -R ${PUSER}:root \ /usr/share/logstash \ /logstash-persistent-queue && \ + chmod -R o-w /usr/share/logstash && \ echo "Retrieving and parsing Wireshark manufacturer database..." && \ python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml && \ echo "Complete." diff --git a/docs/hardening.md b/docs/hardening.md index 62441646b..6a492682e 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -21,12 +21,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen **2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid option to /run/shm Partition**, **2.16 Add noexec option to /run/shm Partition** - The Malcolm aggregator base operating system does not mount `/run/shm` as a separate partition, so these recommendations do not apply. +**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers. + **2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - The Malcolm aggregator base operating system is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel. **3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensure uninterrupted service. A boot loader password is not enabled. **4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system. +**5.2 Install screen** - The Malcolm base operating system comes with `tmux`, a modern `screen` alternative. + **6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by the Malcolm aggregator base operating system, but the `avahi` and `cups` services themselves are disabled. **6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. @@ -55,6 +59,8 @@ Password-related recommendations under **9.2** and **10.1** - The library packag **10.1.10 Set maxlogins for all accounts** and **10.5 Set Timeout on ttys** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only the `root` and aggregator service accounts are used. +**12.8 Find Un-owned Files and Directories** and **12.9 Find Un-grouped Files and Directories** - The files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.8_find_unowned_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.9_find_ungrouped_files.sh) exist within the layers of Malcolm's Docker images. While they do not belong to any user/group the host system knows about, the ownership of these files is set correctly in each Docker container's entrypoint. These files are not accessible to any unprivileged user on the host. + **12.10 Find SUID System Executables**, **12.11 Find SGID System Executables** - The few files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.10_find_suid_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.11_find_sgid_files.sh) are valid exceptions required by the Malcolm aggregator base operating system's core requirements. **14.1 Defense for NAT Slipstreaming** - As Malcolm may operate as a network traffic capture appliance sniffing packets on a network interface configured in promiscuous mode, this recommendation does not apply. diff --git a/docs/hedgehog-hardening.md b/docs/hedgehog-hardening.md index 41bf13e83..c993f2042 100644 --- a/docs/hedgehog-hardening.md +++ b/docs/hedgehog-hardening.md @@ -18,12 +18,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t **2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid Option to /run/shm Partition**, **2.16 Add noexec Option to /run/shm Partition** - Hedgehog Linux does not mount `/run/shm` as a separate partition, so these recommendations do not apply. +**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers. + **2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - Hedgehog Linux is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel. **3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensured uninterrupted service. A boot loader password is not enabled. **4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system. +**5.2 Install screen** - Hedgehog Linux comes with `tmux`, a modern `screen` alternative. + **6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by Hedgehog Linux, but the `avahi` and `cups` services themselves are disabled. **6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. diff --git a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 50f9e89af..8c40a1f7c 100755 --- a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot @@ -201,6 +201,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${yq_tar_url}" | tar -xzf - ./yq_linux_${ARCH mv ./yq_linux_${ARCH} /usr/bin/yq chmod 755 /usr/bin/yq +chown root:root /usr/bin/yq ### # supercronic @@ -220,6 +221,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${croc_tar_url}" | tar -xzf - croc mv ./croc /usr/local/bin/croc chmod 755 /usr/local/bin/croc +chown root:root /usr/local/bin/croc ### # update clamav signatures diff --git a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot index 4801ca047..e4fa64082 100755 --- a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -117,6 +117,7 @@ sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf find /etc/audit -type d -exec chmod 750 "{}" \; find /etc/audit -type f -exec chmod 640 "{}" \; chmod 600 /etc/ssh/sshd_config +chmod o-w /run/sendmail/mta/smsocket # set DIR_MODE to 750 for new users sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf @@ -178,7 +179,7 @@ cat << 'EOF' >> /etc/fluent-bit/parsers.conf Format logfmt EOF -# remove identifying operating system information +# remove identifying operating system information from /etc/issue* truncate -s 0 /etc/motd sed -i "s/Debian/Hedgehog/g" /etc/issue sed -i "s/Debian/Hedgehog/g" /etc/issue.net diff --git a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config index 84e31145f..d1ad39c03 100644 --- a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config +++ b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config @@ -111,7 +111,7 @@ ClientAliveCountMax 0 #ChrootDirectory none #VersionAddendum none -Banner=/etc/issue +Banner=/etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/hedgehog-raspi/sensor_install.sh b/hedgehog-raspi/sensor_install.sh index 0b3cf187f..12c82de02 100644 --- a/hedgehog-raspi/sensor_install.sh +++ b/hedgehog-raspi/sensor_install.sh @@ -251,6 +251,7 @@ clean_up() { # Set Hedgehog banner mv /root/hedgehog-ascii-text.txt /etc/issue + cp /etc/issue /etc/issue.net # Remove ethernet interface files left by installation # Sensor setup will create necessary files when user runs setup diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot index 55f54c4a6..3ed2d1a30 100755 --- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -167,7 +167,7 @@ systemctl disable htpdate || true sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate -# remove identifying operating system information from /etc/issue +# remove identifying operating system information from /etc/issue* truncate -s 0 /etc/motd sed -i "s/Debian/Hedgehog/g" /etc/issue sed -i "s/Debian/Hedgehog/g" /etc/issue.net diff --git a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config index 84e31145f..d1ad39c03 100644 --- a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config +++ b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config @@ -111,7 +111,7 @@ ClientAliveCountMax 0 #ChrootDirectory none #VersionAddendum none -Banner=/etc/issue +Banner=/etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index 3fe94bf3b..6795aaa86 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh @@ -204,8 +204,9 @@ db_get malcolm/dod_banner if [ "$RET" = true ]; then # login banner - OLD_ISSUE="$(grep ^Debian /etc/issue | sed -r "s@[[:space:]]\\\.*@@g")" - cat << 'EOF' > /etc/issue + for ISSUE_FILE in /etc/issue /etc/issue.net; do + OLD_ISSUE="$(grep ^Debian ${ISSUE_FILE} | sed -r "s@[[:space:]]\\\.*@@g")" + cat << 'EOF' > ${ISSUE_FILE} You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. @@ -215,8 +216,9 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. EOF - /bin/echo -E "$OLD_ISSUE \n \l" >> /etc/issue - echo >> /etc/issue + /bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE} + echo >> ${ISSUE_FILE} + done else rm -f /usr/local/bin/dod-login-banner.sh From d303f8b076062a1a4e7c2dde25616aca2bc63e4a Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Tue, 22 Oct 2024 13:44:46 -0600 Subject: [PATCH 60/65] try to fall back to alternate trivy DB database, see aquasecurity/trivy-action#389 --- .github/workflows/api-build-and-push-ghcr.yml | 2 ++ .github/workflows/arkime-build-and-push-ghcr.yml | 2 ++ .github/workflows/dashboards-build-and-push-ghcr.yml | 2 ++ .github/workflows/dashboards-helper-build-and-push-ghcr.yml | 2 ++ .github/workflows/dirinit-build-and-push-ghcr.yml | 2 ++ .github/workflows/file-monitor-build-and-push-ghcr.yml | 2 ++ .github/workflows/file-upload-build-and-push-ghcr.yml | 2 ++ .github/workflows/filebeat-build-and-push-ghcr.yml | 2 ++ .github/workflows/freq-build-and-push-ghcr.yml | 2 ++ .github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml | 2 ++ .github/workflows/htadmin-build-and-push-ghcr.yml | 2 ++ .github/workflows/logstash-build-and-push-ghcr.yml | 2 ++ .github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml | 2 ++ .github/workflows/netbox-build-and-push-ghcr.yml | 2 ++ .github/workflows/nginx-build-and-push-ghcr.yml | 2 ++ .github/workflows/opensearch-build-and-push-ghcr.yml | 2 ++ .github/workflows/pcap-capture-build-and-push-ghcr.yml | 2 ++ .github/workflows/pcap-monitor-build-and-push-ghcr.yml | 2 ++ .github/workflows/postgresql-build-and-push-ghcr.yml | 2 ++ .github/workflows/redis-build-and-push-ghcr.yml | 2 ++ .github/workflows/suricata-build-and-push-ghcr.yml | 2 ++ .github/workflows/zeek-build-and-push-ghcr.yml | 2 ++ 22 files changed, 44 insertions(+) diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index 9768c749f..8eaf30def 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index b3e96c275..fa5644999 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -113,6 +113,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index dcc4b8420..6ced81fe3 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index 5d49c5e04..b0f338def 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml index 5cf0424fd..df3933fac 100644 --- a/.github/workflows/dirinit-build-and-push-ghcr.yml +++ b/.github/workflows/dirinit-build-and-push-ghcr.yml @@ -101,6 +101,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index 4219cbf87..5d44883e1 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -108,6 +108,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index fb0a60067..454ab989e 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index 47759d34b..da2f0536b 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index 4c359f714..3862e5f1f 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml index 50a19f596..4f7f243f0 100644 --- a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml @@ -142,6 +142,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'fs' scan-ref: './hedgehog-iso' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index 0bf33fec7..6a7a4099f 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index e835829a6..1bf286fa7 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index cb5e69eb1..bf5045aeb 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -148,6 +148,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'fs' scan-ref: './malcolm-iso' diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index 8a9e9c922..857015d30 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index 6758e023e..8221bd513 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -118,6 +118,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index 3253ac8ae..1bc3db595 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -110,6 +110,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 6e5ce485d..c01f21f4e 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index 24a54ccbe..2352fb82d 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -111,6 +111,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index d10e377d0..951170880 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -110,6 +110,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index 060a5c056..da0706bea 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml @@ -110,6 +110,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index 01b83f663..36d9adca5 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -110,6 +110,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index 64126d69c..882b77623 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml @@ -112,6 +112,8 @@ jobs: if: ${{ matrix.platform == 'linux/amd64' }} id: trivy-scan uses: aquasecurity/trivy-action@0.28.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: scan-type: 'image' scanners: 'vuln' From d6e306c0b5eb92b74cf1e37808cd92fed76e4994 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Oct 2024 09:37:38 -0600 Subject: [PATCH 61/65] speed up image load from github extract --- scripts/github_image_helper.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh index 248121e30..28d58e94c 100755 --- a/scripts/github_image_helper.sh +++ b/scripts/github_image_helper.sh @@ -163,8 +163,8 @@ function ExtractISOsFromGithubWorkflowBuilds() { # extract the malcolm ISO wrapped in the ghcr.io docker image to a temp directory, # then extract and load the docker images tarball from the ISO. function ExtractAndLoadImagesFromGithubWorkflowBuildISO() { - if ! type xorriso >/dev/null 2>&1 || ! type unsquashfs >/dev/null 2>&1; then - echo "Cannot extract ISO file without xorriso" >&2 + if ! type xorriso >/dev/null 2>&1 || ! type unsquashfs >/dev/null 2>&1 || ! type unxz >/dev/null 2>&1; then + echo "Cannot extract ISO file without xorriso, unsquashfs, and unxz" >&2 else mkdir -p "$WORKDIR" _ExtractISOFromGithubWorkflowBuild malcolm "$WORKDIR" malcolm @@ -174,7 +174,7 @@ function ExtractAndLoadImagesFromGithubWorkflowBuildISO() { if [[ -e filesystem.squashfs ]]; then unsquashfs filesystem.squashfs -f malcolm_images.tar.xz if [[ -e squashfs-root/malcolm_images.tar.xz ]]; then - $MALCOLM_CONTAINER_RUNTIME load -i squashfs-root/malcolm_images.tar.xz + unxz < squashfs-root/malcolm_images.tar.xz | $MALCOLM_CONTAINER_RUNTIME load else echo "Failed to images tarball" 2>&1 fi From 97b45bf065719b58f50f7dbd39e23068c3d34a2e Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Oct 2024 10:14:02 -0600 Subject: [PATCH 62/65] slight tweak to netbox health check --- api/project/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/project/__init__.py b/api/project/__init__.py index d06f99115..1ad80ba8b 100644 --- a/api/project/__init__.py +++ b/api/project/__init__.py @@ -1062,7 +1062,7 @@ def ready(): pipeline in malcolm_utils.deep_get(logstashStats, ["pipelines"], {}) for pipeline in logstash_default_pipelines ), - netbox=(malcolm_utils.deep_get(netboxStatus, ["rq-workers-running"], 0) > 0), + netbox=malcolm_utils.deep_get(netboxStatus, ["netbox-version"]), opensearch=(malcolm_utils.deep_get(openSearchHealth, ["status"], 'red') != "red"), pcap_monitor=pcapMonitorStatus, zeek_extracted_file_logger=zeekExtractedFileLoggerStatus, From 0ec12e3464327958f674f8a692c39beae826c1fe Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Oct 2024 10:26:29 -0600 Subject: [PATCH 63/65] slight tweak to netbox health check --- api/project/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/project/__init__.py b/api/project/__init__.py index 1ad80ba8b..004cc2cf2 100644 --- a/api/project/__init__.py +++ b/api/project/__init__.py @@ -1062,7 +1062,7 @@ def ready(): pipeline in malcolm_utils.deep_get(logstashStats, ["pipelines"], {}) for pipeline in logstash_default_pipelines ), - netbox=malcolm_utils.deep_get(netboxStatus, ["netbox-version"]), + netbox=bool(malcolm_utils.deep_get(netboxStatus, ["netbox-version"])), opensearch=(malcolm_utils.deep_get(openSearchHealth, ["status"], 'red') != "red"), pcap_monitor=pcapMonitorStatus, zeek_extracted_file_logger=zeekExtractedFileLoggerStatus, From 53c99705225b5372b3ec0d8d9fa4df68210b3421 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Oct 2024 13:15:47 -0600 Subject: [PATCH 64/65] fix script name --- scripts/demo/Vagrantfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/demo/Vagrantfile b/scripts/demo/Vagrantfile index 6d5d9e480..b1ffd363f 100644 --- a/scripts/demo/Vagrantfile +++ b/scripts/demo/Vagrantfile @@ -78,10 +78,10 @@ Vagrant.configure("2") do |config| config.vm.provision "shell", privileged: false, inline: <<-STEP2 mkdir -p ~/.local/bin ~/.config - curl -sSL -o ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh + curl -sSL -o ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh https://raw.githubusercontent.com/idaholab/Malcolm/main/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh chmod 755 ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh - MALCOLM_SETUP_NONINTERACTIVE=1 ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh + MALCOLM_SETUP_NONINTERACTIVE=1 ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh STEP2 config.vm.provision :reload From 205fdf176d4ecb899dc591e310ca142c5b4109a2 Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 23 Oct 2024 22:12:28 -0600 Subject: [PATCH 65/65] only do spot checking at the end of the build if we built all of the images --- scripts/build.sh | 70 +++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 34 deletions(-) diff --git a/scripts/build.sh b/scripts/build.sh index 050128dbc..6a9473d79 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -127,37 +127,39 @@ else $DOCKER_COMPOSE_COMMAND --progress=plain build --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL="${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg ZEEK_DEB_ALTERNATE_DOWNLOAD_URL="${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@" fi -# we're going to do some validation that some things got pulled/built correctly -FILES_IN_IMAGES=( - "/usr/share/filebeat-logs/filebeat-logs.yml;filebeat-oss" - "/var/www/upload/filepond/dist/filepond.js;file-upload" - "/opt/freq_server/freq_server.py;freq" - "/usr/local/bin/capa;file-monitor" - "/var/www/htadmin/htadmin.php;htadmin" - "/etc/ip_protocol_name_to_number.yaml;logstash" - "/etc/vendor_macs.yaml;logstash" - "/opt/arkime/etc/GeoLite2-ASN.mmdb;arkime" - "/opt/arkime/etc/GeoLite2-Country.mmdb;arkime" - "/opt/arkime/etc/ipv4-address-space.csv;arkime" - "/opt/arkime/etc/oui.txt;arkime" - "/opt/arkime/bin/capture;arkime" - "/opt/netbox-devicetype-library-import/repo/schema/components.json;netbox" - "/opt/zeek/bin/zeek;zeek" - "/opt/zeek/bin/spicyz;zeek" - "/usr/share/nginx/html/index.html;nginx-proxy" -) -for i in ${FILES_IN_IMAGES[@]}; do - FILE="$(echo "$i" | cut -d';' -f1)" - IMAGE="$(echo "$i" | cut -d';' -f2)" - (( "$(filesize_in_image $IMAGE "$FILE")" > 0 )) || { echo "Failed to create \"$FILE\" in \"$IMAGE\""; exit 1; } -done - -DIRS_IN_IMAGES=( - "/var/lib/clamav;file-monitor;200000000" -) -for i in ${DIRS_IN_IMAGES[@]}; do - DIR="$(echo "$i" | cut -d';' -f1)" - IMAGE="$(echo "$i" | cut -d';' -f2)" - MINSIZE="$(echo "$i" | cut -d';' -f3)" - (( "$(dirsize_in_image $IMAGE "$DIR")" > $MINSIZE )) || { echo "Failed to create \"$DIR\" in \"$IMAGE\""; exit 1; } -done +if (( $# == 0 )); then + # if we built *all* the images, we're going to do some validation that some things got pulled/built correctly + FILES_IN_IMAGES=( + "/usr/share/filebeat-logs/filebeat-logs.yml;filebeat-oss" + "/var/www/upload/filepond/dist/filepond.js;file-upload" + "/opt/freq_server/freq_server.py;freq" + "/usr/local/bin/capa;file-monitor" + "/var/www/htadmin/htadmin.php;htadmin" + "/etc/ip_protocol_name_to_number.yaml;logstash" + "/etc/vendor_macs.yaml;logstash" + "/opt/arkime/etc/GeoLite2-ASN.mmdb;arkime" + "/opt/arkime/etc/GeoLite2-Country.mmdb;arkime" + "/opt/arkime/etc/ipv4-address-space.csv;arkime" + "/opt/arkime/etc/oui.txt;arkime" + "/opt/arkime/bin/capture;arkime" + "/opt/netbox-devicetype-library-import/repo/schema/components.json;netbox" + "/opt/zeek/bin/zeek;zeek" + "/opt/zeek/bin/spicyz;zeek" + "/usr/share/nginx/html/index.html;nginx-proxy" + ) + for i in ${FILES_IN_IMAGES[@]}; do + FILE="$(echo "$i" | cut -d';' -f1)" + IMAGE="$(echo "$i" | cut -d';' -f2)" + (( "$(filesize_in_image $IMAGE "$FILE")" > 0 )) || { echo "Failed to create \"$FILE\" in \"$IMAGE\""; exit 1; } + done + + DIRS_IN_IMAGES=( + "/var/lib/clamav;file-monitor;200000000" + ) + for i in ${DIRS_IN_IMAGES[@]}; do + DIR="$(echo "$i" | cut -d';' -f1)" + IMAGE="$(echo "$i" | cut -d';' -f2)" + MINSIZE="$(echo "$i" | cut -d';' -f3)" + (( "$(dirsize_in_image $IMAGE "$DIR")" > $MINSIZE )) || { echo "Failed to create \"$DIR\" in \"$IMAGE\""; exit 1; } + done +fi \ No newline at end of file