diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml
index 5e70a3c12..0c297098c 100644
--- a/.github/workflows/arkime-build-and-push-ghcr.yml
+++ b/.github/workflows/arkime-build-and-push-ghcr.yml
@@ -106,6 +106,7 @@ jobs:
BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
+ MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL=${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}
push: true
provenance: false
platforms: ${{ matrix.platform }}
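Review bot: The new `MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL` build-arg (like the license key on the line above it) takes its value from a repository secret, yet build-args consumed by a `RUN` are recorded in the image's layer history and can be read back with `docker history` on the published image; if the alternate URL embeds a token (it is stored as a secret, so presumably it does), that token ships inside the image. The action's `secrets:` input with `RUN --mount=type=secret,id=maxmind_url` in the Dockerfile makes the value available only during the build step and never persists it. Whether the download script itself persists the value cannot be seen from this hunk.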
diff --git a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
index e0b13335e..6a16d715e 100644
--- a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
+++ b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
@@ -128,6 +128,8 @@ jobs:
pushd ./hedgehog-iso
echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
+ echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt
+ echo "${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/zeek_url.txt
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
echo "BUILD_JOBS=2" > ./shared/environment.chroot
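Review bot: `echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt` (and the `zeek_url.txt` line) splices the secret into the shell script text, so a value containing `"`, `$` or backticks is re-parsed by the shell instead of written verbatim, and an unset secret still produces a one-byte file holding a newline, which a consumer testing `-f`/`-s` would take as a configured URL. Pass the values through the step's `env:` block and write them with `printf '%s\n' "$MAXMIND_URL" > ./shared/maxmind_url.txt`, and have the consumer treat a blank file as unset. These `shared/` files are plaintext in the build tree; confirm they are excluded from uploaded artifacts and from the ISO, which this hunk does not show.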
diff --git a/.github/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml
index 93a33f001..21c46dbfd 100644
--- a/.github/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml
+++ b/.github/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml
@@ -85,6 +85,8 @@ jobs:
mkdir -p ./shared
echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
+ echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt
+ echo "${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/zeek_url.txt
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
echo "BUILD_JOBS=2" > ./shared/environment.chroot
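Review bot: The three `environment.chroot` writes immediately below the two new lines each use `>`, so by the end of the step the file contains only `BUILD_JOBS=2` and the `GITHUB_TOKEN` and `VCS_REVSION` (sic) lines are lost; that is pre-existing, but since this block is being extended it is worth fixing now with `>>` on the second and third line and correcting the spelling to `VCS_REVISION` if the chroot scripts expect it. The new `maxmind_url.txt`/`zeek_url.txt` lines interpolate secrets straight into the shell text; prefer `env:` plus `printf '%s\n' "$ZEEK_URL"` so a value with shell metacharacters is written verbatim.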
diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml
index 4cec0de26..26fac60b3 100644
--- a/.github/workflows/zeek-build-and-push-ghcr.yml
+++ b/.github/workflows/zeek-build-and-push-ghcr.yml
@@ -105,6 +105,7 @@ jobs:
MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
+ ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}
push: true
provenance: false
platforms: ${{ matrix.platform }}
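Review bot: `ZEEK_DEB_ALTERNATE_DOWNLOAD_URL` is a repository secret but is handed to the build as a plain build-arg, which is visible in the image's layer history (`docker history`) once the `RUN` that uses it has executed, so anything sensitive in the URL (a token or signed query string) ends up in the published image. Use the action's `secrets:` input and `RUN --mount=type=secret` in `zeek.Dockerfile` instead. Nothing in this hunk shows a checksum or signature check on the .deb fetched from the alternate location; if the Dockerfile side does not verify it, a compromised mirror controls what is installed.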
diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile
index 69f1a16ec..5fa14a4d5 100644
--- a/Dockerfiles/api.Dockerfile
+++ b/Dockerfiles/api.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} python:3-slim-bookworm as builder
+FROM python:3-slim-bookworm as builder
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -20,7 +18,7 @@ WORKDIR /usr/src/app
RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheels -r requirements.txt \
&& flake8 --ignore=E203,E501,F401,W503
-FROM --platform=${TARGETPLATFORM} python:3-slim-bookworm
+FROM python:3-slim-bookworm
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -39,6 +37,7 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "yeflask"
ENV PGROUP "yeflask"
ENV PUSER_PRIV_DROP true
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
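Review bot: `USER root` is added without a comment, and for `python:3-slim-bookworm` the build already runs as root, so a reader cannot tell what it is for. If the intent is to make every Malcolm image start its entrypoint as root regardless of the base image's own `USER`, so that the uid/gid setup and `PUSER_PRIV_DROP` handling can run, say so on the line above: `# start as root regardless of the base image's USER; the entrypoint drops to $PUSER when PUSER_PRIV_DROP is true`. If it is only needed for the build stage, a final `USER $PUSER` before the entrypoint would be the least-privilege default; which of the two applies is not visible in this hunk.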
diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile
index fd2d97354..3fc52cab6 100644
--- a/Dockerfiles/arkime.Dockerfile
+++ b/Dockerfiles/arkime.Dockerfile
@@ -1,8 +1,6 @@
-ARG TARGETPLATFORM=linux/amd64
-
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -27,6 +25,7 @@ ENV PGROUP "arkime"
# a final check in docker_entrypoint.sh before startup
ENV PUSER_PRIV_DROP false
ENV PUSER_RLIMIT_UNLOCK true
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -65,6 +64,7 @@ ARG PCAP_PIPELINE_VERBOSITY=""
ARG PCAP_MONITOR_HOST=pcap-monitor
ARG PCAP_NODE_NAME=malcolm
ARG MAXMIND_GEOIP_DB_LICENSE_KEY=""
+ARG MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL=""
# Declare envs vars for each arg
ENV MALCOLM_USERNAME $MALCOLM_USERNAME
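Review bot: `ARG MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL=""` sits directly above `# Declare envs vars for each arg`; its value comes from a repository secret in the workflow, so if it is promoted to `ENV` like the other args it becomes visible in `docker inspect` of every published image and in every process environment at runtime, not just in build history. Keep it ARG-only and consumed solely by the download `RUN`, or better, read it via `RUN --mount=type=secret`. Whether an `ENV` for it exists further down is not visible in this hunk.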
@@ -123,6 +123,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
libyaml-dev \
libyara9 \
libzmq5 \
+ lua5.4 \
lzma \
p7zip-full \
procps \
@@ -148,7 +149,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
mkdir -p "${ARKIME_DIR}"/plugins && \
curl -fsSL -o "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" "$(echo "${ARKIME_JA4_SO_URL}" | sed "s/XXX/${DEBARCH}/g")" && \
chmod 755 "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" && \
- python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==4.0.2 && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==5.0.3 && \
ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \
ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \
ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \
@@ -161,6 +162,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
COPY --chmod=755 shared/bin/self_signed_key_gen.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/maxmind-mmdb-download.sh /usr/local/bin/
COPY --chmod=755 shared/bin/nic-capture-setup.sh /usr/local/bin/
COPY --chmod=755 shared/bin/opensearch_status.sh /opt
COPY --chmod=755 shared/bin/pcap_processor.py /opt/
@@ -179,15 +181,9 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
# see https://dev.maxmind.com/geoip/geoipupdate/#Direct_Downloads
# see https://github.com/arkime/arkime/issues/1350
# see https://github.com/arkime/arkime/issues/1352
-RUN [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ] && for DB in ASN Country City; do \
- cd /tmp && \
- curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz" && \
- tar xf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \
- mv -v "GeoLite2-$DB.mmdb" $ARKIME_DIR/etc/; \
- rm -f "GeoLite2-$DB*"; \
- done; \
- curl -s -S -L -o $ARKIME_DIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \
- curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://www.wireshark.org/download/automated/data/manuf"
+RUN ( /usr/local/bin/maxmind-mmdb-download.sh -o $ARKIME_DIR/etc || true ) && \
+ curl -s -S -L -o $ARKIME_DIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \
+ curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://www.wireshark.org/download/automated/data/manuf"
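Review bot: The two re-added `curl -s -S -L -o ...` lines for `ipv4-address-space.csv` and `oui.txt` lack `-f`, so an HTTP error body (a 404 page or a proxy interstitial) is written into `$ARKIME_DIR/etc` as the data file and the build still succeeds; the `ja4plus` download elsewhere in this file already uses `curl -fsSL`. Change both to `curl -fsSL -o ...`. The new `( /usr/local/bin/maxmind-mmdb-download.sh -o $ARKIME_DIR/etc || true )` keeps the build going with no GeoIP databases whether the key is absent, the download fails, or the archive is rejected — that matches the old `;`-separated loop, but make sure the script prints an unmistakable warning so a missing database is noticed at build time rather than in production.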
RUN groupadd --gid $DEFAULT_GID $PGROUP && \
useradd -M --uid $DEFAULT_UID --gid $DEFAULT_GID --home $ARKIME_DIR $PUSER && \
@@ -201,8 +197,8 @@ RUN groupadd --gid $DEFAULT_GID $PGROUP && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' $ARKIME_DIR/bin/capture && \
chown root:${PGROUP} /sbin/ethtool && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool && \
- mkdir -p /var/run/arkime $ARKIME_DIR/logs && \
- chown -R $PUSER:$PGROUP $ARKIME_DIR/etc $ARKIME_DIR/rules $ARKIME_DIR/logs /var/run/arkime
+ mkdir -p /var/run/arkime $ARKIME_DIR/logs $ARKIME_DIR/lua && \
+ chown -R $PUSER:$PGROUP $ARKIME_DIR/etc $ARKIME_DIR/lua $ARKIME_DIR/rules $ARKIME_DIR/logs /var/run/arkime
#Update Path
ENV PATH="/opt:$ARKIME_DIR/bin:${PATH}"
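Review bot: `chown -R $PUSER:$PGROUP ... $ARKIME_DIR/lua` hands the new Lua directory to the service account, while `$ARKIME_DIR/bin/capture` a few lines above is given file capabilities (`CAP_NET_RAW`, `CAP_NET_ADMIN`, `CAP_IPC_LOCK`). If `capture` loads scripts or plugins from `$ARKIME_DIR/lua`, anything running as `$PUSER` can drop code there that is then executed by a capability-bearing binary. Unless the runtime genuinely needs to write to it, leave the directory `root:$PGROUP` with mode `0755` and populate it at build time or via a read-only mount; whether arkime reads Lua from this path cannot be confirmed from this hunk.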
diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
index b0e87bde8..3d08b203b 100644
--- a/Dockerfiles/dashboards-helper.Dockerfile
+++ b/Dockerfiles/dashboards-helper.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2020 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -18,7 +16,14 @@ ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "helper"
ENV PGROUP "helper"
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "/data/init"
ENV PUSER_PRIV_DROP true
+USER root
ENV TERM xterm
@@ -37,7 +42,7 @@ ENV OPENSEARCH_DEFAULT_DASHBOARD $OPENSEARCH_DEFAULT_DASHBOARD
ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE
ENV PATH="/data:${PATH}"
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -114,6 +119,7 @@ ENTRYPOINT ["/usr/bin/tini", \
CMD ["/usr/local/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
+# see PUSER_CHOWN comment above
VOLUME ["/data/init"]
# to be populated at build-time:
diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index bdf7a0b8f..a9cc67d59 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} opensearchproject/opensearch-dashboards:2.16.0
+FROM opensearchproject/opensearch-dashboards:2.17.1
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -18,13 +16,14 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "opensearch-dashboards"
ENV PGROUP "opensearch-dashboards"
ENV PUSER_PRIV_DROP true
+USER root
ENV TERM xterm
ENV TINI_VERSION v0.19.0
ENV TINI_URL https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini
-ENV OSD_TRANSFORM_VIS_VERSION 2.15.0
+ENV OSD_TRANSFORM_VIS_VERSION 2.17.1
ARG NODE_OPTIONS="--max_old_space_size=4096"
ENV NODE_OPTIONS $NODE_OPTIONS
@@ -43,10 +42,10 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
# Malcolm manages authentication and encryption via NGINX reverse proxy
/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
cd /tmp && \
- unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
- sed -i "s/2\.15\.0/2\.16\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
- sed -i "s/2\.15\.0/2\.16\.0/g" opensearch-dashboards/transformVis/package.json && \
- zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
+ # unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
+ # sed -i "s/2\.16\.0/2\.17\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
+ # sed -i "s/2\.16\.0/2\.17\.0/g" opensearch-dashboards/transformVis/package.json && \
+ # zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
cd /usr/share/opensearch-dashboards/plugins && \
/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/transformVis.zip --allow-root && \
rm -rf /tmp/transformVis /tmp/opensearch-dashboards && \
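Review bot: The four commented-out lines inside the `RUN` chain are dead code carrying a stale version (`2\.17\.0` while the image and `OSD_TRANSFORM_VIS_VERSION` are `2.17.1`), and the `cd /tmp && \` just above them now does nothing because the next live command is `cd /usr/share/opensearch-dashboards/plugins`. Delete the four lines and the orphaned `cd /tmp`, and if the manifest patching is expected to return, replace them with one comment above the install: `# transformVis currently releases in lock-step with OSD, so no version patching of its manifest is needed`. Comment lines inside a backslash-continued RUN are stripped by the Dockerfile parser so the build works, but every reader has to stop and verify that.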
diff --git a/Dockerfiles/dirinit.Dockerfile b/Dockerfiles/dirinit.Dockerfile
index c5bfea7ea..31d70029b 100644
--- a/Dockerfiles/dirinit.Dockerfile
+++ b/Dockerfiles/dirinit.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} alpine:3.20
+FROM alpine:3.20
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -19,6 +17,7 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "dirinit"
ENV PGROUP "dirinit"
ENV PUSER_PRIV_DROP true
+USER root
ENV TERM xterm
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
index 1b3fed7f9..e743951a0 100644
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -19,6 +17,8 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "monitor"
ENV PGROUP "monitor"
ENV PUSER_PRIV_DROP true
+# see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -88,7 +88,7 @@ ENV EXTRACTED_FILE_ENABLE_CAPA $EXTRACTED_FILE_ENABLE_CAPA
ENV EXTRACTED_FILE_CAPA_VERBOSE $EXTRACTED_FILE_CAPA_VERBOSE
ENV SRC_BASE_DIR "/usr/local/src"
ENV CLAMAV_RULES_DIR "/var/lib/clamav"
-ENV YARA_VERSION "4.5.1"
+ENV YARA_VERSION "4.5.2"
ENV YARA_URL "https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz"
ENV YARA_RULES_SRC_DIR "/yara-rules-src"
ENV YARA_RULES_DIR "/yara-rules"
@@ -100,7 +100,7 @@ ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY
ENV EXTRACTED_FILE_HTTP_SERVER_RECURSIVE $EXTRACTED_FILE_HTTP_SERVER_RECURSIVE
ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -159,7 +159,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
python-magic \
stream-zip \
supervisor \
- watchdog==4.0.2 \
+ watchdog==5.0.3 \
yara-python && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
@@ -237,11 +237,18 @@ COPY --chmod=644 shared/bin/watch_common.py /usr/local/bin/
COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/
COPY --chmod=644 file-monitor/supervisord.conf /etc/supervisord.conf
COPY --chmod=755 file-monitor/docker-entrypoint.sh /docker-entrypoint.sh
-COPY --chmod=755 file-monitor/*update.sh /usr/local/bin/
COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
WORKDIR /zeek/extract_files
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "$CLAMAV_RULES_DIR;$YARA_RULES_DIR;$YARA_RULES_SRC_DIR"
+
+# see PUSER_CHOWN comment above
VOLUME ["$CLAMAV_RULES_DIR"]
VOLUME ["$YARA_RULES_DIR"]
VOLUME ["$YARA_RULES_SRC_DIR"]
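Review bot: `COPY --chmod=755 file-monitor/*update.sh /usr/local/bin/` is removed, but nothing in this hunk shows where the ClamAV/YARA rule-update scripts now come from; if the crontab or supervisord entries elsewhere still reference them, scheduled rule updates stop silently. Confirm they are copied by another hunk or are genuinely no longer needed. The new `PUSER_CHOWN` also turns the three rule directories over to `$PUSER` at startup; if the rules are meant to be read-only inputs to the scanner, the comment should note that the scanner's own account can now rewrite its signatures.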
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index 718b17a9e..150e769e6 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim AS npmget
+FROM debian:12-slim AS npmget
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
@@ -17,7 +15,7 @@ RUN apt-get -q update && \
filepond-plugin-file-rename \
@jcubic/tagger
-FROM --platform=${TARGETPLATFORM} debian:12-slim AS runtime
+FROM debian:12-slim AS runtime
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -34,10 +32,17 @@ ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "www-data"
ENV PGROUP "www-data"
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "/var/www/upload/server/php/chroot/files"
# not dropping privileges globally in this container as required to run SFTP server. this can
# be handled by supervisord instead on an as-needed basis, and/or php-fpm/nginx itself
# will drop privileges to www-data as well.
ENV PUSER_PRIV_DROP false
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
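Review bot: `PUSER_CHOWN "/var/www/upload/server/php/chroot/files"` is scoped correctly, but the comment should warn that it must never be widened to `.../chroot` itself: if the SFTP server uses OpenSSH `ChrootDirectory` (the path name and the "required to run SFTP server" comment suggest it), sshd refuses a chroot whose directory or any parent is not root-owned and non-group/world-writable, so a chown of the parent would break every SFTP login. Suggested addition above the ENV: `# keep this on chroot/files only; the chroot directory itself must stay root-owned for sshd ChrootDirectory`.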
@@ -51,7 +56,7 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH
ARG STALE_UPLOAD_DELETE_MIN=360
ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -122,7 +127,9 @@ RUN mkdir -p /run/php \
>/var/www/upload/server/php/chroot/README.txt && \
rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/*
+# see PUSER_CHOWN comment above
VOLUME [ "/var/www/upload/server/php/chroot/files" ]
+
EXPOSE 22 80
ENTRYPOINT ["/usr/bin/tini", \
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index c3db92ac3..fc2a15e76 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} docker.elastic.co/beats/filebeat-oss:8.15.0
+FROM docker.elastic.co/beats/filebeat-oss:8.15.2
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -18,10 +16,17 @@ ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "filebeat"
ENV PGROUP "filebeat"
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "/usr/share/filebeat-logs/data;/usr/share/filebeat-nginx/data;/usr/share/filebeat-tcp/data"
# not dropping privileges globally: supervisord will take care of it
# on a case-by-case basis so that one script (filebeat-watch-zeeklogs-uploads-folder.py)
# can chown uploaded files
ENV PUSER_PRIV_DROP false
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -62,7 +67,7 @@ ARG FILEBEAT_TCP_PARSE_DROP_FIELD=""
ARG FILEBEAT_TCP_TAG="_malcolm_beats"
ARG PCAP_NODE_NAME=malcolm
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -95,13 +100,15 @@ RUN export EVTXARCH=$(uname -m | sed 's/arm64/aarch64/') && \
psmisc \
python3-pip \
python3-setuptools \
+ python3.9 \
rsync \
tar \
tini \
unar \
unzip \
xz-utils && \
- python3 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog==4.0.2 && \
+ ln -s -f -r /usr/bin/python3.9 /usr/bin/python3 && \
+ python3.9 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog==5.0.3 && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
curl -fsSL -o /usr/local/bin/yq "${YQ_URL}${BINARCH}" && \
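Review bot: `ln -s -f -r /usr/bin/python3.9 /usr/bin/python3` replaces the distro's `python3` symlink, so the apt-installed `python3-pip`/`python3-setuptools` from the same command now run under an interpreter they were not packaged for, and any base-image tooling that invokes `/usr/bin/python3` changes interpreter as well; the reason for the switch (presumably `watchdog==5.0.3` dropping older Pythons) is not recorded. Prefer leaving `/usr/bin/python3` alone and calling `python3.9` explicitly, as the `pip install` line already does, in the scripts' shebangs and supervisord command lines — or use `update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1` so the change is visible and reversible — with a one-line comment stating why 3.9 is required.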
@@ -170,6 +177,7 @@ ENV FILEBEAT_REGISTRY_FILE "/usr/share/filebeat-logs/data/registry/filebeat/log.
ENV FILEBEAT_ZEEK_DIR "/zeek/"
ENV PCAP_NODE_NAME $PCAP_NODE_NAME
+# see PUSER_CHOWN comment above
VOLUME ["/usr/share/filebeat-logs/data", "/usr/share/filebeat-nginx/data", "/usr/share/filebeat-tcp/data"]
ENTRYPOINT ["/usr/bin/tini", \
diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile
index 3d9822a29..b68fb6d81 100644
--- a/Dockerfiles/freq.Dockerfile
+++ b/Dockerfiles/freq.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -19,6 +17,7 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "freq"
ENV PGROUP "freq"
ENV PUSER_PRIV_DROP true
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile
index 9c2244da3..175a78459 100644
--- a/Dockerfiles/htadmin.Dockerfile
+++ b/Dockerfiles/htadmin.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:11-slim
+FROM debian:11-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
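Review bot: While `FROM debian:11-slim` is being rewritten here, this is the only image in the change still on bullseye, whose regular security support ended in August 2024 (LTS only), while the sibling Dockerfiles use `debian:12-slim`. If htadmin is held back for a PHP or nginx dependency, a comment on the FROM line saying so would stop the next reviewer asking; otherwise move it to `debian:12-slim` alongside the others.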
@@ -21,6 +19,7 @@ ENV PGROUP "www-data"
# not dropping privileges globally so nginx can bind privileged ports internally.
# nginx and php-fpm will drop privileges to "www-data" user for worker processes
ENV PUSER_PRIV_DROP false
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 2e605b16b..89fde5ef9 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} docker.elastic.co/logstash/logstash-oss:8.15.0
+FROM docker.elastic.co/logstash/logstash-oss:8.15.2
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -19,6 +17,13 @@ ENV PUSER "logstash"
ENV PGROUP "logstash"
ENV PUSER_PRIV_DROP true
ENV PUSER_RLIMIT_UNLOCK true
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "/logstash-persistent-queue"
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -110,6 +115,7 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true"
# own envrionment variable at runtime.
ENV LOGSTASH_KEYSTORE_PASS "a410a267b1404c949284dee25518a917"
+# see PUSER_CHOWN comment above
VOLUME ["/logstash-persistent-queue"]
EXPOSE 5044
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index 73a514b90..eaeecc6ad 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} netboxcommunity/netbox:v4.0.9
+FROM netboxcommunity/netbox:v4.0.11
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -25,12 +23,14 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "ubuntu"
ENV PGROUP "ubuntu"
ENV PUSER_PRIV_DROP true
+USER root
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
ENV NETBOX_INITIALIZERS_VERSION "50d077d"
+ENV NETBOX_TOPOLOGY_VERSION "4.0.1"
ENV YQ_VERSION "4.44.3"
ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_"
@@ -85,6 +85,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
tini && \
"${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-compile --no-cache-dir \
"git+https://github.com/tobiasge/netbox-initializers@${NETBOX_INITIALIZERS_VERSION}" \
+ "git+https://github.com/netbox-community/netbox-topology-views@v${NETBOX_TOPOLOGY_VERSION}" \
psycopg2 \
pynetbox \
python-magic \
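Review bot: `git+https://github.com/netbox-community/netbox-topology-views@v${NETBOX_TOPOLOGY_VERSION}` pins to a git tag, which is mutable (a tag can be deleted and re-pushed), whereas `NETBOX_INITIALIZERS_VERSION` on the line above pins a commit (`50d077d`). Pin the topology plugin the same way — a full commit SHA in `NETBOX_TOPOLOGY_VERSION`, e.g. `ENV NETBOX_TOPOLOGY_VERSION "<sha>"` with the `@v` prefix dropped — or install the released wheel from PyPI with `--require-hashes`, so the image build is reproducible and a tampered tag cannot change what ships.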
diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile
index afcb81a93..e094bcb20 100644
--- a/Dockerfiles/nginx.Dockerfile
+++ b/Dockerfiles/nginx.Dockerfile
@@ -6,10 +6,8 @@
# tiredofit/docker-nginx-ldap - https://github.com/tiredofit/docker-nginx-ldap/blob/master/Dockerfile
####################################################################################
-ARG TARGETPLATFORM=linux/amd64
-
# first build documentation with jekyll
-FROM --platform=${TARGETPLATFORM} ghcr.io/mmguero-dev/jekyll:latest as docbuild
+FROM ghcr.io/mmguero-dev/jekyll:latest as docbuild
ARG GITHUB_TOKEN
ARG VCS_REVISION
@@ -34,7 +32,7 @@ RUN find /site -type f -name "*.md" -exec sed -i "s/{{[[:space:]]*site.github.bu
find /site/_site -type f -name "*.html" -exec sed -i 's@\(href=\)"/"@\1"/readme/"@g' "{}" \;
# build NGINX image
-FROM --platform=${TARGETPLATFORM} alpine:3.20
+FROM alpine:3.20
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -54,6 +52,7 @@ ENV PGROUP "nginx"
# not dropping privileges globally so nginx and stunnel can bind privileged ports internally.
# nginx itself will drop privileges to "nginx" user for worker processes
ENV PUSER_PRIV_DROP false
+USER root
ENV TERM xterm
diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
index 024968f27..78a030676 100644
--- a/Dockerfiles/opensearch.Dockerfile
+++ b/Dockerfiles/opensearch.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} opensearchproject/opensearch:2.16.0
+FROM opensearchproject/opensearch:2.17.1
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -21,6 +19,13 @@ ENV PUSER "opensearch"
ENV PGROUP "opensearch"
ENV PUSER_PRIV_DROP true
ENV PUSER_RLIMIT_UNLOCK true
+# This is to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+ENV PUSER_CHOWN "/var/local/ca-trust"
+USER root
ENV TERM xterm
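Review bot: `PUSER_CHOWN "/var/local/ca-trust"` gives the `opensearch` service account ownership of the CA trust directory at every start; if that volume is the set of CAs the node trusts (the name suggests it, but its consumer is not visible here), a compromised opensearch process can add its own CA and the trust root is no longer under the operator's control. If the podman ownership workaround only needs the directory readable, fix permissions with group read access rather than chown to `$PUSER`, or mount it `:ro`, and record the trade-off in the comment.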
@@ -75,6 +80,7 @@ ENV logger.level "WARN"
ENV MAX_LOCKED_MEMORY "unlimited"
ENV path.repo "/opt/opensearch/backup"
+# see PUSER_CHOWN comment above
VOLUME ["/var/local/ca-trust"]
ENTRYPOINT ["/usr/bin/tini", \
diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile
index 2e3ef0c82..e90d4ce9f 100644
--- a/Dockerfiles/pcap-capture.Dockerfile
+++ b/Dockerfiles/pcap-capture.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -26,6 +24,7 @@ ENV PGROUP "pcap"
# a final check in supervisor.sh before startup
ENV PUSER_PRIV_DROP false
ENV PUSER_RLIMIT_UNLOCK true
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile
index 16670f9f3..8e3cd1492 100644
--- a/Dockerfiles/pcap-monitor.Dockerfile
+++ b/Dockerfiles/pcap-monitor.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -22,6 +20,7 @@ ENV PGROUP "watcher"
# on a case-by-case basis so that one script (watch-pcap-uploads-folder.sh)
# can chown uploaded files
ENV PUSER_PRIV_DROP false
+USER root
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
@@ -68,7 +67,7 @@ RUN apt-get -q update && \
python-magic \
pyzmq \
requests \
- watchdog==4.0.2 && \
+ watchdog==5.0.3 && \
groupadd --gid ${DEFAULT_GID} ${PGROUP} && \
useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER}
diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile
index c35fa8879..ba401f126 100644
--- a/Dockerfiles/postgresql.Dockerfile
+++ b/Dockerfiles/postgresql.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} postgres:15-alpine
+FROM postgres:16-alpine
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -20,6 +18,7 @@ ENV PUSER "postgres"
ENV PGROUP "postgres"
ENV PUSER_PRIV_DROP true
ENV PUSER_CHOWN "/run/postgresql;/var/lib/postgresql"
+USER root
ENV TERM xterm
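Review bot: `postgres:15-alpine` to `postgres:16-alpine` is a major-version change, and a PostgreSQL 16 server refuses to start on a data directory initialised by 15 (the image does not run `pg_upgrade` for you), so existing deployments with data under `/var/lib/postgresql` — listed in `PUSER_CHOWN` here — need a dump/restore or `pg_upgrade` step before this image is rolled out. Call it out in the upgrade notes and, if Malcolm has an upgrade script, add a pre-flight check on the data directory's `PG_VERSION` file; a comment on the FROM line noting the upgrade requirement would also help.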
diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile
index d56a84aa4..d67742fe3 100644
--- a/Dockerfiles/redis.Dockerfile
+++ b/Dockerfiles/redis.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} redis:7-alpine
+FROM redis:7-alpine
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -19,6 +17,7 @@ ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "redis"
ENV PGROUP "redis"
ENV PUSER_PRIV_DROP true
+USER root
ENV TERM xterm
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index 4d8ab53c4..cce710791 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -32,8 +30,10 @@ ENV PGROUP "suricata"
# a final check in docker_entrypoint.sh before startup
ENV PUSER_PRIV_DROP false
ENV PUSER_RLIMIT_UNLOCK true
+# see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
+USER root
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -108,7 +108,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
apt-get install -q -y --no-install-recommends -t bookworm-backports \
suricata=${SURICATA_VERSION_PATTERN} \
suricata-update && \
- python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog==4.0.2 && \
+ python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog==5.0.3 && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
curl -fsSL -o /usr/bin/yq "${YQ_URL}${BINARCH}" && \
@@ -118,8 +118,8 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
usermod -a -G tty ${PUSER} && \
ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_suricata_processor.py && \
(echo "0 */6 * * * /bin/bash /usr/local/bin/suricata-update-rules.sh\n" > ${SUPERCRONIC_CRONTAB}) && \
- mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
- chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
+ mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CONFIG_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
+ chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CONFIG_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \
cp "$(dpkg -L suricata-update | grep 'update\.yaml$' | head -n 1)" \
"$SURICATA_UPDATE_CONFIG_FILE" && \
suricata-update update-sources --verbose --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \
@@ -179,9 +179,18 @@ ENV PCAP_IFACE_TWEAK $PCAP_IFACE_TWEAK
ENV PCAP_FILTER $PCAP_FILTER
ENV PCAP_NODE_NAME $PCAP_NODE_NAME
-
-ENV PUSER_CHOWN "$SURICATA_CONFIG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_LOG_DIR;$SURICATA_RUN_DIR"
-
+# This is in part to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+# However, note that in this case (unlike most of the other Dockerfiles
+# where I've put this workaround) in this case the PUSER_CHOWN was
+# already being set like this, so even if I resolve that issue
+# I probably don't want to remove this.
+ENV PUSER_CHOWN "$SURICATA_CONFIG_DIR;$SURICATA_CUSTOM_RULES_DIR;$SURICATA_CUSTOM_CONFIG_DIR;$SURICATA_LOG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_RUN_DIR"
+
+# see PUSER_CHOWN comment above
VOLUME ["$SURICATA_CONFIG_DIR"]
VOLUME ["$SURICATA_CUSTOM_RULES_DIR"]
VOLUME ["$SURICATA_CUSTOM_CONFIG_DIR"]
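Review bot: The expanded `PUSER_CHOWN` on L703 hands recursive ownership of `$SURICATA_CONFIG_DIR`, `$SURICATA_CUSTOM_RULES_DIR` and `$SURICATA_CUSTOM_CONFIG_DIR` to the unprivileged Suricata user at every start, so the process that parses untrusted traffic can rewrite its own configuration and rules, and the comment itself says the implications are not yet understood. Because those three paths are declared as VOLUMEs right below, they are presumably bind-mounted from the host, and a startup chown performed as root will also rewrite host-side ownership of whatever is mounted there (how PUSER_CHOWN is applied lives in docker-uid-gid-setup.sh, outside this diff). Consider limiting the list to what the entrypoint must actually write (`$SURICATA_LOG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_RUN_DIR`) and, if the rootless podman workaround really needs the rest, state the trade-off in the comment. The comment also stutters ("in this case … in this case"); a tighter version would be `# rootless podman with userns_mode: keep-id sets VOLUME paths to 999:999 (containers/podman#23347); chown them to PUSER at start. Note this makes the config/rules dirs writable by the capture user.`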
@@ -200,7 +209,6 @@ ENTRYPOINT ["/usr/bin/tini", \
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
-
# to be populated at build-time:
ARG BUILD_DATE
ARG MALCOLM_VERSION
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index a62e56137..02b7cd3b1 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -1,6 +1,4 @@
-ARG TARGETPLATFORM=linux/amd64
-
-FROM --platform=${TARGETPLATFORM} debian:12-slim
+FROM debian:12-slim
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -31,10 +29,13 @@ ENV PGROUP "zeeker"
# docker-uid-gid-setup.sh will cause them to be lost, so we need
# a final check in docker_entrypoint.sh before startup
ENV PUSER_PRIV_DROP false
+USER root
+# see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
# for download and install
-ARG ZEEK_VERSION=7.0.0-0
+ARG ZEEK_VERSION=7.0.3-0
ENV ZEEK_VERSION $ZEEK_VERSION
+ARG ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=""
# put Zeek and Spicy in PATH
ENV ZEEK_DIR "/opt/zeek"
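Review bot: `ARG ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=""` on L736 is a plain build arg, and any ARG consumed by a later RUN is recorded in the pushed image's metadata (`docker history`), so if this URL is a private or token-bearing mirror — its name suggests a CI-supplied alternate source — it will be readable by anyone who can pull the image. If it must stay private, pass it with `RUN --mount=type=secret,id=zeek_url` and read `/run/secrets/zeek_url` inside that step instead of an ARG. Separately, installing .deb packages from an operator-chosen URL moves the trust anchor to that host; the download/install step is outside this hunk, so I can't tell whether the files are checksum- or signature-verified before dpkg sees them, and a pinned per-version sha256 would close that regardless of source. `USER root` on L730 presumably exists for the install that follows; a one-line comment saying so would help.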
@@ -51,7 +52,7 @@ ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/
# custom one-off packages locally
ADD zeek/custom-pkg "$ZEEK_DIR"/custom-pkg
-ENV SUPERCRONIC_VERSION "0.2.30"
+ENV SUPERCRONIC_VERSION "0.2.32"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "${ZEEK_DIR}/crontab"
@@ -173,7 +174,7 @@ RUN groupadd --gid ${DEFAULT_GID} ${PUSER} && \
# sanity checks to make sure the plugins installed and copied over correctly
# these ENVs should match the third party scripts/plugins installed by zeek_install_plugins.sh
-ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_SPICY_GE_SRTP|ANALYZER_SPICY_PROFINET_IO_CM|ANALYZER_S7COMM_TCP|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
+ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_HART_IP_UDP|ANALYZER_SPICY_HART_IP_TCP|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_SPICY_GE_SRTP|ANALYZER_SPICY_PROFINET_IO_CM|ANALYZER_S7COMM_TCP|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja4/main|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"
RUN mkdir -p /tmp/logs && \
@@ -246,6 +247,7 @@ ARG ZEEK_DISABLE_HASH_ALL_FILES=
ARG ZEEK_DISABLE_LOG_PASSWORDS=
ARG ZEEK_DISABLE_SSL_VALIDATE_CERTS=
ARG ZEEK_DISABLE_TRACK_ALL_ASSETS=
+ARG ZEEK_DISABLE_DETECT_ROUTERS=true
ARG ZEEK_DISABLE_BEST_GUESS_ICS=true
# TODO: assess spicy-analyzer that replace built-in Zeek parsers
# for now, disable them by default when a Zeek parser exists
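Review bot: `ARG ZEEK_DISABLE_DETECT_ROUTERS=true` on L757 turns the feature it gates off in every default build, while the neighbouring `ZEEK_DISABLE_*` args default to empty, and nothing says why this one is opt-in; the spicy flags below at least carry a TODO. The motivation is not visible here, so fill in the real reason, but a line such as `# router detection is off by default (<reason>); enable with --build-arg ZEEK_DISABLE_DETECT_ROUTERS=` would stop the next maintainer from flipping it blindly. If the default is meant to be temporary, a TODO in the same style as the spicy-analyzer note would make that explicit.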
@@ -264,6 +266,7 @@ ENV ZEEK_DISABLE_HASH_ALL_FILES $ZEEK_DISABLE_HASH_ALL_FILES
ENV ZEEK_DISABLE_LOG_PASSWORDS $ZEEK_DISABLE_LOG_PASSWORDS
ENV ZEEK_DISABLE_SSL_VALIDATE_CERTS $ZEEK_DISABLE_SSL_VALIDATE_CERTS
ENV ZEEK_DISABLE_TRACK_ALL_ASSETS $ZEEK_DISABLE_TRACK_ALL_ASSETS
+ENV ZEEK_DISABLE_DETECT_ROUTERS $ZEEK_DISABLE_DETECT_ROUTERS
ENV ZEEK_DISABLE_BEST_GUESS_ICS $ZEEK_DISABLE_BEST_GUESS_ICS
ENV ZEEK_DISABLE_SPICY_IPSEC $ZEEK_DISABLE_SPICY_IPSEC
@@ -276,8 +279,18 @@ ENV ZEEK_DISABLE_SPICY_TFTP $ZEEK_DISABLE_SPICY_TFTP
ENV ZEEK_DISABLE_SPICY_WIREGUARD $ZEEK_DISABLE_SPICY_WIREGUARD
ENV ZEEK_SYNCHROPHASOR_DETAILED $ZEEK_SYNCHROPHASOR_DETAILED
+# This is in part to handle an issue when running with rootless podman and
+# "userns_mode: keep-id". It seems that anything defined as a VOLUME
+# in the Dockerfile is getting set with an ownership of 999:999.
+# This is to override that, although I'm not yet sure if there are
+# other implications. See containers/podman#23347.
+# However, note that in this case (unlike most of the other Dockerfiles
+# where I've put this workaround) in this case the PUSER_CHOWN was
+# already being set like this, so even if I resolve that issue
+# I probably don't want to remove this.
ENV PUSER_CHOWN "$ZEEK_DIR"
+# see PUSER_CHOWN comment above
VOLUME ["${ZEEK_DIR}/share/zeek/site/intel"]
ENTRYPOINT ["/usr/bin/tini", \
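Review bot: The comment block added above `ENV PUSER_CHOWN "$ZEEK_DIR"` now records as intentional a recursive ownership change of the entire Zeek install tree (binaries, site scripts, plugins) at every start, while the only VOLUME it is meant to fix (L782) is `${ZEEK_DIR}/share/zeek/site/intel`; that gives the capture user — the process parsing untrusted traffic — write access to its own analyzer code. If the podman 999:999 issue is the only driver, narrowing to `ENV PUSER_CHOWN "${ZEEK_DIR}/share/zeek/site/intel"` (plus whatever else the entrypoint writes at runtime, which isn't visible here) would keep the fix and drop the exposure. The comment itself also stutters ("in this case … in this case") and is pasted verbatim from the Suricata Dockerfile; a shorter form, `# rootless podman (userns_mode: keep-id) sets VOLUME paths to 999:999, see containers/podman#23347; PUSER_CHOWN re-owns them at start. This was already $ZEEK_DIR before that workaround.`, reads better.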
@@ -289,6 +302,7 @@ ENTRYPOINT ["/usr/bin/tini", \
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
+USER root
# to be populated at build-time:
ARG BUILD_DATE
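Review bot: The new `USER root` on L786 is the last USER directive in the file, so the image now starts as root by default and nothing in this hunk explains why; together with `PUSER_PRIV_DROP false` earlier in this diff (L729, with its note about capabilities being lost) it looks like the Zeek process keeps root for its whole life rather than dropping to `${PUSER}` after setup. If root is needed only for the entrypoint's chown/capability work, say so next to the directive, e.g. `# stay root for docker-uid-gid-setup.sh (PUSER_CHOWN, capabilities); whether privileges drop afterwards is governed by PUSER_PRIV_DROP`, and confirm that docker_entrypoint.sh — not visible here — really performs the "final check" the earlier comment promises. Otherwise granting the capture capabilities via `setcap` on the zeek binary and ending with a non-root `USER` would be the least-privilege shape.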
diff --git a/api/project/__init__.py b/api/project/__init__.py
index 80a15502a..15748ebe9 100644
--- a/api/project/__init__.py
+++ b/api/project/__init__.py
@@ -67,7 +67,13 @@
fields_to_urls.append(
[r'^zeek\.genisys.*\.', ['DASH:03207c00-d07e-11ec-b4a7-d1b4003706b7', 'DASH:4a4bde20-4760-11ea-949c-bbb5a9feecbf']]
)
+fields_to_urls.append(
+ [r'^zeek\.ge_srtp.*\.', ['DASH:e233a570-45d9-11ef-96a6-432365601033', 'DASH:4a4bde20-4760-11ea-949c-bbb5a9feecbf']]
+)
fields_to_urls.append([r'^zeek\.gquic\.', ['DASH:11ddd980-e388-11e9-b568-cf17de8e860c']])
+fields_to_urls.append(
+ [r'^zeek\.hart_ip.*\.', ['DASH:3a9e3440-75e2-11ef-8138-03748f839a49', 'DASH:4a4bde20-4760-11ea-949c-bbb5a9feecbf']]
+)
fields_to_urls.append([r'^zeek\.http\.', ['DASH:37041ee1-79c0-4684-a436-3173b0e89876']])
fields_to_urls.append([r'^zeek\.intel\.', ['DASH:36ed695f-edcc-47c1-b0ec-50d20c93ce0f']])
fields_to_urls.append([r'^zeek\.irc\.', ['DASH:76f2f912-80da-44cd-ab66-6a73c8344cc3']])
@@ -737,7 +743,7 @@ def fields():
s = SearchClass(
using=databaseClient,
index=index_from_args(args),
- ).extra(size=5000)
+ ).extra(size=6000)
for hit in [x['_source'] for x in s.execute().to_dict().get('hits', {}).get('hits', [])]:
if (fieldname := malcolm_utils.deep_get(hit, ['dbField2'])) and (fieldname not in fields):
if debugApi:
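Review bot: Bumping `.extra(size=5000)` to `6000` on L812 only raises a hard ceiling that the newly added protocol fields just overran; once the field index grows past 6000 the loop below silently drops fields again, with no error or log line. If this Search class exposes the DSL scan helper, iterate the whole index instead — `for hit in (h.to_dict() for h in s.scan()):` — and drop the `.extra(size=...)`, since scan pages through every document without a size cap; at minimum compare the response's `hits.total` against the page size and warn when they differ. The enclosing `fields()` function starts outside this hunk, so I can't see how `s` or `fields` is used afterwards.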
diff --git a/api/requirements.txt b/api/requirements.txt
index 516642bfa..aa497c6ab 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
@@ -5,6 +5,6 @@ opensearch-py==2.6.0
requests==2.32.0
regex==2022.3.2
dateparser==1.1.1
-elasticsearch==8.15.0
-elasticsearch-dsl==8.15.0
+elasticsearch==8.15.1
+elasticsearch-dsl==8.15.4
psutil==5.9.8
\ No newline at end of file
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 822dca867..4a5ad775c 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -29,6 +29,7 @@ logEveryXPackets=500000
logFileCreation=true
logHTTPConnections=false
logUnknownProtocols=false
+luaFiles=
maxESConns=30
maxESRequests=500
maxFileSizeG=4
@@ -44,7 +45,7 @@ parseSMB=true
parseSMTP=true
passwordSecret=Malcolm
pcapDir=/data/pcap/processed
-plugins=wise.so
+plugins=lua.so;wise.so
pluginsDir=/opt/arkime/plugins
queryAllIndices=false
queryExtraIndices=
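Review bot: `plugins=lua.so;wise.so` on L847 loads Arkime's Lua plugin into the capture process while `luaFiles=` (L838) is empty, so the plugin is a no-op until someone lists a script, at which point that script runs with the capture process's privileges on every packet. That is fine if intended, but it makes `luaFiles` a code-execution knob, so a comment next to it — `# lua.so is loaded so operators can add packet-processing scripts via luaFiles; anything listed there executes inside arkime-capture` — would make the trust boundary explicit. If no Lua scripts are planned yet, leaving `lua.so` out until they are keeps the loaded attack surface smaller. Unrelated to this change but visible as context: `passwordSecret=Malcolm` on L844 is a well-known default that should be overridden at deploy time — presumably it is, but worth confirming.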
@@ -317,6 +318,7 @@ zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;viewe
zeek.cip.cip_status_code=db:zeek.cip.cip_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Status Code;help:Status Code
zeek.cip.cip_extended_status_code=db:zeek.cip.cip_extended_status_code;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status Code;help:Extended Status Code
zeek.cip.cip_extended_status=db:zeek.cip.cip_extended_status;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Extended Status;help:Extended Status
+zeek.cip.packet_correlation_id=db:zeek.cip.packet_correlation_id;group:zeek_cip;kind:termfield;viewerOnly:true;friendly:Packet Correlation ID;help:Packet Correlation ID
# cip_identity.log
# https://github.com/cisagov/ICSNPP
@@ -594,6 +596,615 @@ zeek.gquic.tag_count=db:zeek.gquic.tag_count;group:zeek_gquic;kind:integer;viewe
zeek.gquic.cyu=db:zeek.gquic.cyu;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint;help:gquic cyu
zeek.gquic.cyutags=db:zeek.gquic.cyutags;group:zeek_gquic;kind:termfield;viewerOnly:true;friendly:CYU Fingerprint Digest;help:gquic cyutags
+# hart_ip_common_commands.log
+# https://github.com/cisagov/icsnpp-hart-ip
+zeek.hart_ip_common_commands.read_device_variables_request_slot0_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_request_slot0_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_request_slot0_device_variable_code;help:read_device_variables_request_slot0_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_request_slot1_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_request_slot1_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_request_slot1_device_variable_code;help:read_device_variables_request_slot1_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_request_slot2_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_request_slot2_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_request_slot2_device_variable_code;help:read_device_variables_request_slot2_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_request_slot3_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_request_slot3_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_request_slot3_device_variable_code;help:read_device_variables_request_slot3_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_response_slot0_device_variable_code;help:read_device_variables_response_slot0_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot0_units_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot0_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot0_units_code;help:read_device_variables_response_slot0_units_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable=db:zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot0_device_variable;help:read_device_variables_response_slot0_device_variable
+zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_response_slot1_device_variable_code;help:read_device_variables_response_slot1_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot1_units_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot1_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot1_units_code;help:read_device_variables_response_slot1_units_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable=db:zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot1_device_variable;help:read_device_variables_response_slot1_device_variable
+zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_response_slot2_device_variable_code;help:read_device_variables_response_slot2_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot2_units_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot2_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot2_units_code;help:read_device_variables_response_slot2_units_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable=db:zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot2_device_variable;help:read_device_variables_response_slot2_device_variable
+zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variables_response_slot3_device_variable_code;help:read_device_variables_response_slot3_device_variable_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot3_units_code=db:zeek.hart_ip_common_commands.read_device_variables_response_slot3_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot3_units_code;help:read_device_variables_response_slot3_units_code
+zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable=db:zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variables_response_slot3_device_variable;help:read_device_variables_response_slot3_device_variable
+zeek.hart_ip_common_commands.write_primary_variable_damping_value_pv_damping_value=db:zeek.hart_ip_common_commands.write_primary_variable_damping_value_pv_damping_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_damping_value_pv_damping_value;help:write_primary_variable_damping_value_pv_damping_value
+zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code=db:zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code;help:write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code
+zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_range_value=db:zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_range_values_pv_upper_range_value;help:write_primary_variable_range_values_pv_upper_range_value
+zeek.hart_ip_common_commands.write_primary_variable_range_values_p_v_lower_range_value=db:zeek.hart_ip_common_commands.write_primary_variable_range_values_p_v_lower_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_range_values_p_v_lower_range_value;help:write_primary_variable_range_values_p_v_lower_range_value
+zeek.hart_ip_common_commands.eeprom_control_eeprom_control_code=db:zeek.hart_ip_common_commands.eeprom_control_eeprom_control_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:eeprom_control_eeprom_control_code;help:eeprom_control_eeprom_control_code
+zeek.hart_ip_common_commands.enter_exit_fixed_current_mode_pv_fixed_current_level=db:zeek.hart_ip_common_commands.enter_exit_fixed_current_mode_pv_fixed_current_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:enter_exit_fixed_current_mode_pv_fixed_current_level;help:enter_exit_fixed_current_mode_pv_fixed_current_level
+zeek.hart_ip_common_commands.write_primary_variable_units_pv_unit_codes=db:zeek.hart_ip_common_commands.write_primary_variable_units_pv_unit_codes;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_units_pv_unit_codes;help:write_primary_variable_units_pv_unit_codes
+zeek.hart_ip_common_commands.trim_loop_current_zero_measured_pv_loop_current_level=db:zeek.hart_ip_common_commands.trim_loop_current_zero_measured_pv_loop_current_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_loop_current_zero_measured_pv_loop_current_level;help:trim_loop_current_zero_measured_pv_loop_current_level
+zeek.hart_ip_common_commands.trim_loop_current_gain_measured_pv_loop_current_level=db:zeek.hart_ip_common_commands.trim_loop_current_gain_measured_pv_loop_current_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_loop_current_gain_measured_pv_loop_current_level;help:trim_loop_current_gain_measured_pv_loop_current_level
+zeek.hart_ip_common_commands.write_primary_variable_transfer_function_p_v_transfer_function_code=db:zeek.hart_ip_common_commands.write_primary_variable_transfer_function_p_v_transfer_function_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_primary_variable_transfer_function_p_v_transfer_function_code;help:write_primary_variable_transfer_function_p_v_transfer_function_code
+zeek.hart_ip_common_commands.write_primary_variable_transducer_serial_number_pv_transducer_serial_number=db:zeek.hart_ip_common_commands.write_primary_variable_transducer_serial_number_pv_transducer_serial_number;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_primary_variable_transducer_serial_number_pv_transducer_serial_number;help:write_primary_variable_transducer_serial_number_pv_transducer_serial_number
+zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable;help:read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable
+zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable;help:read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable
+zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable;help:read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable
+zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable;help:read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable
+zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable=db:zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable;help:write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable
+zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable=db:zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable;help:write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable
+zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable=db:zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable;help:write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable
+zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable=db:zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable;help:write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable
+zeek.hart_ip_common_commands.set_device_variable_zero_device_variable_zeroed=db:zeek.hart_ip_common_commands.set_device_variable_zero_device_variable_zeroed;group:zeek_hart_ip_common_commands;kind:integer;friendly:set_device_variable_zero_device_variable_zeroed;help:set_device_variable_zero_device_variable_zeroed
+zeek.hart_ip_common_commands.write_device_variable_units_device_variable_code=db:zeek.hart_ip_common_commands.write_device_variable_units_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_units_device_variable_code;help:write_device_variable_units_device_variable_code
+zeek.hart_ip_common_commands.write_device_variable_units_device_variable_units_code=db:zeek.hart_ip_common_commands.write_device_variable_units_device_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_units_device_variable_units_code;help:write_device_variable_units_device_variable_units_code
+zeek.hart_ip_common_commands.read_device_variable_information_request_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variable_information_request_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_information_request_device_variable_code;help:read_device_variable_information_request_device_variable_code
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_information_response_device_variable_code;help:read_device_variable_information_response_device_variable_code
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_transducer_serial_number=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_transducer_serial_number;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_information_response_device_variable_transducer_serial_number;help:read_device_variable_information_response_device_variable_transducer_serial_number
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_limits_minimum_span_units_code=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_limits_minimum_span_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_limits_minimum_span_units_code;help:read_device_variable_information_response_device_variable_limits_minimum_span_units_code
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_upper_transducer_limit=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_upper_transducer_limit;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_upper_transducer_limit;help:read_device_variable_information_response_device_variable_upper_transducer_limit
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_lower_transducer_limit=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_lower_transducer_limit;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_lower_transducer_limit;help:read_device_variable_information_response_device_variable_lower_transducer_limit
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_damping_value=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_damping_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_damping_value;help:read_device_variable_information_response_device_variable_damping_value
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_minimum_span=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_minimum_span;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_minimum_span;help:read_device_variable_information_response_device_variable_minimum_span
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_classification=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_classification;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_classification;help:read_device_variable_information_response_device_variable_classification
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_family=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_family;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_family;help:read_device_variable_information_response_device_variable_family
+zeek.hart_ip_common_commands.read_device_variable_information_response_acquisition_period=db:zeek.hart_ip_common_commands.read_device_variable_information_response_acquisition_period;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_acquisition_period;help:read_device_variable_information_response_acquisition_period
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_simulated=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_simulated;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_properties_is_simulated;help:read_device_variable_information_response_device_variable_properties_is_simulated
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_undefined_bits_1_6=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_undefined_bits_1_6;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_information_response_device_variable_properties_undefined_bits_1_6;help:read_device_variable_information_response_device_variable_properties_undefined_bits_1_6
+zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_input=db:zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_input;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_information_response_device_variable_properties_is_input;help:read_device_variable_information_response_device_variable_properties_is_input
+zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_code=db:zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_damping_value_device_variable_code;help:write_device_variable_damping_value_device_variable_code
+zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_damping_value=db:zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_damping_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_damping_value_device_variable_damping_value;help:write_device_variable_damping_value_device_variable_damping_value
+zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_code=db:zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_transducer_serial_no_device_variable_code;help:write_device_variable_transducer_serial_no_device_variable_code
+zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_transducer_serial_number=db:zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_transducer_serial_number;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_transducer_serial_no_device_variable_transducer_serial_number;help:write_device_variable_transducer_serial_no_device_variable_transducer_serial_number
+zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_tag=db:zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_tag;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_unit_tag_descriptor_date_response_unit_tag;help:read_unit_tag_descriptor_date_response_unit_tag
+zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_descriptor=db:zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_descriptor;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_unit_tag_descriptor_date_response_unit_descriptor;help:read_unit_tag_descriptor_date_response_unit_descriptor
+zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_date=db:zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_date;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_unit_tag_descriptor_date_response_unit_date;help:read_unit_tag_descriptor_date_response_unit_date
+zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_tag=db:zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_tag;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_unit_tag_descriptor_date_unit_tag;help:write_unit_tag_descriptor_date_unit_tag
+zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_descriptor=db:zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_descriptor;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_unit_tag_descriptor_date_unit_descriptor;help:write_unit_tag_descriptor_date_unit_descriptor
+zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_date=db:zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_date;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_unit_tag_descriptor_date_unit_date;help:write_unit_tag_descriptor_date_unit_date
+zeek.hart_ip_common_commands.write_number_of_response_preambles_number_of_preambles=db:zeek.hart_ip_common_commands.write_number_of_response_preambles_number_of_preambles;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_number_of_response_preambles_number_of_preambles;help:write_number_of_response_preambles_number_of_preambles
+zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_request_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_request_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_and_percent_of_range_request_analog_channel_number_code;help:read_analog_channel_and_percent_of_range_request_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_and_percent_of_range_response_analog_channel_number_code;help:read_analog_channel_and_percent_of_range_response_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_units_code=db:zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_and_percent_of_range_response_analog_channel_units_code;help:read_analog_channel_and_percent_of_range_response_analog_channel_units_code
+zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_level=db:zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_and_percent_of_range_response_analog_channel_level;help:read_analog_channel_and_percent_of_range_response_analog_channel_level
+zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range=db:zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range;help:read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code;help:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level;help:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code;help:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable;help:read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code;help:read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable;help:read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code;help:read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable;help:read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code;help:read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code
+zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable=db:zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable;help:read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable
+zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot0=db:zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot0;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_request_analog_channel_number_code_slot0;help:read_analog_channels_request_analog_channel_number_code_slot0
+zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot1=db:zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot1;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_request_analog_channel_number_code_slot1;help:read_analog_channels_request_analog_channel_number_code_slot1
+zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot2=db:zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot2;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_request_analog_channel_number_code_slot2;help:read_analog_channels_request_analog_channel_number_code_slot2
+zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot3=db:zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot3;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_request_analog_channel_number_code_slot3;help:read_analog_channels_request_analog_channel_number_code_slot3
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot0=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot0;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_response_analog_channel_number_code_slot0;help:read_analog_channels_response_analog_channel_number_code_slot0
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot0=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot0;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_units_code_slot0;help:read_analog_channels_response_analog_channel_units_code_slot0
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot0=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot0;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_level_slot0;help:read_analog_channels_response_analog_channel_level_slot0
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot1=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot1;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_response_analog_channel_number_code_slot1;help:read_analog_channels_response_analog_channel_number_code_slot1
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot1=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot1;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_units_code_slot1;help:read_analog_channels_response_analog_channel_units_code_slot1
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot1=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot1;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_level_slot1;help:read_analog_channels_response_analog_channel_level_slot1
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot2=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot2;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_response_analog_channel_number_code_slot2;help:read_analog_channels_response_analog_channel_number_code_slot2
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot2=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot2;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_units_code_slot2;help:read_analog_channels_response_analog_channel_units_code_slot2
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot2=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot2;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_level_slot2;help:read_analog_channels_response_analog_channel_level_slot2
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot3=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot3;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channels_response_analog_channel_number_code_slot3;help:read_analog_channels_response_analog_channel_number_code_slot3
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot3=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot3;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_units_code_slot3;help:read_analog_channels_response_analog_channel_units_code_slot3
+zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot3=db:zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot3;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channels_response_analog_channel_level_slot3;help:read_analog_channels_response_analog_channel_level_slot3
+zeek.hart_ip_common_commands.read_analog_channel_information_request_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_information_request_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_information_request_analog_channel_number_code;help:read_analog_channel_information_request_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_information_response_analog_channel_number_code;help:read_analog_channel_information_response_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_alarm_selection_code=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_alarm_selection_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_alarm_selection_code;help:read_analog_channel_information_response_analog_channel_alarm_selection_code
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_transfer_function_code=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_transfer_function_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_transfer_function_code;help:read_analog_channel_information_response_analog_channel_transfer_function_code
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code;help:read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_range_value=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_upper_range_value;help:read_analog_channel_information_response_analog_channel_upper_range_value
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_lower_range_value=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_lower_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_lower_range_value;help:read_analog_channel_information_response_analog_channel_lower_range_value
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_damping_value=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_damping_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_damping_value;help:read_analog_channel_information_response_analog_channel_damping_value
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_simulated=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_simulated;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_flags_is_simulated;help:read_analog_channel_information_response_analog_channel_flags_is_simulated
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6;help:read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6
+zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_input=db:zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_input;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_information_response_analog_channel_flags_is_input;help:read_analog_channel_information_response_analog_channel_flags_is_input
+zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_number_code=db:zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_analog_channel_additional_damping_value_analog_channel_number_code;help:write_analog_channel_additional_damping_value_analog_channel_number_code
+zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_damping_value=db:zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_damping_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_analog_channel_additional_damping_value_analog_channel_damping_value;help:write_analog_channel_additional_damping_value_analog_channel_damping_value
+zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_number_code=db:zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_analog_channel_range_values_analog_channel_number_code;help:write_analog_channel_range_values_analog_channel_number_code
+zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code=db:zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code;help:write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code
+zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_range_value=db:zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_analog_channel_range_values_analog_channel_upper_range_value;help:write_analog_channel_range_values_analog_channel_upper_range_value
+zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_lower_range_value=db:zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_lower_range_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_analog_channel_range_values_analog_channel_lower_range_value;help:write_analog_channel_range_values_analog_channel_lower_range_value
+zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_number_code=db:zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:enter_exit_fixed_analog_channel_mode_analog_channel_number_code;help:enter_exit_fixed_analog_channel_mode_analog_channel_number_code
+zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_units_code=db:zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:enter_exit_fixed_analog_channel_mode_analog_channel_units_code;help:enter_exit_fixed_analog_channel_mode_analog_channel_units_code
+zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level=db:zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level;help:enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level
+zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_number_code=db:zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:trim_analog_channel_zero_analog_channel_number_code;help:trim_analog_channel_zero_analog_channel_number_code
+zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_units_code=db:zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_analog_channel_zero_analog_channel_units_code;help:trim_analog_channel_zero_analog_channel_units_code
+zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_level=db:zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_analog_channel_zero_analog_channel_level;help:trim_analog_channel_zero_analog_channel_level
+zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_number_code=db:zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:trim_analog_channel_gain_analog_channel_number_code;help:trim_analog_channel_gain_analog_channel_number_code
+zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_units_code=db:zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_analog_channel_gain_analog_channel_units_code;help:trim_analog_channel_gain_analog_channel_units_code
+zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_level=db:zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_level;group:zeek_hart_ip_common_commands;kind:termfield;friendly:trim_analog_channel_gain_analog_channel_level;help:trim_analog_channel_gain_analog_channel_level
+zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_number_code=db:zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_analog_channel_transfer_function_analog_channel_number_code;help:write_analog_channel_transfer_function_analog_channel_number_code
+zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_units_code=db:zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_analog_channel_transfer_function_analog_channel_units_code;help:write_analog_channel_transfer_function_analog_channel_units_code
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_request_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_request_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_endpoint_values_request_analog_channel_number_code;help:read_analog_channel_endpoint_values_request_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_number_code=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_number_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_analog_channel_endpoint_values_response_analog_channel_number_code;help:read_analog_channel_endpoint_values_response_analog_channel_number_code
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code;help:read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value;help:read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value;help:read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value;help:read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value
+zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value=db:zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value;help:read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value
+zeek.hart_ip_common_commands.lock_device_lock_code=db:zeek.hart_ip_common_commands.lock_device_lock_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:lock_device_lock_code;help:lock_device_lock_code
+zeek.hart_ip_common_commands.squawk_squawk_control=db:zeek.hart_ip_common_commands.squawk_squawk_control;group:zeek_hart_ip_common_commands;kind:termfield;friendly:squawk_squawk_control;help:squawk_squawk_control
+zeek.hart_ip_common_commands.find_device_response_254=db:zeek.hart_ip_common_commands.find_device_response_254;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_254;help:find_device_response_254
+zeek.hart_ip_common_commands.find_device_response_expanded_device_type=db:zeek.hart_ip_common_commands.find_device_response_expanded_device_type;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_expanded_device_type;help:find_device_response_expanded_device_type
+zeek.hart_ip_common_commands.find_device_response_minimum_preambles_master_slave=db:zeek.hart_ip_common_commands.find_device_response_minimum_preambles_master_slave;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_minimum_preambles_master_slave;help:find_device_response_minimum_preambles_master_slave
+zeek.hart_ip_common_commands.find_device_response_hart_protocol_major_revision=db:zeek.hart_ip_common_commands.find_device_response_hart_protocol_major_revision;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_hart_protocol_major_revision;help:find_device_response_hart_protocol_major_revision
+zeek.hart_ip_common_commands.find_device_response_device_revision_level=db:zeek.hart_ip_common_commands.find_device_response_device_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_device_revision_level;help:find_device_response_device_revision_level
+zeek.hart_ip_common_commands.find_device_response_software_revision_level=db:zeek.hart_ip_common_commands.find_device_response_software_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_software_revision_level;help:find_device_response_software_revision_level
+zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level=db:zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;help:find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level
+zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code=db:zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;help:find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code
+zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_in_multi_drop_only=db:zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_in_multi_drop_only;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_c8_psk_in_multi_drop_only;help:find_device_response_flags_c8_psk_in_multi_drop_only
+zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_capable_field_device=db:zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_capable_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_c8_psk_capable_field_device;help:find_device_response_flags_c8_psk_capable_field_device
+zeek.hart_ip_common_commands.find_device_response_flags_undefined_5=db:zeek.hart_ip_common_commands.find_device_response_flags_undefined_5;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_undefined_5;help:find_device_response_flags_undefined_5
+zeek.hart_ip_common_commands.find_device_response_flags_safehart_capable_field_device=db:zeek.hart_ip_common_commands.find_device_response_flags_safehart_capable_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_safehart_capable_field_device;help:find_device_response_flags_safehart_capable_field_device
+zeek.hart_ip_common_commands.find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation=db:zeek.hart_ip_common_commands.find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;help:find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation
+zeek.hart_ip_common_commands.find_device_response_flags_protocol_bridge_device=db:zeek.hart_ip_common_commands.find_device_response_flags_protocol_bridge_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_protocol_bridge_device;help:find_device_response_flags_protocol_bridge_device
+zeek.hart_ip_common_commands.find_device_response_flags_eeprom_control=db:zeek.hart_ip_common_commands.find_device_response_flags_eeprom_control;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_eeprom_control;help:find_device_response_flags_eeprom_control
+zeek.hart_ip_common_commands.find_device_response_flags_mutli_sensor_field_device=db:zeek.hart_ip_common_commands.find_device_response_flags_mutli_sensor_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_flags_mutli_sensor_field_device;help:find_device_response_flags_mutli_sensor_field_device
+zeek.hart_ip_common_commands.find_device_response_device_id=db:zeek.hart_ip_common_commands.find_device_response_device_id;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_device_id;help:find_device_response_device_id
+zeek.hart_ip_common_commands.find_device_response_number_preambles_slave_master=db:zeek.hart_ip_common_commands.find_device_response_number_preambles_slave_master;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_number_preambles_slave_master;help:find_device_response_number_preambles_slave_master
+zeek.hart_ip_common_commands.find_device_response_last_device_variable_this=db:zeek.hart_ip_common_commands.find_device_response_last_device_variable_this;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_last_device_variable_this;help:find_device_response_last_device_variable_this
+zeek.hart_ip_common_commands.find_device_response_configuration_change_counter=db:zeek.hart_ip_common_commands.find_device_response_configuration_change_counter;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_configuration_change_counter;help:find_device_response_configuration_change_counter
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_common_commands;kind:integer;friendly:find_device_response_extended_field_device_status_undefined_bits;help:find_device_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_function_check=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_function_check;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_function_check;help:find_device_response_extended_field_device_status_function_check
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_out_of_specification;help:find_device_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_failure=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_failure;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_failure;help:find_device_response_extended_field_device_status_failure
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_critical_power_failure;help:find_device_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_device_variable_alert;help:find_device_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_extended_field_device_status_maintenance_required;help:find_device_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_common_commands.find_device_response_manufacturer_identification_code=db:zeek.hart_ip_common_commands.find_device_response_manufacturer_identification_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_manufacturer_identification_code;help:find_device_response_manufacturer_identification_code
+zeek.hart_ip_common_commands.find_device_response_private_label_distributor_code=db:zeek.hart_ip_common_commands.find_device_response_private_label_distributor_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_private_label_distributor_code;help:find_device_response_private_label_distributor_code
+zeek.hart_ip_common_commands.find_device_response_device_profile=db:zeek.hart_ip_common_commands.find_device_response_device_profile;group:zeek_hart_ip_common_commands;kind:termfield;friendly:find_device_response_device_profile;help:find_device_response_device_profile
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_io_cards=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_io_cards;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_max_io_cards;help:read_io_system_capabilities_response_max_io_cards
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_channels_per_io_card=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_channels_per_io_card;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_max_channels_per_io_card;help:read_io_system_capabilities_response_max_channels_per_io_card
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_sub_devices_per_channel=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_sub_devices_per_channel;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_max_sub_devices_per_channel;help:read_io_system_capabilities_response_max_sub_devices_per_channel
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_number_of_devices_detected=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_number_of_devices_detected;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_number_of_devices_detected;help:read_io_system_capabilities_response_number_of_devices_detected
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_delayed_responses_supported=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_delayed_responses_supported;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_max_delayed_responses_supported;help:read_io_system_capabilities_response_max_delayed_responses_supported
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_master_mode=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_master_mode;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_io_system_capabilities_response_master_mode;help:read_io_system_capabilities_response_master_mode
+zeek.hart_ip_common_commands.read_io_system_capabilities_response_retry_count=db:zeek.hart_ip_common_commands.read_io_system_capabilities_response_retry_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_system_capabilities_response_retry_count;help:read_io_system_capabilities_response_retry_count
+zeek.hart_ip_common_commands.poll_sub_device_request_io_card=db:zeek.hart_ip_common_commands.poll_sub_device_request_io_card;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_request_io_card;help:poll_sub_device_request_io_card
+zeek.hart_ip_common_commands.poll_sub_device_request_channel=db:zeek.hart_ip_common_commands.poll_sub_device_request_channel;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_request_channel;help:poll_sub_device_request_channel
+zeek.hart_ip_common_commands.poll_sub_device_request_sub_device_polling_address=db:zeek.hart_ip_common_commands.poll_sub_device_request_sub_device_polling_address;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_request_sub_device_polling_address;help:poll_sub_device_request_sub_device_polling_address
+zeek.hart_ip_common_commands.poll_sub_device_response_254=db:zeek.hart_ip_common_commands.poll_sub_device_response_254;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_254;help:poll_sub_device_response_254
+zeek.hart_ip_common_commands.poll_sub_device_response_expanded_device_type=db:zeek.hart_ip_common_commands.poll_sub_device_response_expanded_device_type;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_expanded_device_type;help:poll_sub_device_response_expanded_device_type
+zeek.hart_ip_common_commands.poll_sub_device_response_minimum_preambles_master_slave=db:zeek.hart_ip_common_commands.poll_sub_device_response_minimum_preambles_master_slave;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_minimum_preambles_master_slave;help:poll_sub_device_response_minimum_preambles_master_slave
+zeek.hart_ip_common_commands.poll_sub_device_response_hart_protocol_major_revision=db:zeek.hart_ip_common_commands.poll_sub_device_response_hart_protocol_major_revision;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_hart_protocol_major_revision;help:poll_sub_device_response_hart_protocol_major_revision
+zeek.hart_ip_common_commands.poll_sub_device_response_device_revision_level=db:zeek.hart_ip_common_commands.poll_sub_device_response_device_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_device_revision_level;help:poll_sub_device_response_device_revision_level
+zeek.hart_ip_common_commands.poll_sub_device_response_software_revision_level=db:zeek.hart_ip_common_commands.poll_sub_device_response_software_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_software_revision_level;help:poll_sub_device_response_software_revision_level
+zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level=db:zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;help:poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level
+zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code=db:zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;help:poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_in_multi_drop_only=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_in_multi_drop_only;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_c8_psk_in_multi_drop_only;help:poll_sub_device_response_flags_c8_psk_in_multi_drop_only
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_capable_field_device=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_capable_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_c8_psk_capable_field_device;help:poll_sub_device_response_flags_c8_psk_capable_field_device
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_undefined_5=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_undefined_5;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_undefined_5;help:poll_sub_device_response_flags_undefined_5
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_safehart_capable_field_device=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_safehart_capable_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_safehart_capable_field_device;help:poll_sub_device_response_flags_safehart_capable_field_device
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;help:poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_protocol_bridge_device=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_protocol_bridge_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_protocol_bridge_device;help:poll_sub_device_response_flags_protocol_bridge_device
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_eeprom_control=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_eeprom_control;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_eeprom_control;help:poll_sub_device_response_flags_eeprom_control
+zeek.hart_ip_common_commands.poll_sub_device_response_flags_mutli_sensor_field_device=db:zeek.hart_ip_common_commands.poll_sub_device_response_flags_mutli_sensor_field_device;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_flags_mutli_sensor_field_device;help:poll_sub_device_response_flags_mutli_sensor_field_device
+zeek.hart_ip_common_commands.poll_sub_device_response_device_id=db:zeek.hart_ip_common_commands.poll_sub_device_response_device_id;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_device_id;help:poll_sub_device_response_device_id
+zeek.hart_ip_common_commands.poll_sub_device_response_number_preambles_slave_master=db:zeek.hart_ip_common_commands.poll_sub_device_response_number_preambles_slave_master;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_number_preambles_slave_master;help:poll_sub_device_response_number_preambles_slave_master
+zeek.hart_ip_common_commands.poll_sub_device_response_last_device_variable_this=db:zeek.hart_ip_common_commands.poll_sub_device_response_last_device_variable_this;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_last_device_variable_this;help:poll_sub_device_response_last_device_variable_this
+zeek.hart_ip_common_commands.poll_sub_device_response_configuration_change_counter=db:zeek.hart_ip_common_commands.poll_sub_device_response_configuration_change_counter;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_configuration_change_counter;help:poll_sub_device_response_configuration_change_counter
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_common_commands;kind:integer;friendly:poll_sub_device_response_extended_field_device_status_undefined_bits;help:poll_sub_device_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_function_check=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_function_check;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_function_check;help:poll_sub_device_response_extended_field_device_status_function_check
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_out_of_specification;help:poll_sub_device_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_failure=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_failure;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_failure;help:poll_sub_device_response_extended_field_device_status_failure
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_critical_power_failure;help:poll_sub_device_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_device_variable_alert;help:poll_sub_device_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_extended_field_device_status_maintenance_required;help:poll_sub_device_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_common_commands.poll_sub_device_response_manufacturer_identification_code=db:zeek.hart_ip_common_commands.poll_sub_device_response_manufacturer_identification_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_manufacturer_identification_code;help:poll_sub_device_response_manufacturer_identification_code
+zeek.hart_ip_common_commands.poll_sub_device_response_private_label_distributor_code=db:zeek.hart_ip_common_commands.poll_sub_device_response_private_label_distributor_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_private_label_distributor_code;help:poll_sub_device_response_private_label_distributor_code
+zeek.hart_ip_common_commands.poll_sub_device_response_device_profile=db:zeek.hart_ip_common_commands.poll_sub_device_response_device_profile;group:zeek_hart_ip_common_commands;kind:termfield;friendly:poll_sub_device_response_device_profile;help:poll_sub_device_response_device_profile
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_undefined_bits=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_undefined_bits;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_lock_device_state_response_lock_status_undefined_bits;help:read_lock_device_state_response_lock_status_undefined_bits
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_gateway=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_gateway;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_lock_device_state_response_lock_status_lock_gateway;help:read_lock_device_state_response_lock_status_lock_gateway
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_configuration_locked=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_configuration_locked;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_lock_device_state_response_lock_status_configuration_locked;help:read_lock_device_state_response_lock_status_configuration_locked
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_primary=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_primary;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_lock_device_state_response_lock_status_lock_primary;help:read_lock_device_state_response_lock_status_lock_primary
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_permanent=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_permanent;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_lock_device_state_response_lock_status_lock_permanent;help:read_lock_device_state_response_lock_status_lock_permanent
+zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_device_locked=db:zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_device_locked;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_lock_device_state_response_lock_status_device_locked;help:read_lock_device_state_response_lock_status_device_locked
+zeek.hart_ip_common_commands.write_device_variable_device_variable_code=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_device_variable_code;help:write_device_variable_device_variable_code
+zeek.hart_ip_common_commands.write_device_variable_write_device_variable_command_code=db:zeek.hart_ip_common_commands.write_device_variable_write_device_variable_command_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_write_device_variable_command_code;help:write_device_variable_write_device_variable_command_code
+zeek.hart_ip_common_commands.write_device_variable_units_code=db:zeek.hart_ip_common_commands.write_device_variable_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_units_code;help:write_device_variable_units_code
+zeek.hart_ip_common_commands.write_device_variable_device_variable_value=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_device_variable_value;help:write_device_variable_device_variable_value
+zeek.hart_ip_common_commands.write_device_variable_device_variable_status_process_data_status=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_status_process_data_status;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_device_variable_status_process_data_status;help:write_device_variable_device_variable_status_process_data_status
+zeek.hart_ip_common_commands.write_device_variable_device_variable_status_limit_status=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_status_limit_status;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_device_variable_status_limit_status;help:write_device_variable_device_variable_status_limit_status
+zeek.hart_ip_common_commands.write_device_variable_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_device_variable_status_more_device_variable_status_available;help:write_device_variable_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_common_commands.write_device_variable_device_variable_status_device_family_specific_status=db:zeek.hart_ip_common_commands.write_device_variable_device_variable_status_device_family_specific_status;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_device_variable_status_device_family_specific_status;help:write_device_variable_device_variable_status_device_family_specific_status
+zeek.hart_ip_common_commands.read_device_variable_trim_points_device_variable_code=db:zeek.hart_ip_common_commands.read_device_variable_trim_points_device_variable_code;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_trim_points_device_variable_code;help:read_device_variable_trim_points_device_variable_code
+zeek.hart_ip_common_commands.read_device_variable_trim_points_response_trim_points_units_code=db:zeek.hart_ip_common_commands.read_device_variable_trim_points_response_trim_points_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_trim_points_response_trim_points_units_code;help:read_device_variable_trim_points_response_trim_points_units_code
+zeek.hart_ip_common_commands.read_device_variable_trim_points_response_lower_or_single_trim_point=db:zeek.hart_ip_common_commands.read_device_variable_trim_points_response_lower_or_single_trim_point;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_trim_points_response_lower_or_single_trim_point;help:read_device_variable_trim_points_response_lower_or_single_trim_point
+zeek.hart_ip_common_commands.read_device_variable_trim_points_response_upper_trim_point=db:zeek.hart_ip_common_commands.read_device_variable_trim_points_response_upper_trim_point;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_device_variable_trim_points_response_upper_trim_point;help:read_device_variable_trim_points_response_upper_trim_point
+zeek.hart_ip_common_commands.read_device_variable_trim_guidelines_device_variable_guidelines=db:zeek.hart_ip_common_commands.read_device_variable_trim_guidelines_device_variable_guidelines;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_device_variable_trim_guidelines_device_variable_guidelines;help:read_device_variable_trim_guidelines_device_variable_guidelines
+zeek.hart_ip_common_commands.write_device_variable_trim_point_device_variable_to_trim=db:zeek.hart_ip_common_commands.write_device_variable_trim_point_device_variable_to_trim;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_device_variable_trim_point_device_variable_to_trim;help:write_device_variable_trim_point_device_variable_to_trim
+zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point=db:zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_trim_point_trim_point;help:write_device_variable_trim_point_trim_point
+zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_points_units_code=db:zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_points_units_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_trim_point_trim_points_units_code;help:write_device_variable_trim_point_trim_points_units_code
+zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point_value=db:zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point_value;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_device_variable_trim_point_trim_point_value;help:write_device_variable_trim_point_trim_point_value
+zeek.hart_ip_common_commands.reset_device_variable_trim_device_variable_trim_to_reset=db:zeek.hart_ip_common_commands.reset_device_variable_trim_device_variable_trim_to_reset;group:zeek_hart_ip_common_commands;kind:integer;friendly:reset_device_variable_trim_device_variable_trim_to_reset;help:reset_device_variable_trim_device_variable_trim_to_reset
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_sub_device_index=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_sub_device_index;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_sub_device_index;help:read_sub_device_identity_summary_sub_device_index
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_io_card=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_io_card;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_response_io_card;help:read_sub_device_identity_summary_response_io_card
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_channel=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_channel;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_response_channel;help:read_sub_device_identity_summary_response_channel
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_manufacturer_identification_code=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_manufacturer_identification_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_sub_device_identity_summary_response_manufacturer_identification_code;help:read_sub_device_identity_summary_response_manufacturer_identification_code
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_expanded_device_type=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_expanded_device_type;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_sub_device_identity_summary_response_expanded_device_type;help:read_sub_device_identity_summary_response_expanded_device_type
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_id=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_id;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_response_device_id;help:read_sub_device_identity_summary_response_device_id
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_universal_command_revision_level=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_universal_command_revision_level;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_response_universal_command_revision_level;help:read_sub_device_identity_summary_response_universal_command_revision_level
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_long_tag=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_long_tag;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_sub_device_identity_summary_response_long_tag;help:read_sub_device_identity_summary_response_long_tag
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_revision=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_revision;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_identity_summary_response_device_revision;help:read_sub_device_identity_summary_response_device_revision
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_profile=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_profile;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_sub_device_identity_summary_response_device_profile;help:read_sub_device_identity_summary_response_device_profile
+zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_private_label_distributor_code=db:zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_private_label_distributor_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:read_sub_device_identity_summary_response_private_label_distributor_code;help:read_sub_device_identity_summary_response_private_label_distributor_code
+zeek.hart_ip_common_commands.read_io_channel_statistics_io_card=db:zeek.hart_ip_common_commands.read_io_channel_statistics_io_card;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_io_card;help:read_io_channel_statistics_io_card
+zeek.hart_ip_common_commands.read_io_channel_statistics_channel=db:zeek.hart_ip_common_commands.read_io_channel_statistics_channel;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_channel;help:read_io_channel_statistics_channel
+zeek.hart_ip_common_commands.read_io_channel_statistics_response_stx_count=db:zeek.hart_ip_common_commands.read_io_channel_statistics_response_stx_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_response_stx_count;help:read_io_channel_statistics_response_stx_count
+zeek.hart_ip_common_commands.read_io_channel_statistics_response_ack_count=db:zeek.hart_ip_common_commands.read_io_channel_statistics_response_ack_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_response_ack_count;help:read_io_channel_statistics_response_ack_count
+zeek.hart_ip_common_commands.read_io_channel_statistics_response_ostx_count=db:zeek.hart_ip_common_commands.read_io_channel_statistics_response_ostx_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_response_ostx_count;help:read_io_channel_statistics_response_ostx_count
+zeek.hart_ip_common_commands.read_io_channel_statistics_response_oack_count=db:zeek.hart_ip_common_commands.read_io_channel_statistics_response_oack_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_response_oack_count;help:read_io_channel_statistics_response_oack_count
+zeek.hart_ip_common_commands.read_io_channel_statistics_response_back_count=db:zeek.hart_ip_common_commands.read_io_channel_statistics_response_back_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_io_channel_statistics_response_back_count;help:read_io_channel_statistics_response_back_count
+zeek.hart_ip_common_commands.read_sub_device_statistics_sub_device_index=db:zeek.hart_ip_common_commands.read_sub_device_statistics_sub_device_index;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_statistics_sub_device_index;help:read_sub_device_statistics_sub_device_index
+zeek.hart_ip_common_commands.read_sub_device_statistics_response_stx_count=db:zeek.hart_ip_common_commands.read_sub_device_statistics_response_stx_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_statistics_response_stx_count;help:read_sub_device_statistics_response_stx_count
+zeek.hart_ip_common_commands.read_sub_device_statistics_response_ack_count=db:zeek.hart_ip_common_commands.read_sub_device_statistics_response_ack_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_statistics_response_ack_count;help:read_sub_device_statistics_response_ack_count
+zeek.hart_ip_common_commands.read_sub_device_statistics_response_back_count=db:zeek.hart_ip_common_commands.read_sub_device_statistics_response_back_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:read_sub_device_statistics_response_back_count;help:read_sub_device_statistics_response_back_count
+zeek.hart_ip_common_commands.write_io_system_master_mode_master_mode=db:zeek.hart_ip_common_commands.write_io_system_master_mode_master_mode;group:zeek_hart_ip_common_commands;kind:termfield;friendly:write_io_system_master_mode_master_mode;help:write_io_system_master_mode_master_mode
+zeek.hart_ip_common_commands.write_io_system_retry_count_retry_count=db:zeek.hart_ip_common_commands.write_io_system_retry_count_retry_count;group:zeek_hart_ip_common_commands;kind:integer;friendly:write_io_system_retry_count_retry_count;help:write_io_system_retry_count_retry_count
+zeek.hart_ip_common_commands.set_real_time_clock_time_set_code=db:zeek.hart_ip_common_commands.set_real_time_clock_time_set_code;group:zeek_hart_ip_common_commands;kind:termfield;friendly:set_real_time_clock_time_set_code;help:set_real_time_clock_time_set_code
+zeek.hart_ip_common_commands.set_real_time_clock_date=db:zeek.hart_ip_common_commands.set_real_time_clock_date;group:zeek_hart_ip_common_commands;kind:termfield;friendly:set_real_time_clock_date;help:set_real_time_clock_date
+zeek.hart_ip_common_commands.set_real_time_clock_time_of_day=db:zeek.hart_ip_common_commands.set_real_time_clock_time_of_day;group:zeek_hart_ip_common_commands;kind:termfield;friendly:set_real_time_clock_time_of_day;help:set_real_time_clock_time_of_day
+zeek.hart_ip_common_commands.set_real_time_clock_null_bytes=db:zeek.hart_ip_common_commands.set_real_time_clock_null_bytes;group:zeek_hart_ip_common_commands;kind:integer;friendly:set_real_time_clock_null_bytes;help:set_real_time_clock_null_bytes
+
+# hart_ip_direct_pdu_command.log
+# https://github.com/cisagov/icsnpp-hart-ip
+zeek.hart_ip_direct_pdu_command.direct_pdu_command_data_data=db:zeek.hart_ip_direct_pdu_command.direct_pdu_command_data_data;group:zeek_hart_ip_direct_pdu_command;kind:termfield;friendly:direct_pdu_command_data_data;help:direct_pdu_command_data_data
+zeek.hart_ip_direct_pdu_command.direct_pdu_command_command_number=db:zeek.hart_ip_direct_pdu_command.direct_pdu_command_command_number;group:zeek_hart_ip_direct_pdu_command;kind:termfield;friendly:direct_pdu_command_command_number;help:direct_pdu_command_command_number
+zeek.hart_ip_direct_pdu_command.direct_pdu_command_byte_count=db:zeek.hart_ip_direct_pdu_command.direct_pdu_command_byte_count;group:zeek_hart_ip_direct_pdu_command;kind:integer;friendly:direct_pdu_command_byte_count;help:direct_pdu_command_byte_count
+zeek.hart_ip_direct_pdu_command.direct_pdu_contents_response_response_code=db:zeek.hart_ip_direct_pdu_command.direct_pdu_contents_response_response_code;group:zeek_hart_ip_direct_pdu_command;kind:integer;friendly:direct_pdu_contents_response_response_code;help:direct_pdu_contents_response_response_code
+
+# hart_ip.log
+# https://github.com/cisagov/icsnpp-hart-ip
+zeek.hart_ip.command_number_link_id=db:zeek.hart_ip.command_number_link_id;group:zeek_hart_ip;kind:termfield;friendly:command_number_link_id;help:command_number_link_id
+zeek.hart_ip.direct_pdu_command_link_id=db:zeek.hart_ip.direct_pdu_command_link_id;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_command_link_id;help:direct_pdu_command_link_id
+zeek.hart_ip.session_log_record_link_id=db:zeek.hart_ip.session_log_record_link_id;group:zeek_hart_ip;kind:termfield;friendly:session_log_record_link_id;help:session_log_record_link_id
+zeek.hart_ip.message_packet_bytes=db:zeek.hart_ip.message_packet_bytes;group:zeek_hart_ip;kind:termfield;friendly:message_packet_bytes;help:message_packet_bytes
+zeek.hart_ip.header_version=db:zeek.hart_ip.header_version;group:zeek_hart_ip;kind:integer;friendly:header_version;help:header_version
+zeek.hart_ip.header_message_type_reserved=db:zeek.hart_ip.header_message_type_reserved;group:zeek_hart_ip;kind:integer;friendly:header_message_type_reserved;help:header_message_type_reserved
+zeek.hart_ip.header_message_type_message_type=db:zeek.hart_ip.header_message_type_message_type;group:zeek_hart_ip;kind:termfield;friendly:header_message_type_message_type;help:header_message_type_message_type
+zeek.hart_ip.header_message_id=db:zeek.hart_ip.header_message_id;group:zeek_hart_ip;kind:termfield;friendly:header_message_id;help:header_message_id
+zeek.hart_ip.header_status_code=db:zeek.hart_ip.header_status_code;group:zeek_hart_ip;kind:termfield;friendly:header_status_code;help:header_status_code
+zeek.hart_ip.header_sequence_number=db:zeek.hart_ip.header_sequence_number;group:zeek_hart_ip;kind:integer;friendly:header_sequence_number;help:header_sequence_number
+zeek.hart_ip.header_length=db:zeek.hart_ip.header_length;group:zeek_hart_ip;kind:integer;friendly:header_length;help:header_length
+zeek.hart_ip.session_initiate_master_type=db:zeek.hart_ip.session_initiate_master_type;group:zeek_hart_ip;kind:integer;friendly:session_initiate_master_type;help:session_initiate_master_type
+zeek.hart_ip.session_initiate_inactivity_close_timer=db:zeek.hart_ip.session_initiate_inactivity_close_timer;group:zeek_hart_ip;kind:integer;friendly:session_initiate_inactivity_close_timer;help:session_initiate_inactivity_close_timer
+zeek.hart_ip.token_passing_pdu_delimiter_address_type=db:zeek.hart_ip.token_passing_pdu_delimiter_address_type;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_delimiter_address_type;help:token_passing_pdu_delimiter_address_type
+zeek.hart_ip.token_passing_pdu_delimiter_expansion_bytes=db:zeek.hart_ip.token_passing_pdu_delimiter_expansion_bytes;group:zeek_hart_ip;kind:integer;friendly:token_passing_pdu_delimiter_expansion_bytes;help:token_passing_pdu_delimiter_expansion_bytes
+zeek.hart_ip.token_passing_pdu_delimiter_physical_layer_type=db:zeek.hart_ip.token_passing_pdu_delimiter_physical_layer_type;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_delimiter_physical_layer_type;help:token_passing_pdu_delimiter_physical_layer_type
+zeek.hart_ip.token_passing_pdu_delimiter_frame_type=db:zeek.hart_ip.token_passing_pdu_delimiter_frame_type;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_delimiter_frame_type;help:token_passing_pdu_delimiter_frame_type
+zeek.hart_ip.token_passing_pdu_address_v4=db:zeek.hart_ip.token_passing_pdu_address_v4;group:zeek_hart_ip;kind:integer;friendly:token_passing_pdu_address_v4;help:token_passing_pdu_address_v4
+zeek.hart_ip.token_passing_pdu_address_v6=db:zeek.hart_ip.token_passing_pdu_address_v6;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_address_v6;help:token_passing_pdu_address_v6
+zeek.hart_ip.token_passing_pdu_command_number=db:zeek.hart_ip.token_passing_pdu_command_number;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_command_number;help:token_passing_pdu_command_number
+zeek.hart_ip.token_passing_pdu_byte_count=db:zeek.hart_ip.token_passing_pdu_byte_count;group:zeek_hart_ip;kind:integer;friendly:token_passing_pdu_byte_count;help:token_passing_pdu_byte_count
+zeek.hart_ip.token_passing_pdu_check_byte=db:zeek.hart_ip.token_passing_pdu_check_byte;group:zeek_hart_ip;kind:integer;friendly:token_passing_pdu_check_byte;help:token_passing_pdu_check_byte
+zeek.hart_ip.token_passing_pdu_contents_data_data=db:zeek.hart_ip.token_passing_pdu_contents_data_data;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_data_data;help:token_passing_pdu_contents_data_data
+zeek.hart_ip.token_passing_pdu_contents_response_response_code=db:zeek.hart_ip.token_passing_pdu_contents_response_response_code;group:zeek_hart_ip;kind:integer;friendly:token_passing_pdu_contents_response_response_code;help:token_passing_pdu_contents_response_response_code
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_device_malfunction;help:token_passing_pdu_contents_response_device_status_device_malfunction
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_configuration_changed;help:token_passing_pdu_contents_response_device_status_configuration_changed
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_cold_start=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_cold_start;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_cold_start;help:token_passing_pdu_contents_response_device_status_cold_start
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_more_status_available=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_more_status_available;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_more_status_available;help:token_passing_pdu_contents_response_device_status_more_status_available
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_fixed=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_fixed;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_loop_current_fixed;help:token_passing_pdu_contents_response_device_status_loop_current_fixed
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_saturated=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_saturated;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_loop_current_saturated;help:token_passing_pdu_contents_response_device_status_loop_current_saturated
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits;help:token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits
+zeek.hart_ip.token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits=db:zeek.hart_ip.token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits;group:zeek_hart_ip;kind:termfield;friendly:token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits;help:token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits
+zeek.hart_ip.direct_pdu_device_status_device_malfunction=db:zeek.hart_ip.direct_pdu_device_status_device_malfunction;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_device_malfunction;help:direct_pdu_device_status_device_malfunction
+zeek.hart_ip.direct_pdu_device_status_configuration_changed=db:zeek.hart_ip.direct_pdu_device_status_configuration_changed;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_configuration_changed;help:direct_pdu_device_status_configuration_changed
+zeek.hart_ip.direct_pdu_device_status_cold_start=db:zeek.hart_ip.direct_pdu_device_status_cold_start;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_cold_start;help:direct_pdu_device_status_cold_start
+zeek.hart_ip.direct_pdu_device_status_more_status_available=db:zeek.hart_ip.direct_pdu_device_status_more_status_available;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_more_status_available;help:direct_pdu_device_status_more_status_available
+zeek.hart_ip.direct_pdu_device_status_loop_current_fixed=db:zeek.hart_ip.direct_pdu_device_status_loop_current_fixed;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_loop_current_fixed;help:direct_pdu_device_status_loop_current_fixed
+zeek.hart_ip.direct_pdu_device_status_loop_current_saturated=db:zeek.hart_ip.direct_pdu_device_status_loop_current_saturated;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_loop_current_saturated;help:direct_pdu_device_status_loop_current_saturated
+zeek.hart_ip.direct_pdu_device_status_non_primary_variable_out_of_limits=db:zeek.hart_ip.direct_pdu_device_status_non_primary_variable_out_of_limits;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_non_primary_variable_out_of_limits;help:direct_pdu_device_status_non_primary_variable_out_of_limits
+zeek.hart_ip.direct_pdu_device_status_primary_variable_out_of_limits=db:zeek.hart_ip.direct_pdu_device_status_primary_variable_out_of_limits;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_device_status_primary_variable_out_of_limits;help:direct_pdu_device_status_primary_variable_out_of_limits
+zeek.hart_ip.direct_pdu_extended_status_undefined_bits=db:zeek.hart_ip.direct_pdu_extended_status_undefined_bits;group:zeek_hart_ip;kind:integer;friendly:direct_pdu_extended_status_undefined_bits;help:direct_pdu_extended_status_undefined_bits
+zeek.hart_ip.direct_pdu_extended_status_function_check=db:zeek.hart_ip.direct_pdu_extended_status_function_check;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_function_check;help:direct_pdu_extended_status_function_check
+zeek.hart_ip.direct_pdu_extended_status_out_of_specification=db:zeek.hart_ip.direct_pdu_extended_status_out_of_specification;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_out_of_specification;help:direct_pdu_extended_status_out_of_specification
+zeek.hart_ip.direct_pdu_extended_status_failure=db:zeek.hart_ip.direct_pdu_extended_status_failure;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_failure;help:direct_pdu_extended_status_failure
+zeek.hart_ip.direct_pdu_extended_status_critical_power_failure=db:zeek.hart_ip.direct_pdu_extended_status_critical_power_failure;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_critical_power_failure;help:direct_pdu_extended_status_critical_power_failure
+zeek.hart_ip.direct_pdu_extended_status_device_variable_alert=db:zeek.hart_ip.direct_pdu_extended_status_device_variable_alert;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_device_variable_alert;help:direct_pdu_extended_status_device_variable_alert
+zeek.hart_ip.direct_pdu_extended_status_maintenance_required=db:zeek.hart_ip.direct_pdu_extended_status_maintenance_required;group:zeek_hart_ip;kind:termfield;friendly:direct_pdu_extended_status_maintenance_required;help:direct_pdu_extended_status_maintenance_required
+zeek.hart_ip.read_audit_log_start_record=db:zeek.hart_ip.read_audit_log_start_record;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_start_record;help:read_audit_log_start_record
+zeek.hart_ip.read_audit_log_number_of_records=db:zeek.hart_ip.read_audit_log_number_of_records;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_number_of_records;help:read_audit_log_number_of_records
+zeek.hart_ip.read_audit_log_power_up_time=db:zeek.hart_ip.read_audit_log_power_up_time;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_power_up_time;help:read_audit_log_power_up_time
+zeek.hart_ip.read_audit_log_last_security_change=db:zeek.hart_ip.read_audit_log_last_security_change;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_last_security_change;help:read_audit_log_last_security_change
+zeek.hart_ip.read_audit_log_server_status_undefined_bits=db:zeek.hart_ip.read_audit_log_server_status_undefined_bits;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_server_status_undefined_bits;help:read_audit_log_server_status_undefined_bits
+zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection=db:zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection;group:zeek_hart_ip;kind:termfield;friendly:read_audit_log_server_status_insecure_syslog_connection;help:read_audit_log_server_status_insecure_syslog_connection
+zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed=db:zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed;group:zeek_hart_ip;kind:termfield;friendly:read_audit_log_server_status_syslog_server_located_but_connection_failed;help:read_audit_log_server_status_syslog_server_located_but_connection_failed
+zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server=db:zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server;group:zeek_hart_ip;kind:termfield;friendly:read_audit_log_server_status_unable_to_locate_syslog_server;help:read_audit_log_server_status_unable_to_locate_syslog_server
+zeek.hart_ip.read_audit_log_session_record_size=db:zeek.hart_ip.read_audit_log_session_record_size;group:zeek_hart_ip;kind:integer;friendly:read_audit_log_session_record_size;help:read_audit_log_session_record_size
+
+# hart_ip_session_record.log
+# https://github.com/cisagov/icsnpp-hart-ip
+zeek.hart_ip_session_record.session_log_record_client_i_pv4_address=db:zeek.hart_ip_session_record.session_log_record_client_i_pv4_address;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_client_i_pv4_address;help:session_log_record_client_i_pv4_address
+zeek.hart_ip_session_record.session_log_record_client_i_pv6_address=db:zeek.hart_ip_session_record.session_log_record_client_i_pv6_address;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_client_i_pv6_address;help:session_log_record_client_i_pv6_address
+zeek.hart_ip_session_record.session_log_record_client_port=db:zeek.hart_ip_session_record.session_log_record_client_port;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_client_port;help:session_log_record_client_port
+zeek.hart_ip_session_record.session_log_record_server_port=db:zeek.hart_ip_session_record.session_log_record_server_port;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_server_port;help:session_log_record_server_port
+zeek.hart_ip_session_record.session_log_record_connect_time=db:zeek.hart_ip_session_record.session_log_record_connect_time;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_connect_time;help:session_log_record_connect_time
+zeek.hart_ip_session_record.session_log_record_disconnect_time=db:zeek.hart_ip_session_record.session_log_record_disconnect_time;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_disconnect_time;help:session_log_record_disconnect_time
+zeek.hart_ip_session_record.session_log_record_session_status_summary_undefined_bits=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_undefined_bits;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_session_status_summary_undefined_bits;help:session_log_record_session_status_summary_undefined_bits
+zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_session_status_summary_insecure_session;help:session_log_record_session_status_summary_insecure_session
+zeek.hart_ip_session_record.session_log_record_session_status_summary_session_timeout=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_session_timeout;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_session_status_summary_session_timeout;help:session_log_record_session_status_summary_session_timeout
+zeek.hart_ip_session_record.session_log_record_session_status_summary_aborted_session=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_aborted_session;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_session_status_summary_aborted_session;help:session_log_record_session_status_summary_aborted_session
+zeek.hart_ip_session_record.session_log_record_session_status_summary_bad_session_initialization=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_bad_session_initialization;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_session_status_summary_bad_session_initialization;help:session_log_record_session_status_summary_bad_session_initialization
+zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured=db:zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured;group:zeek_hart_ip_session_record;kind:termfield;friendly:session_log_record_session_status_summary_writes_occured;help:session_log_record_session_status_summary_writes_occured
+zeek.hart_ip_session_record.session_log_record_start_configuration_change_count=db:zeek.hart_ip_session_record.session_log_record_start_configuration_change_count;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_start_configuration_change_count;help:session_log_record_start_configuration_change_count
+zeek.hart_ip_session_record.session_log_record_end_configuration_change_count=db:zeek.hart_ip_session_record.session_log_record_end_configuration_change_count;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_end_configuration_change_count;help:session_log_record_end_configuration_change_count
+zeek.hart_ip_session_record.session_log_record_num_publish_pdu=db:zeek.hart_ip_session_record.session_log_record_num_publish_pdu;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_num_publish_pdu;help:session_log_record_num_publish_pdu
+zeek.hart_ip_session_record.session_log_record_num_request_pdu=db:zeek.hart_ip_session_record.session_log_record_num_request_pdu;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_num_request_pdu;help:session_log_record_num_request_pdu
+zeek.hart_ip_session_record.session_log_record_num_response_pdu=db:zeek.hart_ip_session_record.session_log_record_num_response_pdu;group:zeek_hart_ip_session_record;kind:integer;friendly:session_log_record_num_response_pdu;help:session_log_record_num_response_pdu
+
+# hart_ip_universal_commands.log
+# https://github.com/cisagov/icsnpp-hart-ip
+zeek.hart_ip_universal_commands.read_unique_identifier_response_254=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_254;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_254;help:read_unique_identifier_response_254
+zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_expanded_device_type;help:read_unique_identifier_response_expanded_device_type
+zeek.hart_ip_universal_commands.read_unique_identifier_response_minimum_preambles_master_slave=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_minimum_preambles_master_slave;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_minimum_preambles_master_slave;help:read_unique_identifier_response_minimum_preambles_master_slave
+zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_hart_protocol_major_revision;help:read_unique_identifier_response_hart_protocol_major_revision
+zeek.hart_ip_universal_commands.read_unique_identifier_response_device_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_device_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_device_revision_level;help:read_unique_identifier_response_device_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_response_software_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_software_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_software_revision_level;help:read_unique_identifier_response_software_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;help:read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;help:read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_in_multi_drop_only=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_in_multi_drop_only;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_c8_psk_in_multi_drop_only;help:read_unique_identifier_response_flags_c8_psk_in_multi_drop_only
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_c8_psk_capable_field_device;help:read_unique_identifier_response_flags_c8_psk_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_undefined_5=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_undefined_5;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_undefined_5;help:read_unique_identifier_response_flags_undefined_5
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_safehart_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_safehart_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_safehart_capable_field_device;help:read_unique_identifier_response_flags_safehart_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;help:read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_protocol_bridge_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_protocol_bridge_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_protocol_bridge_device;help:read_unique_identifier_response_flags_protocol_bridge_device
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_eeprom_control=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_eeprom_control;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_eeprom_control;help:read_unique_identifier_response_flags_eeprom_control
+zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_mutli_sensor_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_mutli_sensor_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_flags_mutli_sensor_field_device;help:read_unique_identifier_response_flags_mutli_sensor_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_response_device_id=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_device_id;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_device_id;help:read_unique_identifier_response_device_id
+zeek.hart_ip_universal_commands.read_unique_identifier_response_number_preambles_slave_master=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_number_preambles_slave_master;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_number_preambles_slave_master;help:read_unique_identifier_response_number_preambles_slave_master
+zeek.hart_ip_universal_commands.read_unique_identifier_response_last_device_variable_this=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_last_device_variable_this;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_last_device_variable_this;help:read_unique_identifier_response_last_device_variable_this
+zeek.hart_ip_universal_commands.read_unique_identifier_response_configuration_change_counter=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_configuration_change_counter;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_configuration_change_counter;help:read_unique_identifier_response_configuration_change_counter
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_response_extended_field_device_status_undefined_bits;help:read_unique_identifier_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_function_check=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_function_check;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_function_check;help:read_unique_identifier_response_extended_field_device_status_function_check
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_out_of_specification;help:read_unique_identifier_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_failure;help:read_unique_identifier_response_extended_field_device_status_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_critical_power_failure;help:read_unique_identifier_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_device_variable_alert;help:read_unique_identifier_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_extended_field_device_status_maintenance_required;help:read_unique_identifier_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_universal_commands.read_unique_identifier_response_manufacturer_identification_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_manufacturer_identification_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_manufacturer_identification_code;help:read_unique_identifier_response_manufacturer_identification_code
+zeek.hart_ip_universal_commands.read_unique_identifier_response_private_label_distributor_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_private_label_distributor_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_private_label_distributor_code;help:read_unique_identifier_response_private_label_distributor_code
+zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile=db:zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_response_device_profile;help:read_unique_identifier_response_device_profile
+zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable_units=db:zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_response_primary_variable_units;help:read_primary_variable_response_primary_variable_units
+zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable=db:zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_response_primary_variable;help:read_primary_variable_response_primary_variable
+zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_loop_current=db:zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_loop_current;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_loop_current_response_primary_variable_loop_current;help:read_loop_current_response_primary_variable_loop_current
+zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_percent_range=db:zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_percent_range;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_loop_current_response_primary_variable_percent_range;help:read_loop_current_response_primary_variable_percent_range
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_loop_current=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_loop_current;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_primary_variable_loop_current;help:read_dynamic_variable_response_primary_variable_loop_current
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_units=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_primary_variable_units;help:read_dynamic_variable_response_primary_variable_units
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_primary_variable;help:read_dynamic_variable_response_primary_variable
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable_units=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_secondary_variable_units;help:read_dynamic_variable_response_secondary_variable_units
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_secondary_variable;help:read_dynamic_variable_response_secondary_variable
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable_units=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_tertiary_variable_units;help:read_dynamic_variable_response_tertiary_variable_units
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_tertiary_variable;help:read_dynamic_variable_response_tertiary_variable
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable_units=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_quaternary_variable_units;help:read_dynamic_variable_response_quaternary_variable_units
+zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable=db:zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_response_quaternary_variable;help:read_dynamic_variable_response_quaternary_variable
+zeek.hart_ip_universal_commands.write_polling_address_polling_address_device=db:zeek.hart_ip_universal_commands.write_polling_address_polling_address_device;group:zeek_hart_ip_universal_commands;kind:integer;friendly:write_polling_address_polling_address_device;help:write_polling_address_polling_address_device
+zeek.hart_ip_universal_commands.write_polling_address_loop_current_mode=db:zeek.hart_ip_universal_commands.write_polling_address_loop_current_mode;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_polling_address_loop_current_mode;help:write_polling_address_loop_current_mode
+zeek.hart_ip_universal_commands.read_loop_configuration_response_polling_address_device=db:zeek.hart_ip_universal_commands.read_loop_configuration_response_polling_address_device;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_loop_configuration_response_polling_address_device;help:read_loop_configuration_response_polling_address_device
+zeek.hart_ip_universal_commands.read_loop_configuration_response_loop_current_mode=db:zeek.hart_ip_universal_commands.read_loop_configuration_response_loop_current_mode;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_loop_configuration_response_loop_current_mode;help:read_loop_configuration_response_loop_current_mode
+zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_primary_variable_classification=db:zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_primary_variable_classification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_classifications_response_primary_variable_classification;help:read_dynamic_variable_classifications_response_primary_variable_classification
+zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_secondary_variable_classification=db:zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_secondary_variable_classification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_classifications_response_secondary_variable_classification;help:read_dynamic_variable_classifications_response_secondary_variable_classification
+zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_tertiary_variable_classification=db:zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_tertiary_variable_classification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_classifications_response_tertiary_variable_classification;help:read_dynamic_variable_classifications_response_tertiary_variable_classification
+zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_quaternary_variable_classification=db:zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_quaternary_variable_classification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_dynamic_variable_classifications_response_quaternary_variable_classification;help:read_dynamic_variable_classifications_response_quaternary_variable_classification
+zeek.hart_ip_universal_commands.read_device_variable_request_slot0_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot0_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot0_device_variable_code;help:read_device_variable_request_slot0_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot1_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot1_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot1_device_variable_code;help:read_device_variable_request_slot1_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot2_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot2_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot2_device_variable_code;help:read_device_variable_request_slot2_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot3_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot3_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot3_device_variable_code;help:read_device_variable_request_slot3_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot4_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot4_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot4_device_variable_code;help:read_device_variable_request_slot4_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot5_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot5_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot5_device_variable_code;help:read_device_variable_request_slot5_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot6_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot6_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot6_device_variable_code;help:read_device_variable_request_slot6_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_request_slot7_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_request_slot7_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_request_slot7_device_variable_code;help:read_device_variable_request_slot7_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_extended_field_device_status_undefined_bits;help:read_device_variable_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_function_check=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_function_check;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_function_check;help:read_device_variable_response_extended_field_device_status_function_check
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_out_of_specification;help:read_device_variable_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_failure=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_failure;help:read_device_variable_response_extended_field_device_status_failure
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_critical_power_failure;help:read_device_variable_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_device_variable_alert;help:read_device_variable_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_extended_field_device_status_maintenance_required;help:read_device_variable_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot0_device_variable_code;help:read_device_variable_response_slot0_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_device_variable_class;help:read_device_variable_response_slot0_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_units_code;help:read_device_variable_response_slot0_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_device_variable;help:read_device_variable_response_slot0_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_device_variable_status_process_data_status;help:read_device_variable_response_slot0_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_device_variable_status_limit_status;help:read_device_variable_response_slot0_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot0_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot0_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot1_device_variable_code;help:read_device_variable_response_slot1_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_device_variable_class;help:read_device_variable_response_slot1_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_units_code;help:read_device_variable_response_slot1_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_device_variable;help:read_device_variable_response_slot1_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_device_variable_status_process_data_status;help:read_device_variable_response_slot1_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_device_variable_status_limit_status;help:read_device_variable_response_slot1_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot1_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot1_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot2_device_variable_code;help:read_device_variable_response_slot2_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_device_variable_class;help:read_device_variable_response_slot2_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_units_code;help:read_device_variable_response_slot2_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_device_variable;help:read_device_variable_response_slot2_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_device_variable_status_process_data_status;help:read_device_variable_response_slot2_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_device_variable_status_limit_status;help:read_device_variable_response_slot2_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot2_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot2_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot3_device_variable_code;help:read_device_variable_response_slot3_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_device_variable_class;help:read_device_variable_response_slot3_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_units_code;help:read_device_variable_response_slot3_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_device_variable;help:read_device_variable_response_slot3_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_device_variable_status_process_data_status;help:read_device_variable_response_slot3_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_device_variable_status_limit_status;help:read_device_variable_response_slot3_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot3_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot3_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot4_device_variable_code;help:read_device_variable_response_slot4_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_device_variable_class;help:read_device_variable_response_slot4_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_units_code;help:read_device_variable_response_slot4_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_device_variable;help:read_device_variable_response_slot4_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_device_variable_status_process_data_status;help:read_device_variable_response_slot4_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_device_variable_status_limit_status;help:read_device_variable_response_slot4_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot4_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot4_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot5_device_variable_code;help:read_device_variable_response_slot5_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_device_variable_class;help:read_device_variable_response_slot5_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_units_code;help:read_device_variable_response_slot5_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_device_variable;help:read_device_variable_response_slot5_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_device_variable_status_process_data_status;help:read_device_variable_response_slot5_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_device_variable_status_limit_status;help:read_device_variable_response_slot5_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot5_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot5_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot6_device_variable_code;help:read_device_variable_response_slot6_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_device_variable_class;help:read_device_variable_response_slot6_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_units_code;help:read_device_variable_response_slot6_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_device_variable;help:read_device_variable_response_slot6_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_device_variable_status_process_data_status;help:read_device_variable_response_slot6_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_device_variable_status_limit_status;help:read_device_variable_response_slot6_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot6_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot6_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_code;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot7_device_variable_code;help:read_device_variable_response_slot7_device_variable_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_class=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_class;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_device_variable_class;help:read_device_variable_response_slot7_device_variable_class
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_units_code=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_units_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_units_code;help:read_device_variable_response_slot7_units_code
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_device_variable;help:read_device_variable_response_slot7_device_variable
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_process_data_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_process_data_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_device_variable_status_process_data_status;help:read_device_variable_response_slot7_device_variable_status_process_data_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_limit_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_limit_status;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_device_variable_status_limit_status;help:read_device_variable_response_slot7_device_variable_status_limit_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available;help:read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available
+zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_device_family_specific_status=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_device_family_specific_status;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot7_device_variable_status_device_family_specific_status;help:read_device_variable_response_slot7_device_variable_status_device_family_specific_status
+zeek.hart_ip_universal_commands.read_device_variable_response_slot0_time=db:zeek.hart_ip_universal_commands.read_device_variable_response_slot0_time;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_variable_response_slot0_time;help:read_device_variable_response_slot0_time
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_request_tag=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_request_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_request_tag;help:read_unique_identifier_tag_request_tag
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_254=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_254;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_254;help:read_unique_identifier_tag_response_254
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_expanded_device_type=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_expanded_device_type;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_expanded_device_type;help:read_unique_identifier_tag_response_expanded_device_type
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_minimum_preambles_master_slave=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_minimum_preambles_master_slave;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_minimum_preambles_master_slave;help:read_unique_identifier_tag_response_minimum_preambles_master_slave
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hart_protocol_major_revision=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hart_protocol_major_revision;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_hart_protocol_major_revision;help:read_unique_identifier_tag_response_hart_protocol_major_revision
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_device_revision_level;help:read_unique_identifier_tag_response_device_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_software_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_software_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_software_revision_level;help:read_unique_identifier_tag_response_software_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;help:read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;help:read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only;help:read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_c8_psk_capable_field_device;help:read_unique_identifier_tag_response_flags_c8_psk_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_undefined_5=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_undefined_5;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_undefined_5;help:read_unique_identifier_tag_response_flags_undefined_5
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_safehart_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_safehart_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_safehart_capable_field_device;help:read_unique_identifier_tag_response_flags_safehart_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;help:read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_protocol_bridge_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_protocol_bridge_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_protocol_bridge_device;help:read_unique_identifier_tag_response_flags_protocol_bridge_device
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_eeprom_control=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_eeprom_control;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_eeprom_control;help:read_unique_identifier_tag_response_flags_eeprom_control
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_mutli_sensor_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_mutli_sensor_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_flags_mutli_sensor_field_device;help:read_unique_identifier_tag_response_flags_mutli_sensor_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_id=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_id;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_device_id;help:read_unique_identifier_tag_response_device_id
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_number_preambles_slave_master=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_number_preambles_slave_master;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_number_preambles_slave_master;help:read_unique_identifier_tag_response_number_preambles_slave_master
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_last_device_variable_this=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_last_device_variable_this;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_last_device_variable_this;help:read_unique_identifier_tag_response_last_device_variable_this
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_configuration_change_counter=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_configuration_change_counter;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_configuration_change_counter;help:read_unique_identifier_tag_response_configuration_change_counter
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_tag_response_extended_field_device_status_undefined_bits;help:read_unique_identifier_tag_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_function_check=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_function_check;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_function_check;help:read_unique_identifier_tag_response_extended_field_device_status_function_check
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_out_of_specification;help:read_unique_identifier_tag_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_failure;help:read_unique_identifier_tag_response_extended_field_device_status_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure;help:read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert;help:read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_extended_field_device_status_maintenance_required;help:read_unique_identifier_tag_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_manufacturer_identification_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_manufacturer_identification_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_manufacturer_identification_code;help:read_unique_identifier_tag_response_manufacturer_identification_code
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_private_label_distributor_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_private_label_distributor_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_private_label_distributor_code;help:read_unique_identifier_tag_response_private_label_distributor_code
+zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_profile=db:zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_profile;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_tag_response_device_profile;help:read_unique_identifier_tag_response_device_profile
+zeek.hart_ip_universal_commands.read_message_response_message=db:zeek.hart_ip_universal_commands.read_message_response_message;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_message_response_message;help:read_message_response_message
+zeek.hart_ip_universal_commands.read_tag_response_tag=db:zeek.hart_ip_universal_commands.read_tag_response_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_tag_response_tag;help:read_tag_response_tag
+zeek.hart_ip_universal_commands.read_tag_response_descriptor=db:zeek.hart_ip_universal_commands.read_tag_response_descriptor;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_tag_response_descriptor;help:read_tag_response_descriptor
+zeek.hart_ip_universal_commands.read_tag_response_date_code=db:zeek.hart_ip_universal_commands.read_tag_response_date_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_tag_response_date_code;help:read_tag_response_date_code
+zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_serial_number=db:zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_serial_number;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_primary_variable_transducer_information_response_p_v_transducer_serial_number;help:read_primary_variable_transducer_information_response_p_v_transducer_serial_number
+zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_limits_units=db:zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_limits_units;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_transducer_information_response_p_v_transducer_limits_units;help:read_primary_variable_transducer_information_response_p_v_transducer_limits_units
+zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_upper_transducer_limit=db:zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_upper_transducer_limit;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_transducer_information_response_p_v_upper_transducer_limit;help:read_primary_variable_transducer_information_response_p_v_upper_transducer_limit
+zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_lower_transducer_limit=db:zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_lower_transducer_limit;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_transducer_information_response_p_v_lower_transducer_limit;help:read_primary_variable_transducer_information_response_p_v_lower_transducer_limit
+zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_minimum_span=db:zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_minimum_span;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_primary_variable_transducer_information_response_p_v_minimum_span;help:read_primary_variable_transducer_information_response_p_v_minimum_span
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_alarm_selection_code=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_alarm_selection_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_alarm_selection_code;help:read_device_information_response_p_v_alarm_selection_code
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_transfer_function_code=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_transfer_function_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_transfer_function_code;help:read_device_information_response_p_v_transfer_function_code
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_lower_range=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_lower_range;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_upper_lower_range;help:read_device_information_response_p_v_upper_lower_range
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_range_value=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_range_value;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_upper_range_value;help:read_device_information_response_p_v_upper_range_value
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_lower_range_value=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_lower_range_value;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_lower_range_value;help:read_device_information_response_p_v_lower_range_value
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_damping_value=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_damping_value;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_damping_value;help:read_device_information_response_p_v_damping_value
+zeek.hart_ip_universal_commands.read_device_information_response_write_protect_code=db:zeek.hart_ip_universal_commands.read_device_information_response_write_protect_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_write_protect_code;help:read_device_information_response_write_protect_code
+zeek.hart_ip_universal_commands.read_device_information_response_250=db:zeek.hart_ip_universal_commands.read_device_information_response_250;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_information_response_250;help:read_device_information_response_250
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_undefined_bits=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_device_information_response_p_v_analog_channel_flags_undefined_bits;help:read_device_information_response_p_v_analog_channel_flags_undefined_bits
+zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_analog_channel=db:zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_analog_channel;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_device_information_response_p_v_analog_channel_flags_analog_channel;help:read_device_information_response_p_v_analog_channel_flags_analog_channel
+zeek.hart_ip_universal_commands.read_final_assembly_number_response_final_assembly_number=db:zeek.hart_ip_universal_commands.read_final_assembly_number_response_final_assembly_number;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_final_assembly_number_response_final_assembly_number;help:read_final_assembly_number_response_final_assembly_number
+zeek.hart_ip_universal_commands.write_message_message_string=db:zeek.hart_ip_universal_commands.write_message_message_string;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_message_message_string;help:write_message_message_string
+zeek.hart_ip_universal_commands.write_tag_descriptor_date_tag=db:zeek.hart_ip_universal_commands.write_tag_descriptor_date_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_tag_descriptor_date_tag;help:write_tag_descriptor_date_tag
+zeek.hart_ip_universal_commands.write_tag_descriptor_date_record_keeping_descriptor=db:zeek.hart_ip_universal_commands.write_tag_descriptor_date_record_keeping_descriptor;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_tag_descriptor_date_record_keeping_descriptor;help:write_tag_descriptor_date_record_keeping_descriptor
+zeek.hart_ip_universal_commands.write_tag_descriptor_date_date_code=db:zeek.hart_ip_universal_commands.write_tag_descriptor_date_date_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_tag_descriptor_date_date_code;help:write_tag_descriptor_date_date_code
+zeek.hart_ip_universal_commands.write_final_assembly_number_final_assembly_number=db:zeek.hart_ip_universal_commands.write_final_assembly_number_final_assembly_number;group:zeek_hart_ip_universal_commands;kind:integer;friendly:write_final_assembly_number_final_assembly_number;help:write_final_assembly_number_final_assembly_number
+zeek.hart_ip_universal_commands.read_long_tag_response_long_tag=db:zeek.hart_ip_universal_commands.read_long_tag_response_long_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_long_tag_response_long_tag;help:read_long_tag_response_long_tag
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_request_long_tag=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_request_long_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_request_long_tag;help:read_unique_identifier_long_tag_request_long_tag
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_254=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_254;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_254;help:read_unique_identifier_long_tag_response_254
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_expanded_device_type=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_expanded_device_type;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_expanded_device_type;help:read_unique_identifier_long_tag_response_expanded_device_type
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_minimum_preambles_master_slave=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_minimum_preambles_master_slave;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_minimum_preambles_master_slave;help:read_unique_identifier_long_tag_response_minimum_preambles_master_slave
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hart_protocol_major_revision=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hart_protocol_major_revision;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_hart_protocol_major_revision;help:read_unique_identifier_long_tag_response_hart_protocol_major_revision
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_device_revision_level;help:read_unique_identifier_long_tag_response_device_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_software_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_software_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_software_revision_level;help:read_unique_identifier_long_tag_response_software_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level;help:read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code;help:read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only;help:read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device;help:read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_undefined_5=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_undefined_5;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_undefined_5;help:read_unique_identifier_long_tag_response_flags_undefined_5
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_safehart_capable_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_safehart_capable_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_safehart_capable_field_device;help:read_unique_identifier_long_tag_response_flags_safehart_capable_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation;help:read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_protocol_bridge_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_protocol_bridge_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_protocol_bridge_device;help:read_unique_identifier_long_tag_response_flags_protocol_bridge_device
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_eeprom_control=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_eeprom_control;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_eeprom_control;help:read_unique_identifier_long_tag_response_flags_eeprom_control
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device;help:read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_id=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_id;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_device_id;help:read_unique_identifier_long_tag_response_device_id
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_number_preambles_slave_master=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_number_preambles_slave_master;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_number_preambles_slave_master;help:read_unique_identifier_long_tag_response_number_preambles_slave_master
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_last_device_variable_this=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_last_device_variable_this;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_last_device_variable_this;help:read_unique_identifier_long_tag_response_last_device_variable_this
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_configuration_change_counter=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_configuration_change_counter;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_configuration_change_counter;help:read_unique_identifier_long_tag_response_configuration_change_counter
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits;help:read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_function_check=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_function_check;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_function_check;help:read_unique_identifier_long_tag_response_extended_field_device_status_function_check
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification;help:read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_failure;help:read_unique_identifier_long_tag_response_extended_field_device_status_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure;help:read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert;help:read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required;help:read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_manufacturer_identification_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_manufacturer_identification_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_manufacturer_identification_code;help:read_unique_identifier_long_tag_response_manufacturer_identification_code
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_private_label_distributor_code=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_private_label_distributor_code;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_private_label_distributor_code;help:read_unique_identifier_long_tag_response_private_label_distributor_code
+zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_profile=db:zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_profile;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_unique_identifier_long_tag_response_device_profile;help:read_unique_identifier_long_tag_response_device_profile
+zeek.hart_ip_universal_commands.write_long_tag_long_tag=db:zeek.hart_ip_universal_commands.write_long_tag_long_tag;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:write_long_tag_long_tag;help:write_long_tag_long_tag
+zeek.hart_ip_universal_commands.reset_configuration_changed_flag_configuration_change_counter=db:zeek.hart_ip_universal_commands.reset_configuration_changed_flag_configuration_change_counter;group:zeek_hart_ip_universal_commands;kind:integer;friendly:reset_configuration_changed_flag_configuration_change_counter;help:reset_configuration_changed_flag_configuration_change_counter
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_0=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_0;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_device_specific_status_0;help:read_additional_device_status_contents_device_specific_status_0
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_extended_field_device_status_undefined_bits;help:read_additional_device_status_contents_extended_field_device_status_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_function_check=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_function_check;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_function_check;help:read_additional_device_status_contents_extended_field_device_status_function_check
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_out_of_specification=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_out_of_specification;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_out_of_specification;help:read_additional_device_status_contents_extended_field_device_status_out_of_specification
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_failure=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_failure;help:read_additional_device_status_contents_extended_field_device_status_failure
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_critical_power_failure=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_critical_power_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_critical_power_failure;help:read_additional_device_status_contents_extended_field_device_status_critical_power_failure
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_device_variable_alert=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_device_variable_alert;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_device_variable_alert;help:read_additional_device_status_contents_extended_field_device_status_device_variable_alert
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_maintenance_required=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_maintenance_required;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_extended_field_device_status_maintenance_required;help:read_additional_device_status_contents_extended_field_device_status_maintenance_required
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_operating_mode=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_operating_mode;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_device_operating_mode;help:read_additional_device_status_contents_device_operating_mode
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_configuration_lock=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_configuration_lock;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_device_configuration_lock;help:read_additional_device_status_contents_standardized_status0_device_configuration_lock
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_electronic_defect=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_electronic_defect;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_electronic_defect;help:read_additional_device_status_contents_standardized_status0_electronic_defect
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range;help:read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range;help:read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_watchdog_reset_executed=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_watchdog_reset_executed;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_watchdog_reset_executed;help:read_additional_device_status_contents_standardized_status0_watchdog_reset_executed
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_volatile_memory_defect=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_volatile_memory_defect;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_volatile_memory_defect;help:read_additional_device_status_contents_standardized_status0_volatile_memory_defect
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect;help:read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_variable_simulation_active=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_variable_simulation_active;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status0_device_variable_simulation_active;help:read_additional_device_status_contents_standardized_status0_device_variable_simulation_active
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_standardized_status1_undefined_bits;help:read_additional_device_status_contents_standardized_status1_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_reserved=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_reserved;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status1_reserved;help:read_additional_device_status_contents_standardized_status1_reserved
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance;help:read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_event_notification_overflow=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_event_notification_overflow;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status1_event_notification_overflow;help:read_additional_device_status_contents_standardized_status1_event_notification_overflow
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active;help:read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_status_simulation_active=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_status_simulation_active;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status1_status_simulation_active;help:read_additional_device_status_contents_standardized_status1_status_simulation_active
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_analog_channel_saturated_undefined_bits;help:read_additional_device_status_contents_analog_channel_saturated_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quinary_analog=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quinary_analog;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_analog_channel_saturated_quinary_analog;help:read_additional_device_status_contents_analog_channel_saturated_quinary_analog
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quaternary_analog=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quaternary_analog;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_analog_channel_saturated_quaternary_analog;help:read_additional_device_status_contents_analog_channel_saturated_quaternary_analog
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_tertiary_analog=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_tertiary_analog;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_analog_channel_saturated_tertiary_analog;help:read_additional_device_status_contents_analog_channel_saturated_tertiary_analog
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_secondary_analog=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_secondary_analog;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_analog_channel_saturated_secondary_analog;help:read_additional_device_status_contents_analog_channel_saturated_secondary_analog
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_standardized_status2_undefined_bits;help:read_additional_device_status_contents_standardized_status2_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_stale_data_notice=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_stale_data_notice;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status2_stale_data_notice;help:read_additional_device_status_contents_standardized_status2_stale_data_notice
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id;help:read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_mismatch=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_mismatch;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status2_sub_device_mismatch;help:read_additional_device_status_contents_standardized_status2_sub_device_mismatch
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_duplicate_master_detected=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_duplicate_master_detected;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status2_duplicate_master_detected;help:read_additional_device_status_contents_standardized_status2_duplicate_master_detected
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_list_changed=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_list_changed;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status2_sub_device_list_changed;help:read_additional_device_status_contents_standardized_status2_sub_device_list_changed
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_standardized_status3_undefined_bits;help:read_additional_device_status_contents_standardized_status3_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_radio_failure=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_radio_failure;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status3_radio_failure;help:read_additional_device_status_contents_standardized_status3_radio_failure
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_block_transfer_pending=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_block_transfer_pending;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status3_block_transfer_pending;help:read_additional_device_status_contents_standardized_status3_block_transfer_pending
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending;help:read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_resereved=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_resereved;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status3_resereved;help:read_additional_device_status_contents_standardized_status3_resereved
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_capacity_denied=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_capacity_denied;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_standardized_status3_capacity_denied;help:read_additional_device_status_contents_standardized_status3_capacity_denied
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_undefined_bits=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_undefined_bits;group:zeek_hart_ip_universal_commands;kind:integer;friendly:read_additional_device_status_contents_analog_channel_undefined_bits;help:read_additional_device_status_contents_analog_channel_undefined_bits
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_analog_channel=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_analog_channel;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_analog_channel_analog_channel;help:read_additional_device_status_contents_analog_channel_analog_channel
+zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_1=db:zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_1;group:zeek_hart_ip_universal_commands;kind:termfield;friendly:read_additional_device_status_contents_device_specific_status_1;help:read_additional_device_status_contents_device_specific_status_1
+
# http.log
# https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
zeek.http.trans_depth=db:zeek.http.trans_depth;group:zeek_http;kind:integer;viewerOnly:true;friendly:Pipeline Depth;help:Pipeline Depth
@@ -621,6 +1232,8 @@ zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:term
zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST User;help:POST User
zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST Password;help:POST Password
zeek.http.ja4h=db:zeek.http.ja4h;group:zeek_http;kind:termfield;viewerOnly:true;friendly:JA4 HTTP Fingerprint;help:JA4 HTTP Fingerprint
+zeek.http.client_header_names=db:zeek.http.client_header_names;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Client Header Names;help:Client Header Names
+zeek.http.server_header_names=db:zeek.http.server_header_names;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Server Header Names;help:Server Header Names
# intel.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
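Review bot: The two fields added in this hunk, `zeek.http.client_header_names` and `zeek.http.server_header_names`, carry help text that only repeats the friendly name, and the single reference comment for this section points at the base http.log record type, which does not define them. They look like the output of Zeek's header-names policy script (an inference from the names, not shown here); if so, add a second reference comment beside the http.log one pointing at that script, and give the help text something an analyst can use, e.g. `help:Names of request headers as sent by the client` / `help:Names of response headers as sent by the server`. If the producing script preserves header order, say so in the help text, since header ordering is a client-fingerprinting signal in the same family as the `ja4h` field two lines above; confirm that against the script before asserting it.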
@@ -709,6 +1322,10 @@ zeek.known_certs.serial=db:zeek.known_certs.serial;group:zeek_x509;kind:termfiel
# https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
zeek.known_modbus.device_type=db:zeek.known_modbus.device_type;group:zeek_modbus;kind:termfield;viewerOnly:true;friendly:Role;help:Role
+# known_routers.log
+zeek.known_routers.ttl=db:zeek.known_routers.ttl;group:zeek_conn;kind:integer;viewerOnly:true;friendly:IPv4 Packet Time To Live;help:IPv4 Packet Time To Live
+zeek.known_routers.hlim=db:zeek.known_routers.hlim;group:zeek_conn;kind:termfield;viewerOnly:true;friendly:IPv6 Packet Hop Limit;help:IPv6 Packet Hop Limit
+
# ldap.log
# https://github.com/zeek/spicy-ldap/blob/main/analyzer/main.zeek
zeek.ldap.message_id=db:zeek.ldap.message_id;group:zeek_ldap;kind:termfield;viewerOnly:true;friendly:Message ID;help:Message ID
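Review bot: `zeek.known_routers.hlim` is declared `kind:termfield` while its IPv4 counterpart `zeek.known_routers.ttl` on the line above is `kind:integer`; both are packet hop counters, so if hlim is a numeric count like ttl the termfield kind loses numeric range filtering, and an analyst could filter for low-TTL IPv4 traffic from a router but not the equivalent IPv6 hop-limit condition. For parity change it to `zeek.known_routers.hlim=db:zeek.known_routers.hlim;group:zeek_conn;kind:integer;viewerOnly:true;friendly:IPv6 Packet Hop Limit;help:IPv6 Packet Hop Limit`, unless the index mapping genuinely stores it as a string, in which case the mapping is what should be fixed. The new `# known_routers.log` section is also the only one here without a comment pointing at the script that produces the log; adding one would let a reader check both the field types and the `group:zeek_conn` placement against the source.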
@@ -2685,9 +3302,9 @@ o_zeek_bsap_ip_rdb=require:zeek.bsap_ip_rdb;title:Zeek bsap_ip_rdb.log;fields:ze
o_zeek_bsap_serial_header=require:zeek.bsap_serial_header;title:Zeek bsap_serial_header.log;fields:zeek.bsap_serial_header.ctl,zeek.bsap_serial_header.dadd,zeek.bsap_serial_header.dfun,zeek.bsap_serial_header.nsb,zeek.bsap_serial_header.sadd,zeek.bsap_serial_header.seq,zeek.bsap_serial_header.ser,zeek.bsap_serial_header.sfun,zeek.bsap_serial_header.type_name
o_zeek_bsap_serial_rdb=require:zeek.bsap_serial_rdb;title:Zeek bsap_serial_rdb.log;fields:zeek.bsap_serial_rdb.variables.var,zeek.bsap_serial_rdb.variables.val,zeek.bsap_serial_rdb.variable_count,zeek.bsap_serial_rdb.func_code
o_zeek_bsap_serial_rdb_ext=require:zeek.bsap_serial_rdb_ext;title:Zeek bsap_serial_rdb_ext.log;fields:zeek.bsap_serial_rdb_ext.data,zeek.bsap_serial_rdb_ext.dfun,zeek.bsap_serial_rdb_ext.extfun,zeek.bsap_serial_rdb_ext.nsb,zeek.bsap_serial_rdb_ext.seq,zeek.bsap_serial_rdb_ext.sfun
-o_zeek_cip=require:zeek.cip;title:Zeek cip.log;fields:zeek.cip.cip_sequence_count,zeek.cip.direction,zeek.cip.cip_service,zeek.cip.cip_service_code,zeek.cip.cip_status,zeek.cip.class_id,zeek.cip.class_name,zeek.cip.instance_id,zeek.cip.attribute_id,zeek.cip.cip_status_code,zeek.cip.cip_extended_status_code,zeek.cip.cip_extended_status
-o_zeek_cip_identity=require:zeek.cip_identity;title:Zeek cip_identity.log;fields:zeek.cip_identity.encapsulation_version,zeek.cip_identity.socket_address,zeek.cip_identity.socket_address_geo.city_name,zeek.cip_identity.socket_address_geo.country_name,zeek.cip_identity.socket_address_asn,zeek.cip_identity.socket_port,zeek.cip_identity.vendor_id,zeek.cip_identity.vendor_name,zeek.cip_identity.device_type_id,zeek.cip_identity.device_type_name,zeek.cip_identity.product_code,zeek.cip_identity.revision,zeek.cip_identity.device_status,zeek.cip_identity.serial_number,zeek.cip_identity.product_name,zeek.cip_identity.device_state
-o_zeek_cip_io=require:zeek.cip_io;title:Zeek cip_io.log;fields:zeek.cip_io.connection_id,zeek.cip_io.sequence_number,zeek.cip_io.data_length,zeek.cip_io.io_data
+o_zeek_cip=require:zeek.cip;title:Zeek cip.log;fields:zeek.cip.packet_correlation_id,zeek.cip.cip_sequence_count,zeek.cip.direction,zeek.cip.cip_service,zeek.cip.cip_service_code,zeek.cip.cip_status,zeek.cip.class_id,zeek.cip.class_name,zeek.cip.instance_id,zeek.cip.attribute_id,zeek.cip.cip_status_code,zeek.cip.cip_extended_status_code,zeek.cip.cip_extended_status
+o_zeek_cip_identity=require:zeek.cip_identity;title:Zeek cip_identity.log;fields:zeek.cip.packet_correlation_id,zeek.cip_identity.encapsulation_version,zeek.cip_identity.socket_address,zeek.cip_identity.socket_address_geo.city_name,zeek.cip_identity.socket_address_geo.country_name,zeek.cip_identity.socket_address_asn,zeek.cip_identity.socket_port,zeek.cip_identity.vendor_id,zeek.cip_identity.vendor_name,zeek.cip_identity.device_type_id,zeek.cip_identity.device_type_name,zeek.cip_identity.product_code,zeek.cip_identity.revision,zeek.cip_identity.device_status,zeek.cip_identity.serial_number,zeek.cip_identity.product_name,zeek.cip_identity.device_state
+o_zeek_cip_io=require:zeek.cip_io;title:Zeek cip_io.log;fields:zeek.cip.packet_correlation_id,zeek.cip_io.connection_id,zeek.cip_io.sequence_number,zeek.cip_io.data_length,zeek.cip_io.io_data
o_zeek_conn=require:zeek.conn;title:Zeek conn.log;fields:zeek.conn.duration,zeek.conn.orig_bytes,zeek.conn.resp_bytes,zeek.conn.conn_state,zeek.conn.conn_state_description,zeek.conn.local_orig,zeek.conn.local_resp,zeek.conn.missed_bytes,zeek.conn.history,zeek.conn.orig_pkts,zeek.conn.orig_ip_bytes,zeek.conn.resp_pkts,zeek.conn.resp_ip_bytes,zeek.conn.tunnel_parents,zeek.conn.vlan,zeek.conn.inner_vlan,zeek.conn.ja4l,zeek.conn.ja4ls,zeek.conn.ja4t,zeek.conn.ja4ts
o_zeek_cotp=require:zeek.cotp;title:Zeek cotp.log;fields:zeek.cotp.pdu_code,zeek.cotp.pdu_name
o_zeek_dce_rpc=require:zeek.dce_rpc;title:Zeek dce_rpc.log;fields:zeek.dce_rpc.rtt,zeek.dce_rpc.named_pipe,zeek.dce_rpc.endpoint,zeek.dce_rpc.operation
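Review bot: The rebuilt `o_zeek_cip_identity` and `o_zeek_cip_io` views now list `zeek.cip.packet_correlation_id`, while every other field in those views is under `zeek.cip_identity.*` or `zeek.cip_io.*` and each view is gated by `require:` on its own log's prefix; unless the ingest pipeline copies the correlation id into `zeek.cip.*` on cip_identity and cip_io documents (not visible in this diff), that column will render empty for those logs. Confirm where the id is populated; if it is a per-log field, reference it as `zeek.cip_identity.packet_correlation_id` and `zeek.cip_io.packet_correlation_id` with matching field definitions. If a shared `zeek.cip.*` key is deliberate so that enip, cip, cip_identity and cip_io records can be pivoted on one correlation value, a one-line comment above `o_zeek_cip` stating that would spare the next reader the same question.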
@@ -2705,13 +3322,18 @@ o_zeek_ecat_foe_info=require:zeek.ecat_foe_info;title:Zeek ecat_foe_info.log;fie
o_zeek_ecat_log_address=require:zeek.ecat_log_address;title:Zeek ecat_log_address.log;fields:zeek.ecat_log_address.log_addr,zeek.ecat_log_address.length,zeek.ecat_log_address.command,zeek.ecat_log_address.data
o_zeek_ecat_registers=require:zeek.ecat_registers;title:Zeek ecat_registers.log;fields:zeek.ecat_registers.command,zeek.ecat_registers.server_addr,zeek.ecat_registers.register_type,zeek.ecat_registers.register_addr,zeek.ecat_registers.data
o_zeek_ecat_soe_info=require:zeek.ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek.ecat_soe_info.opcode,zeek.ecat_soe_info.incomplete,zeek.ecat_soe_info.error,zeek.ecat_soe_info.drive_num,zeek.ecat_soe_info.element,zeek.ecat_soe_info.index
-o_zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.enip_command_code,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
+o_zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.cip.packet_correlation_id,zeek.enip.enip_command,zeek.enip.enip_command_code,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
o_zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.ftime,zeek.files.duration,zeek.files.local_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_uri,zeek.files.extracted_cutoff,zeek.files.extracted_size
o_zeek_ftp=require:zeek.ftp;title:Zeek ftp.log;fields:zeek.ftp.command,zeek.ftp.arg,zeek.ftp.mime_type,zeek.ftp.file_size,zeek.ftp.reply_code,zeek.ftp.reply_msg,zeek.ftp.data_channel.passive,zeek.ftp.data_channel.orig_h,zeek.ftp.data_channel.resp_h,zeek.ftp.data_channel.resp_p
o_zeek_ge_srtp=require:zeek.ge_srtp;title:Zeek ge_srtp.log;fields:zeek.ge_srtp.srtp_type,zeek.ge_srtp.sequence_number_1,zeek.ge_srtp.text_length,zeek.ge_srtp.time_seconds,zeek.ge_srtp.time_minutes,zeek.ge_srtp.time_hours,zeek.ge_srtp.sequence_number_2,zeek.ge_srtp.message_type,zeek.ge_srtp.mailbox_source,zeek.ge_srtp.mailbox_destination,zeek.ge_srtp.packet_number,zeek.ge_srtp.total_packet_number,zeek.ge_srtp.service_request_code,zeek.ge_srtp.segment_selector,zeek.ge_srtp.memory_offset,zeek.ge_srtp.data_length,zeek.ge_srtp.status_code,zeek.ge_srtp.minor_status_code,zeek.ge_srtp.data_requested,zeek.ge_srtp.control_program_number,zeek.ge_srtp.current_privilege_level,zeek.ge_srtp.last_sweep_time,zeek.ge_srtp.oversweep_flag,zeek.ge_srtp.constant_sweep_mode,zeek.ge_srtp.plc_fault_entry_last_read,zeek.ge_srtp.io_fault_entry_last_read,zeek.ge_srtp.plc_fault_entry_present,zeek.ge_srtp.io_fault_entry_present,zeek.ge_srtp.programmer_attachment,zeek.ge_srtp.front_panel_enable_switch,zeek.ge_srtp.front_panel_run_switch,zeek.ge_srtp.oem_protected,zeek.ge_srtp.plc_state
o_zeek_genisys=require:zeek.genisys;title:Zeek genisys.log;fields:zeek.genisys.header,zeek.genisys.server,zeek.genisys.direction,zeek.genisys.crc_transmitted,zeek.genisys.crc_calculated,zeek.genisys.payload.address,zeek.genisys.payload.data
o_zeek_gquic=require:zeek.gquic;title:Zeek gquic.log;fields:zeek.gquic.version,zeek.gquic.server_name,zeek.gquic.user_agent,zeek.gquic.tag_count,zeek.gquic.cyu,zeek.gquic.cyutags
-o_zeek_http=require:zeek.http;title:Zeek http.log;fields:zeek.http.trans_depth,zeek.http.method,zeek.http.host,zeek.http.uri,zeek.http.origin,zeek.http.post_password_plain,zeek.http.post_username,zeek.http.referrer,zeek.http.version,zeek.http.user_agent,zeek.http.request_body_len,zeek.http.response_body_len,zeek.http.status_code,zeek.http.status_msg,zeek.http.info_code,zeek.http.info_msg,zeek.http.tags,zeek.http.proxied,zeek.http.orig_fuids,zeek.http.orig_filenames,zeek.http.orig_mime_types,zeek.http.resp_fuids,zeek.http.resp_filenames,zeek.http.resp_mime_types,zeek.http.ja4h
+o_zeek_hart_ip_common_commands=require:zeek.hart_ip_common_commands;title:Zeek hart_ip_common_commands.log;fields:zeek.hart_ip.command_number_link_id,zeek.hart_ip_common_commands.read_device_variables_request_slot0_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_request_slot1_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_request_slot2_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_request_slot3_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_response_slot0_units_code,zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable,zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_response_slot1_units_code,zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable,zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_response_slot2_units_code,zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable,zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable_code,zeek.hart_ip_common_commands.read_device_variables_response_slot3_units_code,zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable,zeek.hart_ip_common_commands.write_primary_variable_damping_value_pv_damping_value,zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code,zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_range_value,zeek.hart_ip_common_commands.write_primary_variable_range_values_p_v_lower_range_value,zeek.hart_ip_common_commands.eeprom_control_eeprom_control_code,zeek.hart_ip_common_commands.enter_exit_fixed_current_mode_pv_fixed_current_level,zeek.hart_i
p_common_commands.write_primary_variable_units_pv_unit_codes,zeek.hart_ip_common_commands.trim_loop_current_zero_measured_pv_loop_current_level,zeek.hart_ip_common_commands.trim_loop_current_gain_measured_pv_loop_current_level,zeek.hart_ip_common_commands.write_primary_variable_transfer_function_p_v_transfer_function_code,zeek.hart_ip_common_commands.write_primary_variable_transducer_serial_number_pv_transducer_serial_number,zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable,zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable,zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable,zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable,zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable,zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable,zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable,zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable,zeek.hart_ip_common_commands.set_device_variable_zero_device_variable_zeroed,zeek.hart_ip_common_commands.write_device_variable_units_device_variable_code,zeek.hart_ip_common_commands.write_device_variable_units_device_variable_units_code,zeek.hart_ip_common_commands.read_device_variable_information_request_device_variable_code,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_code,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_transducer_serial_number,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_limits_minimum_span_units_code,zee
k.hart_ip_common_commands.read_device_variable_information_response_device_variable_upper_transducer_limit,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_lower_transducer_limit,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_damping_value,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_minimum_span,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_classification,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_family,zeek.hart_ip_common_commands.read_device_variable_information_response_acquisition_period,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_simulated,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_undefined_bits_1_6,zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_input,zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_code,zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_damping_value,zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_code,zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_transducer_serial_number,zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_tag,zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_descriptor,zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_date,zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_tag,zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_descriptor,zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_date,zeek.hart_ip_common_commands.write_number_of_response_preambles_number_of_preambles,zeek.hart_ip_common_commands.read_an
alog_channel_and_percent_of_range_request_analog_channel_number_code,zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_number_code,zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_units_code,zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_level,zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code,zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable,zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot0,zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot1,zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot2,z
eek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot3,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot0,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot0,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot0,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot1,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot1,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot1,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot2,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot2,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot2,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot3,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot3,zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot3,zeek.hart_ip_common_commands.read_analog_channel_information_request_analog_channel_number_code,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_number_code,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_alarm_selection_code,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_transfer_function_code,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_range_value,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_lower_range_value,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_damping_val
ue,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_simulated,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6,zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_input,zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_number_code,zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_damping_value,zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_number_code,zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code,zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_range_value,zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_lower_range_value,zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_number_code,zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_units_code,zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level,zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_number_code,zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_units_code,zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_level,zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_number_code,zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_units_code,zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_level,zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_number_code,zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_units_code,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_request_analog_channel_number_code,zeek.hart_ip_common_commands.read_anal
og_channel_endpoint_values_response_analog_channel_number_code,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value,zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value,zeek.hart_ip_common_commands.lock_device_lock_code,zeek.hart_ip_common_commands.squawk_squawk_control,zeek.hart_ip_common_commands.find_device_response_254,zeek.hart_ip_common_commands.find_device_response_expanded_device_type,zeek.hart_ip_common_commands.find_device_response_minimum_preambles_master_slave,zeek.hart_ip_common_commands.find_device_response_hart_protocol_major_revision,zeek.hart_ip_common_commands.find_device_response_device_revision_level,zeek.hart_ip_common_commands.find_device_response_software_revision_level,zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level,zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code,zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_in_multi_drop_only,zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_capable_field_device,zeek.hart_ip_common_commands.find_device_response_flags_undefined_5,zeek.hart_ip_common_commands.find_device_response_flags_safehart_capable_field_device,zeek.hart_ip_common_commands.find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation,zeek.hart_ip_common_commands.find_device_response_flags_protocol_bridge_device,zeek.hart_ip_common_commands.find_device_response_flags_eeprom_control,zeek.hart_ip_common_c
ommands.find_device_response_flags_mutli_sensor_field_device,zeek.hart_ip_common_commands.find_device_response_device_id,zeek.hart_ip_common_commands.find_device_response_number_preambles_slave_master,zeek.hart_ip_common_commands.find_device_response_last_device_variable_this,zeek.hart_ip_common_commands.find_device_response_configuration_change_counter,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_undefined_bits,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_function_check,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_out_of_specification,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_failure,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_maintenance_required,zeek.hart_ip_common_commands.find_device_response_manufacturer_identification_code,zeek.hart_ip_common_commands.find_device_response_private_label_distributor_code,zeek.hart_ip_common_commands.find_device_response_device_profile,zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_io_cards,zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_channels_per_io_card,zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_sub_devices_per_channel,zeek.hart_ip_common_commands.read_io_system_capabilities_response_number_of_devices_detected,zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_delayed_responses_supported,zeek.hart_ip_common_commands.read_io_system_capabilities_response_master_mode,zeek.hart_ip_common_commands.read_io_system_capabilities_response_retry_count,zeek.hart_ip_common_commands.poll_sub_device_request_io_card,zeek.hart_ip_common_commands.poll_sub_device_request_channel,zeek
.hart_ip_common_commands.poll_sub_device_request_sub_device_polling_address,zeek.hart_ip_common_commands.poll_sub_device_response_254,zeek.hart_ip_common_commands.poll_sub_device_response_expanded_device_type,zeek.hart_ip_common_commands.poll_sub_device_response_minimum_preambles_master_slave,zeek.hart_ip_common_commands.poll_sub_device_response_hart_protocol_major_revision,zeek.hart_ip_common_commands.poll_sub_device_response_device_revision_level,zeek.hart_ip_common_commands.poll_sub_device_response_software_revision_level,zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level,zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code,zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_in_multi_drop_only,zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_capable_field_device,zeek.hart_ip_common_commands.poll_sub_device_response_flags_undefined_5,zeek.hart_ip_common_commands.poll_sub_device_response_flags_safehart_capable_field_device,zeek.hart_ip_common_commands.poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation,zeek.hart_ip_common_commands.poll_sub_device_response_flags_protocol_bridge_device,zeek.hart_ip_common_commands.poll_sub_device_response_flags_eeprom_control,zeek.hart_ip_common_commands.poll_sub_device_response_flags_mutli_sensor_field_device,zeek.hart_ip_common_commands.poll_sub_device_response_device_id,zeek.hart_ip_common_commands.poll_sub_device_response_number_preambles_slave_master,zeek.hart_ip_common_commands.poll_sub_device_response_last_device_variable_this,zeek.hart_ip_common_commands.poll_sub_device_response_configuration_change_counter,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_undefined_bits,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_function_check,zeek.hart_ip_common_com
mands.poll_sub_device_response_extended_field_device_status_out_of_specification,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_failure,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_maintenance_required,zeek.hart_ip_common_commands.poll_sub_device_response_manufacturer_identification_code,zeek.hart_ip_common_commands.poll_sub_device_response_private_label_distributor_code,zeek.hart_ip_common_commands.poll_sub_device_response_device_profile,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_undefined_bits,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_gateway,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_configuration_locked,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_primary,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_permanent,zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_device_locked,zeek.hart_ip_common_commands.write_device_variable_device_variable_code,zeek.hart_ip_common_commands.write_device_variable_write_device_variable_command_code,zeek.hart_ip_common_commands.write_device_variable_units_code,zeek.hart_ip_common_commands.write_device_variable_device_variable_value,zeek.hart_ip_common_commands.write_device_variable_device_variable_status_process_data_status,zeek.hart_ip_common_commands.write_device_variable_device_variable_status_limit_status,zeek.hart_ip_common_commands.write_device_variable_device_variable_status_more_device_variable_status_available,zeek.hart_ip_common_commands.write_device_variable_device_variable_status_device_family_specific_status,zeek.hart_ip_common_commands.read_device_variable_tri
m_points_device_variable_code,zeek.hart_ip_common_commands.read_device_variable_trim_points_response_trim_points_units_code,zeek.hart_ip_common_commands.read_device_variable_trim_points_response_lower_or_single_trim_point,zeek.hart_ip_common_commands.read_device_variable_trim_points_response_upper_trim_point,zeek.hart_ip_common_commands.read_device_variable_trim_guidelines_device_variable_guidelines,zeek.hart_ip_common_commands.write_device_variable_trim_point_device_variable_to_trim,zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point,zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_points_units_code,zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point_value,zeek.hart_ip_common_commands.reset_device_variable_trim_device_variable_trim_to_reset,zeek.hart_ip_common_commands.read_sub_device_identity_summary_sub_device_index,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_io_card,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_channel,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_manufacturer_identification_code,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_expanded_device_type,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_id,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_universal_command_revision_level,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_long_tag,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_revision,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_profile,zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_private_label_distributor_code,zeek.hart_ip_common_commands.read_io_channel_statistics_io_card,zeek.hart_ip_common_commands.read_io_channel_statistics_channel,zeek.hart_ip_common_commands.read_io_channel_statistics_response_stx_count,zeek.hart_ip
_common_commands.read_io_channel_statistics_response_ack_count,zeek.hart_ip_common_commands.read_io_channel_statistics_response_ostx_count,zeek.hart_ip_common_commands.read_io_channel_statistics_response_oack_count,zeek.hart_ip_common_commands.read_io_channel_statistics_response_back_count,zeek.hart_ip_common_commands.read_sub_device_statistics_sub_device_index,zeek.hart_ip_common_commands.read_sub_device_statistics_response_stx_count,zeek.hart_ip_common_commands.read_sub_device_statistics_response_ack_count,zeek.hart_ip_common_commands.read_sub_device_statistics_response_back_count,zeek.hart_ip_common_commands.write_io_system_master_mode_master_mode,zeek.hart_ip_common_commands.write_io_system_retry_count_retry_count,zeek.hart_ip_common_commands.set_real_time_clock_time_set_code,zeek.hart_ip_common_commands.set_real_time_clock_date,zeek.hart_ip_common_commands.set_real_time_clock_time_of_day,zeek.hart_ip_common_commands.set_real_time_clock_null_bytes
+o_zeek_hart_ip_direct_pdu_command=require:zeek.hart_ip_direct_pdu_command;title:Zeek hart_ip_direct_pdu_command.log;fields:zeek.hart_ip.direct_pdu_command_link_id,zeek.hart_ip.command_number_link_id,zeek.hart_ip_direct_pdu_command.direct_pdu_command_data_data,zeek.hart_ip_direct_pdu_command.direct_pdu_command_command_number,zeek.hart_ip_direct_pdu_command.direct_pdu_command_byte_count,zeek.hart_ip_direct_pdu_command.direct_pdu_contents_response_response_code
+o_zeek_hart_ip=require:zeek.hart_ip;title:Zeek hart_ip.log;fields:zeek.hart_ip.command_number_link_id,zeek.hart_ip.direct_pdu_command_link_id,zeek.hart_ip.session_log_record_link_id,zeek.hart_ip.message_packet_bytes,zeek.hart_ip.header_version,zeek.hart_ip.header_message_type_reserved,zeek.hart_ip.header_message_type_message_type,zeek.hart_ip.header_message_id,zeek.hart_ip.header_status_code,zeek.hart_ip.header_sequence_number,zeek.hart_ip.header_length,zeek.hart_ip.session_initiate_master_type,zeek.hart_ip.session_initiate_inactivity_close_timer,zeek.hart_ip.token_passing_pdu_delimiter_address_type,zeek.hart_ip.token_passing_pdu_delimiter_expansion_bytes,zeek.hart_ip.token_passing_pdu_delimiter_physical_layer_type,zeek.hart_ip.token_passing_pdu_delimiter_frame_type,zeek.hart_ip.token_passing_pdu_address_v4,zeek.hart_ip.token_passing_pdu_address_v6,zeek.hart_ip.token_passing_pdu_command_number,zeek.hart_ip.token_passing_pdu_byte_count,zeek.hart_ip.token_passing_pdu_check_byte,zeek.hart_ip.token_passing_pdu_contents_data_data,zeek.hart_ip.token_passing_pdu_contents_response_response_code,zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction,zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed,zeek.hart_ip.token_passing_pdu_contents_response_device_status_cold_start,zeek.hart_ip.token_passing_pdu_contents_response_device_status_more_status_available,zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_fixed,zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_saturated,zeek.hart_ip.token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits,zeek.hart_ip.token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits,zeek.hart_ip.direct_pdu_device_status_device_malfunction,zeek.hart_ip.direct_pdu_device_status_configuration_changed,zeek.hart_ip.direct_pdu_device_status_cold_start,zeek.hart_ip.direct_pdu_device_status_more_
status_available,zeek.hart_ip.direct_pdu_device_status_loop_current_fixed,zeek.hart_ip.direct_pdu_device_status_loop_current_saturated,zeek.hart_ip.direct_pdu_device_status_non_primary_variable_out_of_limits,zeek.hart_ip.direct_pdu_device_status_primary_variable_out_of_limits,zeek.hart_ip.direct_pdu_extended_status_undefined_bits,zeek.hart_ip.direct_pdu_extended_status_function_check,zeek.hart_ip.direct_pdu_extended_status_out_of_specification,zeek.hart_ip.direct_pdu_extended_status_failure,zeek.hart_ip.direct_pdu_extended_status_critical_power_failure,zeek.hart_ip.direct_pdu_extended_status_device_variable_alert,zeek.hart_ip.direct_pdu_extended_status_maintenance_required,zeek.hart_ip.read_audit_log_start_record,zeek.hart_ip.read_audit_log_number_of_records,zeek.hart_ip.read_audit_log_power_up_time,zeek.hart_ip.read_audit_log_last_security_change,zeek.hart_ip.read_audit_log_server_status_undefined_bits,zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection,zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed,zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server,zeek.hart_ip.read_audit_log_session_record_size
+o_zeek_hart_ip_session_record=require:zeek.hart_ip_session_record;title:Zeek hart_ip_session_record.log;fields:zeek.hart_ip.session_log_record_link_id,zeek.hart_ip_session_record.session_log_record_client_i_pv4_address,zeek.hart_ip_session_record.session_log_record_client_i_pv6_address,zeek.hart_ip_session_record.session_log_record_client_port,zeek.hart_ip_session_record.session_log_record_server_port,zeek.hart_ip_session_record.session_log_record_connect_time,zeek.hart_ip_session_record.session_log_record_disconnect_time,zeek.hart_ip_session_record.session_log_record_session_status_summary_undefined_bits,zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session,zeek.hart_ip_session_record.session_log_record_session_status_summary_session_timeout,zeek.hart_ip_session_record.session_log_record_session_status_summary_aborted_session,zeek.hart_ip_session_record.session_log_record_session_status_summary_bad_session_initialization,zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured,zeek.hart_ip_session_record.session_log_record_start_configuration_change_count,zeek.hart_ip_session_record.session_log_record_end_configuration_change_count,zeek.hart_ip_session_record.session_log_record_num_publish_pdu,zeek.hart_ip_session_record.session_log_record_num_request_pdu,zeek.hart_ip_session_record.session_log_record_num_response_pdu
+o_zeek_hart_ip_universal_commands=require:zeek.hart_ip_universal_commands;title:Zeek hart_ip_universal_commands.log;fields:zeek.hart_ip.command_number_link_id,zeek.hart_ip_universal_commands.read_unique_identifier_response_254,zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type,zeek.hart_ip_universal_commands.read_unique_identifier_response_minimum_preambles_master_slave,zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision,zeek.hart_ip_universal_commands.read_unique_identifier_response_device_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_response_software_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_in_multi_drop_only,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_undefined_5,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_safehart_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_protocol_bridge_device,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_eeprom_control,zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_mutli_sensor_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_response_device_id,zeek.hart_ip_universal_commands.read_unique_identifier_response_number_preambles_slave_master,zeek.hart_ip_universal_commands.read_unique_identifier_response_last_device_variable_this,zeek.hart_ip_universal_comma
nds.read_unique_identifier_response_configuration_change_counter,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_undefined_bits,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_function_check,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_out_of_specification,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_failure,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_maintenance_required,zeek.hart_ip_universal_commands.read_unique_identifier_response_manufacturer_identification_code,zeek.hart_ip_universal_commands.read_unique_identifier_response_private_label_distributor_code,zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile,zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable_units,zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable,zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_loop_current,zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_percent_range,zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_loop_current,zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_units,zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable,zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable_units,zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable,zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable_units,zeek.hart_ip_universal_comm
ands.read_dynamic_variable_response_tertiary_variable,zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable_units,zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable,zeek.hart_ip_universal_commands.write_polling_address_polling_address_device,zeek.hart_ip_universal_commands.write_polling_address_loop_current_mode,zeek.hart_ip_universal_commands.read_loop_configuration_response_polling_address_device,zeek.hart_ip_universal_commands.read_loop_configuration_response_loop_current_mode,zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_primary_variable_classification,zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_secondary_variable_classification,zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_tertiary_variable_classification,zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_quaternary_variable_classification,zeek.hart_ip_universal_commands.read_device_variable_request_slot0_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot1_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot2_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot3_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot4_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot5_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot6_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_request_slot7_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_undefined_bits,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_function_check,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_stat
us_out_of_specification,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_failure,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_maintenance_required,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_v
ariable_response_slot1_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_units_code,zeek.hart_ip_universal_commands.read_device_variable
_response_slot4_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available,zeek.hart_
ip_universal_commands.read_device_variable_response_slot6_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_class,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_units_code,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_process_data_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_limit_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available,zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_device_family_specific_status,zeek.hart_ip_universal_commands.read_device_variable_response_slot0_time,zeek.hart_ip_universal_commands.read_unique_identifier_tag_request_tag,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_254,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_expanded_device_type,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_minimum_preambles_master_slave,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hart_protocol_major_revision,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_software_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only,zeek.hart
_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_undefined_5,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_safehart_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_protocol_bridge_device,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_eeprom_control,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_mutli_sensor_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_id,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_number_preambles_slave_master,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_last_device_variable_this,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_configuration_change_counter,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_undefined_bits,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_function_check,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_out_of_specification,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_failure,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_maintenance_required,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_manufacturer_identification_code,zeek.hart_ip_universal_commands.read_unique_iden
tifier_tag_response_private_label_distributor_code,zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_profile,zeek.hart_ip_universal_commands.read_message_response_message,zeek.hart_ip_universal_commands.read_tag_response_tag,zeek.hart_ip_universal_commands.read_tag_response_descriptor,zeek.hart_ip_universal_commands.read_tag_response_date_code,zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_serial_number,zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_limits_units,zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_upper_transducer_limit,zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_lower_transducer_limit,zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_minimum_span,zeek.hart_ip_universal_commands.read_device_information_response_p_v_alarm_selection_code,zeek.hart_ip_universal_commands.read_device_information_response_p_v_transfer_function_code,zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_lower_range,zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_range_value,zeek.hart_ip_universal_commands.read_device_information_response_p_v_lower_range_value,zeek.hart_ip_universal_commands.read_device_information_response_p_v_damping_value,zeek.hart_ip_universal_commands.read_device_information_response_write_protect_code,zeek.hart_ip_universal_commands.read_device_information_response_250,zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_undefined_bits,zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_analog_channel,zeek.hart_ip_universal_commands.read_final_assembly_number_response_final_assembly_number,zeek.hart_ip_universal_commands.write_message_message_string,zeek.hart_ip_universal_commands
.write_tag_descriptor_date_tag,zeek.hart_ip_universal_commands.write_tag_descriptor_date_record_keeping_descriptor,zeek.hart_ip_universal_commands.write_tag_descriptor_date_date_code,zeek.hart_ip_universal_commands.write_final_assembly_number_final_assembly_number,zeek.hart_ip_universal_commands.read_long_tag_response_long_tag,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_request_long_tag,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_254,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_expanded_device_type,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_minimum_preambles_master_slave,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hart_protocol_major_revision,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_software_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_undefined_5,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_safehart_capable_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_protocol_bridge_device,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_eeprom_contr
ol,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_id,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_number_preambles_slave_master,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_last_device_variable_this,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_configuration_change_counter,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_function_check,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_failure,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_manufacturer_identification_code,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_private_label_distributor_code,zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_profile,zeek.hart_ip_universal_commands.write_long_tag_long_tag,zeek.hart_ip_universal_commands.reset_configuration_changed_flag_configuration_change_counter,zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_0,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_undefined_bits,zeek.ha
rt_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_function_check,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_out_of_specification,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_failure,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_critical_power_failure,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_device_variable_alert,zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_maintenance_required,zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_operating_mode,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_configuration_lock,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_electronic_defect,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_watchdog_reset_executed,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_volatile_memory_defect,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_variable_simulation_active,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_undefined_bits,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_reserved,zeek.hart_ip_universal_commands.r
ead_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_event_notification_overflow,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_status_simulation_active,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_undefined_bits,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quinary_analog,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quaternary_analog,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_tertiary_analog,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_secondary_analog,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_undefined_bits,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_stale_data_notice,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_mismatch,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_duplicate_master_detected,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_list_changed,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_undefined_bits,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_radio_failure,zeek.hart_ip_universal_commands.read_additional_device_status_contents_stand
ardized_status3_block_transfer_pending,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_resereved,zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_capacity_denied,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_undefined_bits,zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_analog_channel,zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_1
+o_zeek_http=require:zeek.http;title:Zeek http.log;fields:zeek.http.trans_depth,zeek.http.method,zeek.http.host,zeek.http.uri,zeek.http.origin,zeek.http.post_password_plain,zeek.http.post_username,zeek.http.referrer,zeek.http.version,zeek.http.user_agent,zeek.http.request_body_len,zeek.http.response_body_len,zeek.http.status_code,zeek.http.status_msg,zeek.http.info_code,zeek.http.info_msg,zeek.http.tags,zeek.http.proxied,zeek.http.orig_fuids,zeek.http.orig_filenames,zeek.http.orig_mime_types,zeek.http.resp_fuids,zeek.http.resp_filenames,zeek.http.resp_mime_types,zeek.http.ja4h,zeek.http.client_header_names,zeek.http.server_header_names
o_zeek_intel=require:zeek.intel;title:Zeek intel.log;fields:zeek.intel.cif_tags,zeek.intel.cif_confidence,zeek.intel.cif_source,zeek.intel.cif_description,zeek.intel.cif_firstseen,zeek.intel.cif_lastseen,zeek.intel.seen_indicator,zeek.intel.seen_indicator_type,zeek.intel.seen_where,zeek.intel.seen_node,zeek.intel.matched,zeek.intel.sources,zeek.intel.file_mime_type,zeek.intel.file_description
o_zeek_ipsec=require:zeek.ipsec;title:Zeek ipsec.log;fields:zeek.ipsec.initiator_spi,zeek.ipsec.responder_spi,zeek.ipsec.maj_ver,zeek.ipsec.min_ver,zeek.ipsec.exchange_type,zeek.ipsec.doi,zeek.ipsec.flag_e,zeek.ipsec.flag_c,zeek.ipsec.flag_a,zeek.ipsec.flag_i,zeek.ipsec.flag_v,zeek.ipsec.flag_r,zeek.ipsec.flags,zeek.ipsec.message_id,zeek.ipsec.vendor_ids,zeek.ipsec.notify_messages,zeek.ipsec.transforms,zeek.ipsec.ke_dh_groups,zeek.ipsec.proposals,zeek.ipsec.protocol_id,zeek.ipsec.certificates,zeek.ipsec.situation,zeek.ipsec.transform_attributes,zeek.ipsec.length,zeek.ipsec.hash
o_zeek_irc=require:zeek.irc;title:Zeek irc.log;fields:zeek.irc.nick,zeek.irc.command,zeek.irc.value,zeek.irc.addl,zeek.irc.dcc_file_name,zeek.irc.dcc_file_size,zeek.irc.dcc_mime_type
diff --git a/arkime/lua/.gitignore b/arkime/lua/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/arkime/lua/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+
diff --git a/arkime/rules/ssh_trunate.yml b/arkime/rules/ssh_truncate.yml
similarity index 100%
rename from arkime/rules/ssh_trunate.yml
rename to arkime/rules/ssh_truncate.yml
diff --git a/arkime/rules/tls_trunate.yml b/arkime/rules/tls_truncate.yml
similarity index 100%
rename from arkime/rules/tls_trunate.yml
rename to arkime/rules/tls_truncate.yml
diff --git a/arkime/scripts/arkime_update_geo.sh b/arkime/scripts/arkime_update_geo.sh
index aed3c1ccf..197f89f69 100755
--- a/arkime/scripts/arkime_update_geo.sh
+++ b/arkime/scripts/arkime_update_geo.sh
@@ -12,16 +12,4 @@ wget -nv -O oui.txt_new https://www.wireshark.org/download/automated/data/manuf
mv -f oui.txt_new oui.txt || \
rm -f oui.txt_new
-# MaxMind now requires a (free) license key to download the free versions of
-# their GeoIP databases. This should be provided as an environment variable.
-# see https://dev.maxmind.com/geoip/geoipupdate/#Direct_Downloads
-# see https://github.com/arkime/arkime/issues/1350
-# see https://github.com/arkime/arkime/issues/1352
-if [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]; then
- for DB in ASN Country City; do
- curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz" && \
- tar xf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \
- chmod 644 "GeoLite2-$DB.mmdb" && \
- rm -f "GeoLite2-$DB.mmdb.tar.gz"
- done
-fi
+/usr/local/bin/maxmind-mmdb-download.sh -o "$(pwd)"
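Review bot: The new last line calls `/usr/local/bin/maxmind-mmdb-download.sh -o "$(pwd)"` unconditionally and without checking its result, whereas the block it replaces only ran when `MAXMIND_GEOIP_DB_LICENSE_KEY` was set and was written as a best-effort download; whether the helper itself is best-effort is not visible here. If this script runs with `set -e` (not visible in the hunk) or the helper can be absent in some images, a guard such as `[[ -x /usr/local/bin/maxmind-mmdb-download.sh ]] && /usr/local/bin/maxmind-mmdb-download.sh -o "$(pwd)"` keeps the previous tolerance for a missing key or network. The removed comment explaining that MaxMind requires a license key is the only place that contract was documented; a one-line comment above the call, e.g. `# GeoLite2 download is delegated to the helper; it needs MAXMIND_GEOIP_DB_LICENSE_KEY (and an alternate source, if configured) from the environment`, keeps that knowledge in this file. Presumably the helper also honours whatever alternate download source the build passes in; if so, it should verify what it fetches, since the old block downloaded only from MaxMind's own endpoint.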
diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh
index f402996c4..d0f3eb7ad 100755
--- a/arkime/scripts/docker_entrypoint.sh
+++ b/arkime/scripts/docker_entrypoint.sh
@@ -10,6 +10,7 @@ function urlencodeall() {
ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"}
ARKIME_RULES_DIR=${ARKIME_RULES_DIR:-"/opt/arkime/rules"}
+ARKIME_LUA_DIR=${ARKIME_LUA_DIR:-"/opt/arkime/lua"}
ARKIME_CONFIG_FILE="${ARKIME_DIR}"/etc/config.ini
ARKIME_PASSWORD_SECRET=${ARKIME_PASSWORD_SECRET:-"Malcolm"}
ARKIME_FREESPACEG=${ARKIME_FREESPACEG:-"10%"}
@@ -150,6 +151,12 @@ if [[ ! -f "${ARKIME_CONFIG_FILE}" ]] && [[ -r "${ARKIME_DIR}"/etc/config.orig.i
sed -r -i "s|(rulesFiles)\s*=\s*.*|\1=$RULES_FILES|" "${ARKIME_CONFIG_FILE}"
fi
+ # lua plugins
+ if [[ -d "${ARKIME_LUA_DIR}" ]]; then
+ LUA_FILES="$(find "${ARKIME_LUA_DIR}" -mindepth 1 -maxdepth 1 -type f -size +0c -name '*.lua' | tr '\n' ';' | sed 's/;$//' )"
+ sed -r -i "s|(luaFiles)\s*=\s*.*|\1=$LUA_FILES|" "${ARKIME_CONFIG_FILE}"
+ fi
+
# comment-out features that are unused in hedgehog run profile mode and in live-capture mode
if [[ "$MALCOLM_PROFILE" == "hedgehog" ]] || [[ "$LIVE_CAPTURE" == "true" ]]; then
sed -i "s/^\(userNameHeader=\)/# \1/" "${ARKIME_CONFIG_FILE}"
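Review bot: `$LUA_FILES` is substituted unescaped into the sed replacement on the `luaFiles` line, so a plugin filename containing `&`, `|` or `\` corrupts the generated config (sed treats `&` as the matched text and `|` as the end of the expression); the existing `rulesFiles` line above has the same weakness, and since `ARKIME_LUA_DIR` is taken from the environment and its contents are user-supplied, the list should be escaped first: `LUA_FILES_ESC="$(printf '%s' "$LUA_FILES" | sed 's/[&|\\]/\\&/g')"` and `sed -r -i "s|(luaFiles)\s*=\s*.*|\1=$LUA_FILES_ESC|" "${ARKIME_CONFIG_FILE}"`. A short comment noting that an empty `find` result deliberately writes `luaFiles=` blank (presumably meaning no plugins) and that `-size +0c` skips empty files would make the intent explicit. The enclosing `if [[ ! -f "${ARKIME_CONFIG_FILE}" ]] ...` block starts and ends outside the hunk.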
@@ -157,7 +164,6 @@ if [[ ! -f "${ARKIME_CONFIG_FILE}" ]] && [[ -r "${ARKIME_DIR}"/etc/config.orig.i
sed -i "s/^\(userAutoCreateTmpl=\)/# \1/" "${ARKIME_CONFIG_FILE}"
sed -i "s/^\(wiseHost=\)/# \1/" "${ARKIME_CONFIG_FILE}"
sed -i "s/^\(wisePort=\)/# \1/" "${ARKIME_CONFIG_FILE}"
- sed -i "s/^\(plugins=\).*/# \1/" "${ARKIME_CONFIG_FILE}"
sed -i "s/^\(viewerPlugins=\)/# \1/" "${ARKIME_CONFIG_FILE}"
sed -i '/^\[custom-fields\]/,$d' "${ARKIME_CONFIG_FILE}"
fi
diff --git a/arkime/scripts/live_capture.sh b/arkime/scripts/live_capture.sh
index eb71ff24b..d45769383 100755
--- a/arkime/scripts/live_capture.sh
+++ b/arkime/scripts/live_capture.sh
@@ -67,8 +67,8 @@ until (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: applicatio
sleep 1
done
-# this will also allow viewer to kick off
-touch /var/run/arkime/initialized
+# this will also allow viewer and wise to kick off
+touch /var/run/arkime/initialized /var/run/arkime/runwise
echo "Arkime is initialized!"
echo
diff --git a/arkime/scripts/wise_service.sh b/arkime/scripts/wise_service.sh
index 199d39977..d717dda10 100755
--- a/arkime/scripts/wise_service.sh
+++ b/arkime/scripts/wise_service.sh
@@ -3,7 +3,7 @@
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
while true; do
- if [[ ("$WISE" == "on") && (-f /var/run/arkime/runwise) && (-f $ARKIME_DIR/etc/wise.ini) ]]; then
+ if [[ (("$WISE" == "on") || ("$ARKIME_LIVE_CAPTURE" == "true")) && (-f /var/run/arkime/runwise) && (-f $ARKIME_DIR/etc/wise.ini) ]]; then
echo "Launch wise..."
rm -f $ARKIME_DIR/logs/wise*
pushd $ARKIME_DIR/wiseService >/dev/null 2>&1
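Review bot: The new condition gates on `$ARKIME_LIVE_CAPTURE`, whereas docker_entrypoint.sh in this same commit tests `"$LIVE_CAPTURE" == "true"` for the live-capture case; if these are two distinct environment variables rather than aliases set by the container environment, one of the two scripts may never see the flag. Worth confirming both are exported, or settling on a single name in both scripts. The changed line would also read better with the reason stated, e.g. `# in live-capture mode WISE is launched regardless of $WISE; live_capture.sh touches runwise`. The `while true` loop body continues past the end of this hunk.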
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index c6cd5d68d..61d78ac52 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -813,6 +813,7 @@ class MalcolmSource extends WISESource {
"zeek.cip.class_name",
"zeek.cip.direction",
"zeek.cip.instance_id",
+ "zeek.cip.packet_correlation_id",
"zeek.cip_identity.device_state",
"zeek.cip_identity.device_status",
"zeek.cip_identity.device_type_id",
@@ -1043,10 +1044,605 @@ class MalcolmSource extends WISESource {
"zeek.gquic.tag_count",
"zeek.gquic.user_agent",
"zeek.gquic.version",
+ "zeek.hart_ip_common_commands.eeprom_control_eeprom_control_code",
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level",
+ "zeek.hart_ip_common_commands.enter_exit_fixed_current_mode_pv_fixed_current_level",
+ "zeek.hart_ip_common_commands.find_device_response_254",
+ "zeek.hart_ip_common_commands.find_device_response_configuration_change_counter",
+ "zeek.hart_ip_common_commands.find_device_response_device_id",
+ "zeek.hart_ip_common_commands.find_device_response_device_profile",
+ "zeek.hart_ip_common_commands.find_device_response_device_revision_level",
+ "zeek.hart_ip_common_commands.find_device_response_expanded_device_type",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_failure",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_capable_field_device",
+ "zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_in_multi_drop_only",
+ "zeek.hart_ip_common_commands.find_device_response_flags_eeprom_control",
+ "zeek.hart_ip_common_commands.find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation",
+ "zeek.hart_ip_common_commands.find_device_response_flags_mutli_sensor_field_device",
+ "zeek.hart_ip_common_commands.find_device_response_flags_protocol_bridge_device",
+ "zeek.hart_ip_common_commands.find_device_response_flags_safehart_capable_field_device",
+ "zeek.hart_ip_common_commands.find_device_response_flags_undefined_5",
+ "zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level",
+ "zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code",
+ "zeek.hart_ip_common_commands.find_device_response_hart_protocol_major_revision",
+ "zeek.hart_ip_common_commands.find_device_response_last_device_variable_this",
+ "zeek.hart_ip_common_commands.find_device_response_manufacturer_identification_code",
+ "zeek.hart_ip_common_commands.find_device_response_minimum_preambles_master_slave",
+ "zeek.hart_ip_common_commands.find_device_response_number_preambles_slave_master",
+ "zeek.hart_ip_common_commands.find_device_response_private_label_distributor_code",
+ "zeek.hart_ip_common_commands.find_device_response_software_revision_level",
+ "zeek.hart_ip_common_commands.lock_device_lock_code",
+ "zeek.hart_ip_common_commands.poll_sub_device_request_channel",
+ "zeek.hart_ip_common_commands.poll_sub_device_request_io_card",
+ "zeek.hart_ip_common_commands.poll_sub_device_request_sub_device_polling_address",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_254",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_configuration_change_counter",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_id",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_profile",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_revision_level",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_expanded_device_type",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_failure",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_capable_field_device",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_in_multi_drop_only",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_eeprom_control",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_mutli_sensor_field_device",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_protocol_bridge_device",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_safehart_capable_field_device",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_undefined_5",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hart_protocol_major_revision",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_last_device_variable_this",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_manufacturer_identification_code",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_minimum_preambles_master_slave",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_number_preambles_slave_master",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_private_label_distributor_code",
+ "zeek.hart_ip_common_commands.poll_sub_device_response_software_revision_level",
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_request_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_level",
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range",
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_request_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_request_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_alarm_selection_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_damping_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_input",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_simulated",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_lower_range_value",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_transfer_function_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code",
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_range_value",
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot0",
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot1",
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot2",
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot3",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot0",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot1",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot2",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot3",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot0",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot1",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot2",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot3",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot0",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot1",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot2",
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot3",
+ "zeek.hart_ip_common_commands.read_device_variable_information_request_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_acquisition_period",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_classification",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_damping_value",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_family",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_limits_minimum_span_units_code",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_lower_transducer_limit",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_minimum_span",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_input",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_simulated",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_undefined_bits_1_6",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_transducer_serial_number",
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_upper_transducer_limit",
+ "zeek.hart_ip_common_commands.read_device_variable_trim_guidelines_device_variable_guidelines",
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_lower_or_single_trim_point",
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_trim_points_units_code",
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_upper_trim_point",
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot0_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot1_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot2_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot3_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_units_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_units_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_units_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable_code",
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_units_code",
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable",
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_channel",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_io_card",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_ack_count",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_back_count",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_oack_count",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_ostx_count",
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_stx_count",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_master_mode",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_channels_per_io_card",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_delayed_responses_supported",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_io_cards",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_sub_devices_per_channel",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_number_of_devices_detected",
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_retry_count",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_configuration_locked",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_device_locked",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_gateway",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_permanent",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_primary",
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_undefined_bits",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_channel",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_id",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_profile",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_revision",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_expanded_device_type",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_io_card",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_long_tag",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_manufacturer_identification_code",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_private_label_distributor_code",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_universal_command_revision_level",
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_sub_device_index",
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_ack_count",
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_back_count",
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_stx_count",
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_sub_device_index",
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_date",
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_descriptor",
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_tag",
+ "zeek.hart_ip_common_commands.reset_device_variable_trim_device_variable_trim_to_reset",
+ "zeek.hart_ip_common_commands.set_device_variable_zero_device_variable_zeroed",
+ "zeek.hart_ip_common_commands.set_real_time_clock_date",
+ "zeek.hart_ip_common_commands.set_real_time_clock_null_bytes",
+ "zeek.hart_ip_common_commands.set_real_time_clock_time_of_day",
+ "zeek.hart_ip_common_commands.set_real_time_clock_time_set_code",
+ "zeek.hart_ip_common_commands.squawk_squawk_control",
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_level",
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_level",
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.trim_loop_current_gain_measured_pv_loop_current_level",
+ "zeek.hart_ip_common_commands.trim_loop_current_zero_measured_pv_loop_current_level",
+ "zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_damping_value",
+ "zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_lower_range_value",
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code",
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_range_value",
+ "zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_number_code",
+ "zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_units_code",
+ "zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_code",
+ "zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_damping_value",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_code",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_limit_status",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_process_data_status",
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_value",
+ "zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_code",
+ "zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_transducer_serial_number",
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_device_variable_to_trim",
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point",
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point_value",
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_points_units_code",
+ "zeek.hart_ip_common_commands.write_device_variable_units_code",
+ "zeek.hart_ip_common_commands.write_device_variable_units_device_variable_code",
+ "zeek.hart_ip_common_commands.write_device_variable_units_device_variable_units_code",
+ "zeek.hart_ip_common_commands.write_device_variable_write_device_variable_command_code",
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable",
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable",
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable",
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable",
+ "zeek.hart_ip_common_commands.write_io_system_master_mode_master_mode",
+ "zeek.hart_ip_common_commands.write_io_system_retry_count_retry_count",
+ "zeek.hart_ip_common_commands.write_number_of_response_preambles_number_of_preambles",
+ "zeek.hart_ip_common_commands.write_primary_variable_damping_value_pv_damping_value",
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_p_v_lower_range_value",
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code",
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_range_value",
+ "zeek.hart_ip_common_commands.write_primary_variable_transducer_serial_number_pv_transducer_serial_number",
+ "zeek.hart_ip_common_commands.write_primary_variable_transfer_function_p_v_transfer_function_code",
+ "zeek.hart_ip_common_commands.write_primary_variable_units_pv_unit_codes",
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_date",
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_descriptor",
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_tag",
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_byte_count",
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_command_number",
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_data_data",
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_contents_response_response_code",
+ "zeek.hart_ip.command_number_link_id",
+ "zeek.hart_ip.direct_pdu_command_link_id",
+ "zeek.hart_ip.direct_pdu_device_status_cold_start",
+ "zeek.hart_ip.direct_pdu_device_status_configuration_changed",
+ "zeek.hart_ip.direct_pdu_device_status_device_malfunction",
+ "zeek.hart_ip.direct_pdu_device_status_loop_current_fixed",
+ "zeek.hart_ip.direct_pdu_device_status_loop_current_saturated",
+ "zeek.hart_ip.direct_pdu_device_status_more_status_available",
+ "zeek.hart_ip.direct_pdu_device_status_non_primary_variable_out_of_limits",
+ "zeek.hart_ip.direct_pdu_device_status_primary_variable_out_of_limits",
+ "zeek.hart_ip.direct_pdu_extended_status_critical_power_failure",
+ "zeek.hart_ip.direct_pdu_extended_status_device_variable_alert",
+ "zeek.hart_ip.direct_pdu_extended_status_failure",
+ "zeek.hart_ip.direct_pdu_extended_status_function_check",
+ "zeek.hart_ip.direct_pdu_extended_status_maintenance_required",
+ "zeek.hart_ip.direct_pdu_extended_status_out_of_specification",
+ "zeek.hart_ip.direct_pdu_extended_status_undefined_bits",
+ "zeek.hart_ip.header_length",
+ "zeek.hart_ip.header_message_id",
+ "zeek.hart_ip.header_message_type_message_type",
+ "zeek.hart_ip.header_message_type_reserved",
+ "zeek.hart_ip.header_sequence_number",
+ "zeek.hart_ip.header_status_code",
+ "zeek.hart_ip.header_version",
+ "zeek.hart_ip.message_packet_bytes",
+ "zeek.hart_ip.read_audit_log_last_security_change",
+ "zeek.hart_ip.read_audit_log_number_of_records",
+ "zeek.hart_ip.read_audit_log_power_up_time",
+ "zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection",
+ "zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed",
+ "zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server",
+ "zeek.hart_ip.read_audit_log_server_status_undefined_bits",
+ "zeek.hart_ip.read_audit_log_session_record_size",
+ "zeek.hart_ip.read_audit_log_start_record",
+ "zeek.hart_ip.session_initiate_inactivity_close_timer",
+ "zeek.hart_ip.session_initiate_master_type",
+ "zeek.hart_ip.session_log_record_link_id",
+ "zeek.hart_ip.token_passing_pdu_address_v4",
+ "zeek.hart_ip.token_passing_pdu_address_v6",
+ "zeek.hart_ip.token_passing_pdu_byte_count",
+ "zeek.hart_ip.token_passing_pdu_check_byte",
+ "zeek.hart_ip.token_passing_pdu_command_number",
+ "zeek.hart_ip.token_passing_pdu_contents_data_data",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_cold_start",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_fixed",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_saturated",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_more_status_available",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits",
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits",
+ "zeek.hart_ip.token_passing_pdu_contents_response_response_code",
+ "zeek.hart_ip.token_passing_pdu_delimiter_address_type",
+ "zeek.hart_ip.token_passing_pdu_delimiter_expansion_bytes",
+ "zeek.hart_ip.token_passing_pdu_delimiter_frame_type",
+ "zeek.hart_ip.token_passing_pdu_delimiter_physical_layer_type",
+ "zeek.hart_ip_session_record.session_log_record_client_i_pv4_address",
+ "zeek.hart_ip_session_record.session_log_record_client_i_pv6_address",
+ "zeek.hart_ip_session_record.session_log_record_client_port",
+ "zeek.hart_ip_session_record.session_log_record_connect_time",
+ "zeek.hart_ip_session_record.session_log_record_disconnect_time",
+ "zeek.hart_ip_session_record.session_log_record_end_configuration_change_count",
+ "zeek.hart_ip_session_record.session_log_record_num_publish_pdu",
+ "zeek.hart_ip_session_record.session_log_record_num_request_pdu",
+ "zeek.hart_ip_session_record.session_log_record_num_response_pdu",
+ "zeek.hart_ip_session_record.session_log_record_server_port",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_aborted_session",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_bad_session_initialization",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_session_timeout",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_undefined_bits",
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured",
+ "zeek.hart_ip_session_record.session_log_record_start_configuration_change_count",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_analog_channel",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quaternary_analog",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quinary_analog",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_secondary_analog",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_tertiary_analog",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_operating_mode",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_0",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_1",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_failure",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_function_check",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_configuration_lock",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_variable_simulation_active",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_electronic_defect",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_volatile_memory_defect",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_watchdog_reset_executed",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_event_notification_overflow",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_reserved",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_status_simulation_active",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_duplicate_master_detected",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_stale_data_notice",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_list_changed",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_mismatch",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_block_transfer_pending",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_capacity_denied",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_radio_failure",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_resereved",
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_device_information_response_250",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_alarm_selection_code",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_analog_channel",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_damping_value",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_lower_range_value",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_transfer_function_code",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_lower_range",
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_range_value",
+ "zeek.hart_ip_universal_commands.read_device_information_response_write_protect_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot0_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot1_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot2_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot3_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot4_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot5_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot6_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot7_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_failure",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_time",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_units_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_class",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_code",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_device_family_specific_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_limit_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_process_data_status",
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_units_code",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_primary_variable_classification",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_quaternary_variable_classification",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_secondary_variable_classification",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_tertiary_variable_classification",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_loop_current",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_units",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable_units",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable_units",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable",
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable_units",
+ "zeek.hart_ip_universal_commands.read_final_assembly_number_response_final_assembly_number",
+ "zeek.hart_ip_universal_commands.read_long_tag_response_long_tag",
+ "zeek.hart_ip_universal_commands.read_loop_configuration_response_loop_current_mode",
+ "zeek.hart_ip_universal_commands.read_loop_configuration_response_polling_address_device",
+ "zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_loop_current",
+ "zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_percent_range",
+ "zeek.hart_ip_universal_commands.read_message_response_message",
+ "zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable",
+ "zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable_units",
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_lower_transducer_limit",
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_minimum_span",
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_limits_units",
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_serial_number",
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_upper_transducer_limit",
+ "zeek.hart_ip_universal_commands.read_tag_response_date_code",
+ "zeek.hart_ip_universal_commands.read_tag_response_descriptor",
+ "zeek.hart_ip_universal_commands.read_tag_response_tag",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_request_long_tag",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_254",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_configuration_change_counter",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_id",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_profile",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_expanded_device_type",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_eeprom_control",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_protocol_bridge_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_safehart_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_undefined_5",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hart_protocol_major_revision",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_last_device_variable_this",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_manufacturer_identification_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_minimum_preambles_master_slave",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_number_preambles_slave_master",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_private_label_distributor_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_software_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_254",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_configuration_change_counter",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_id",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_in_multi_drop_only",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_eeprom_control",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_mutli_sensor_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_protocol_bridge_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_safehart_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_undefined_5",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_last_device_variable_this",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_manufacturer_identification_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_minimum_preambles_master_slave",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_number_preambles_slave_master",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_private_label_distributor_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_software_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_request_tag",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_254",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_configuration_change_counter",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_id",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_profile",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_expanded_device_type",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_failure",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_function_check",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_maintenance_required",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_out_of_specification",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_undefined_bits",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_eeprom_control",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_mutli_sensor_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_protocol_bridge_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_safehart_capable_field_device",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_undefined_5",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hart_protocol_major_revision",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_last_device_variable_this",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_manufacturer_identification_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_minimum_preambles_master_slave",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_number_preambles_slave_master",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_private_label_distributor_code",
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_software_revision_level",
+ "zeek.hart_ip_universal_commands.reset_configuration_changed_flag_configuration_change_counter",
+ "zeek.hart_ip_universal_commands.write_final_assembly_number_final_assembly_number",
+ "zeek.hart_ip_universal_commands.write_long_tag_long_tag",
+ "zeek.hart_ip_universal_commands.write_message_message_string",
+ "zeek.hart_ip_universal_commands.write_polling_address_loop_current_mode",
+ "zeek.hart_ip_universal_commands.write_polling_address_polling_address_device",
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_date_code",
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_record_keeping_descriptor",
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_tag",
+ "zeek.http.client_header_names",
"zeek.http.host",
- "zeek.http.ja4h",
"zeek.http.info_code",
"zeek.http.info_msg",
+ "zeek.http.ja4h",
"zeek.http.method",
"zeek.http.orig_filenames",
"zeek.http.orig_fuids",
@@ -1061,6 +1657,7 @@ class MalcolmSource extends WISESource {
"zeek.http.resp_fuids",
"zeek.http.resp_mime_types",
"zeek.http.response_body_len",
+ "zeek.http.server_header_names",
"zeek.http.status_code",
"zeek.http.status_msg",
"zeek.http.tags",
@@ -1132,6 +1729,8 @@ class MalcolmSource extends WISESource {
"zeek.known_certs.serial",
"zeek.known_certs.subject",
"zeek.known_modbus.device_type",
+ "zeek.known_routers.ttl",
+ "zeek.known_routers.hlim",
"zeek.ldap.argument",
"zeek.ldap.message_id",
"zeek.ldap.object",
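Review bot: The two added entries break the alphabetical order the rest of this list keeps (`zeek.known_certs.*`, `zeek.known_modbus.*`, `zeek.ldap.*`), and an earlier hunk in this same file goes to the trouble of moving `zeek.http.ja4h` into sorted position; `hlim` sorts before `ttl`. Swap the two lines so the block reads `"zeek.known_routers.hlim",` followed by `"zeek.known_routers.ttl",`. The enclosing array and the `MalcolmSource` class both start and end outside this hunk.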
diff --git a/config/opensearch.env.example b/config/opensearch.env.example
index ce43aa7ff..9366a83f7 100644
--- a/config/opensearch.env.example
+++ b/config/opensearch.env.example
@@ -47,14 +47,16 @@ MALCOLM_NETWORK_INDEX_PATTERN=arkime_sessions3-*
# Default time field to use for network traffic logs in Logstash and Dashboards
MALCOLM_NETWORK_INDEX_TIME_FIELD=firstPacket
# Suffix used to create index to which network traffic logs are written
-# (supports Ruby strftime strings in %{}; e.g.,
-# hourly: %{%y%m%dh%H}, twice daily: %{%P%y%m%d}, daily: %{%y%m%d}, weekly: %{%yw%U}, monthly: %{%ym%m})
+# * supports Ruby strftime strings in %{}; e.g.,
+# - hourly: %{%y%m%dh%H}, twice daily: %{%P%y%m%d}, daily: %{%y%m%d}, weekly: %{%yw%U}, monthly: %{%ym%m})
+# * supports expanding dot-delimited field names in {{ }}; e.g.,
+# - {{event.provider}}%{%y%m%d}
MALCOLM_NETWORK_INDEX_SUFFIX=%{%y%m%d}
# Index pattern for other logs written via Logstash (e.g., nginx, beats, fluent-bit, etc.)
MALCOLM_OTHER_INDEX_PATTERN=malcolm_beats_*
# Default time field to use for other logs in Logstash and Dashboards
MALCOLM_OTHER_INDEX_TIME_FIELD=@timestamp
-# Suffix used to create index to which other logs are written (supports Ruby strftime strings in %{})
+# Suffix used to create index to which other logs are written (same rules as MALCOLM_NETWORK_INDEX_TIME_FIELD)
MALCOLM_OTHER_INDEX_SUFFIX=%{%y%m%d}
# Index pattern used specifically by Arkime (will probably match MALCOLM_NETWORK_INDEX_PATTERN, should probably be arkime_sessions3-*)
ARKIME_NETWORK_INDEX_PATTERN=arkime_sessions3-*
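Review bot: The new comment on `MALCOLM_OTHER_INDEX_SUFFIX` points at the wrong variable: it says `(same rules as MALCOLM_NETWORK_INDEX_TIME_FIELD)`, but the strftime and `{{ }}` rules it refers to are the ones documented above on `MALCOLM_NETWORK_INDEX_SUFFIX`; change the line to `# Suffix used to create index to which other logs are written (same rules as MALCOLM_NETWORK_INDEX_SUFFIX)`. The rewritten strftime bullet also keeps a stray closing parenthesis after `monthly: %{%ym%m}` that no longer has a matching opening one. Since the new `{{ }}` form presumably inserts a value taken from the event itself into the index name, a one-line caveat that the referenced field should be one whose values are set by the pipeline rather than copied verbatim from arbitrary log content would help operators avoid unbounded index creation.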
diff --git a/config/process.env.example b/config/process.env.example
index 8a4073475..e1cf2e7e1 100644
--- a/config/process.env.example
+++ b/config/process.env.example
@@ -5,5 +5,7 @@ PGID=1000
TINI_VERBOSITY=1
# profile, for running all Malcolm containers ("malcolm") vs. capture-only containers ("hedgehog")
MALCOLM_PROFILE=malcolm
+# Container runtime engine (e.g., docker, podman)
+MALCOLM_CONTAINER_RUNTIME=docker
# for handling configmap/secrets files/directories
CONFIG_MAP_DIR=configmap;secretmap
\ No newline at end of file
diff --git a/config/zeek.env.example b/config/zeek.env.example
index 512cb9d20..cc87221e6 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -68,6 +68,7 @@ ZEEK_DISABLE_HASH_ALL_FILES=
ZEEK_DISABLE_LOG_PASSWORDS=
ZEEK_DISABLE_SSL_VALIDATE_CERTS=
ZEEK_DISABLE_TRACK_ALL_ASSETS=
+ZEEK_DISABLE_DETECT_ROUTERS=true
ZEEK_DISABLE_SPICY_IPSEC=
ZEEK_DISABLE_SPICY_LDAP=
ZEEK_DISABLE_SPICY_OPENVPN=
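Review bot: `ZEEK_DISABLE_DETECT_ROUTERS=true` is the only entry in this group shipped with a non-empty value, so the example file turns the new router detection off by default, yet nothing says so or explains how to enable it. Because the `ZEEK_DISABLE_*` convention appears to be inverted (a non-empty value disables, an empty value enables), add a comment above the line such as `# router detection is off by default; set to empty to enable (populates the zeek.known_routers.* fields)`. The `zeek.known_routers.*` reference is inferred from the field names this commit adds elsewhere, so confirm the wording against the Zeek script that consumes this variable.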
@@ -84,6 +85,7 @@ ZEEK_DISABLE_ICS_ENIP=
ZEEK_DISABLE_ICS_ETHERCAT=
ZEEK_DISABLE_ICS_GENISYS=true
ZEEK_DISABLE_ICS_GE_SRTP=true
+ZEEK_DISABLE_ICS_HART_IP=
ZEEK_DISABLE_ICS_OPCUA_BINARY=
ZEEK_DISABLE_ICS_MODBUS=
ZEEK_DISABLE_ICS_PROFINET=
diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
index 7d0f03330..e434649ee 100644
--- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
+++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -112,7 +112,7 @@
"version": "Wzc0MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
index 29b0d363f..50001dea6 100644
--- a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
+++ b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
@@ -87,7 +87,7 @@
"version": "Wzc5NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
index 3af2ca737..cab9dbd70 100644
--- a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
+++ b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
@@ -92,7 +92,7 @@
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
index 43777014b..28b70ce36 100644
--- a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
+++ b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
index d29d3f65f..27db8f8a9 100644
--- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
+++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -87,7 +87,7 @@
"version": "WzkzNiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
index 9447a034d..161be0c69 100644
--- a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
+++ b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
@@ -87,7 +87,7 @@
"version": "Wzc5NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
index 85808ed91..ab4e6e4b2 100644
--- a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
+++ b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
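Review bot: The Navigation markdown in the new visState line appears to be a verbatim copy of the same panel in the other dashboard files touched here (the hunks ending at L2490 and L2516), so the HART-IP entry has to be inserted byte-identically in every copy and nothing visible enforces that. A divergence in one file would silently give that dashboard a different link set than the rest. Consider a lightweight check that every `"title":"Navigation"` visState under dashboards/dashboards/*.json decodes to the same markdown, or generating the panel from a single source rather than editing each export by hand. The JSON object that contains this hunk starts and ends outside it.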
diff --git a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
index 3c136cc6e..e977131e7 100644
--- a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
+++ b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
index a63bb8da9..a6fd63905 100644
--- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
+++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
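Review bot: The dropped `"time_zone":"America/Boise"` looks like a local zone that leaked into a shipped saved object at export time, and the new searchSourceJSON line correctly stops pinning date interpretation of the `*` query to one region; the identical removal is made in the hunk ending at L2529 and presumably in the other dashboard files of this commit. Because a re-export from Dashboards can reintroduce the key whenever a user re-saves with a browser time zone applied, a pre-commit or CI grep for `"time_zone"` inside searchSourceJSON would keep it from returning. The enclosing kibanaSavedObjectMeta object begins before this hunk.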
@@ -82,7 +82,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
index d9ecc6eed..2e2f64890 100644
--- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
+++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
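Review bot: The removed `"time_zone":"America/Boise"` was a developer-local setting baked into the exported saved search, which would have pinned every user's date math for this dashboard to that zone instead of their own; dropping it from the shared export is the right fix. The same key can easily have leaked into other dashboards' `searchSourceJSON` through the same export workflow, so a repo-wide grep for `time_zone` before merging would confirm this is the only occurrence. With the key gone the query presumably falls back to the Dashboards default zone handling — worth a quick check on a relative time range after import.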
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
index 6ebc7a69d..d3336dc49 100644
--- a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
+++ b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
@@ -82,7 +82,7 @@
"version": "Wzc1NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
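Review bot: The new `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` link targets a dashboard ID that does not appear anywhere in this chunk; confirm that `dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json` ships in the same commit, otherwise the entry renders but navigates to a missing saved object. Because this Navigation markdown is an inline copy embedded in each dashboard's `visState` rather than one shared visualization referenced by ID, the same edit has to be replicated across every exported dashboard and any copy that is skipped drifts silently; a small check that diffs the Navigation markdown across all files under `dashboards/dashboards/` would catch such drift.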
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index 733fe9339..326d68591 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -127,7 +127,7 @@
"version": "Wzg1NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
index 887516f23..2317d148d 100644
--- a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
+++ b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
@@ -92,7 +92,7 @@
"version": "WzkzNiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
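Review bot: The new navigation markdown links `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)`, but nothing in the visible hunks adds or references a saved object with that id, so the link is dangling unless the dashboard file is part of this commit elsewhere; please confirm `dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json` is included. The same `visState` string is replaced verbatim in the 1ce42250 and 1fff49f6 sections below, and presumably in every other dashboard touched by the commit, which is why a one-link change rewrites dozens of files. A single shared navigation panel, or a script that regenerates these strings from one template, would keep the copies from drifting. Both points apply equally to those later sections.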
diff --git a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
index 2734033df..24ae0643e 100644
--- a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
index 956904098..6750c90bd 100644
--- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
+++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
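Review bot: Removing the hard-coded `\"time_zone\":\"America/Denver\"` from this saved search means the query now follows the viewer's configured time zone, which is the right default for dashboards shipped to other sites. The 1cc01ff0 and 1ce42250 sections above show no matching `searchSourceJSON` change, so if their saved searches still pin a zone they should be normalised in the same commit; I cannot tell from these hunks whether they do. A one-line note in the commit message that saved searches must not pin a time zone would keep future exports from reintroducing it.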
@@ -72,7 +72,7 @@
"version": "Wzc4NCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
index f0f011f09..55b56a2b0 100644
--- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
@@ -112,7 +112,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
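Review bot: The Navigation panel's `visState` is an identical, hand-maintained markdown string duplicated in every dashboard export, and this commit has to apply the same HART-IP link edit copy by copy (the same hunk appears again in 2bec1490-eb94-11e9-a384-0fcf32210194.json and 2cc56240-e460-11ed-a9d5-9f591c284cb4.json in this chunk alone). A copy that is missed, or that drifts by one character, is very hard to spot in a review of escaped JSON this long. If there is not already a script that stamps the navigation visualization into each export from a single source, that would be worth adding so the next link change is one edit rather than dozens. The saved-object entry this string belongs to starts and ends outside the hunk.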
@@ -442,7 +442,8 @@
"zeek.cip.cip_sequence_count",
"zeek.cip.class_id",
"zeek.cip.class_name",
- "zeek.cip.instance_id"
+ "zeek.cip.instance_id",
+ "zeek.cip.packet_correlation_id"
],
"sort": [
[
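Review bot: The new `zeek.cip.packet_correlation_id` column is only meaningful if that field is mapped in the index template and present in the index pattern's field list; a saved search that names an unmapped field shows an empty column instead of failing, so please confirm the corresponding mapping change ships with this commit (the same addition is made in the hunks at -485, -529, -571 and -614 of this file). In the cip_identity, enip and cip_io searches the column comes from the `zeek.cip` namespace rather than each search's own `zeek.cip_identity.*`, `zeek.enip.*` or `zeek.cip_io.*` fields; if the correlation id is deliberately shared across the whole CIP/ENIP family that is fine, otherwise the field name is wrong for those log types. The enclosing saved-search objects start and end outside the hunk.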
@@ -485,7 +486,8 @@
"zeek.cip_identity.product_name",
"zeek.cip_identity.vendor_name",
"zeek.cip_identity.revision",
- "zeek.cip_identity.serial_number"
+ "zeek.cip_identity.serial_number",
+ "zeek.cip.packet_correlation_id"
],
"sort": [
[
@@ -529,6 +531,7 @@
"zeek.enip.options",
"zeek.enip.sender_context",
"zeek.enip.session_handle",
+ "zeek.cip.packet_correlation_id",
"event.id"
],
"sort": [
@@ -571,6 +574,7 @@
"zeek.cip_io.connection_id",
"zeek.cip_io.sequence_number",
"zeek.cip_io.data_length",
+ "zeek.cip.packet_correlation_id",
"event.id"
],
"sort": [
@@ -614,12 +618,13 @@
"zeek.notice.msg",
"source.ip",
"destination.ip",
+ "zeek.cip.packet_correlation_id",
"event.id"
],
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
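Review bot: Dropping the hard-coded `\"time_zone\":\"America/Denver\"` from the `date_histogram` is the right fix: a saved object exported from a developer's browser session carried that person's local zone, which pins the histogram buckets to Mountain time on every instance that imports the dashboard, regardless of the viewer's own setting; the same leak is removed in the `@@ -678` hunk of 2bec1490-eb94-11e9-a384-0fcf32210194.json and, as `America/Boise` inside a `query_string`, in the `@@ -18` hunk of 2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json. Because these files are re-exported from a running instance, the same value can reappear on the next export without anyone noticing it in a diff of this size; a small lint step that rejects any `searchSourceJSON` containing `\"time_zone\"` would keep it out. The saved-search object this hunk edits starts outside the hunk.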
diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index 0539bfab8..3789273ac 100644
--- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -122,7 +122,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -678,7 +678,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
index aa1226c2a..95d2e37df 100644
--- a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
+++ b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
@@ -122,7 +122,7 @@
"version": "Wzg0OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index bd3f8c090..23bd223d4 100644
--- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
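Review bot: Dropping `time_zone` from the saved `query_string` on the new `searchSourceJSON` line is the right fix, since an exported dashboard pinned to `America/Boise` applied the author's local zone to every user's date interpretation for that query. I can't tell from this hunk whether other saved objects in the export still carry the same key, so a repository-wide search for `\"time_zone\"` across `dashboards/dashboards/*.json` before merging would confirm this is the only remaining instance. The other hunk in this file only touches the navigation markdown.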
@@ -107,7 +107,7 @@
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
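Review bot: The `visState` navigation markdown on the added line is a byte-for-byte copy of the string changed in the `2d98bb8e-…` and `32587740-…` hunks below (and the partial `36ed695f-…` hunk), so a new entry such as `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` has to be hand-inserted into every dashboard's escaped JSON string, and a missed file drifts silently. If these saved objects are not already generated from one template, a short note in `dashboards/dashboards/` naming the single source of truth for the Navigation panel would make the next addition safer, and a CI check that every `\"title\":\"Navigation\"` visState string is identical would catch drift. The only visible difference between the old and new string here is the HART-IP link, which matches the other hunks.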
diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
index 8e133fda5..63f13a019 100644
--- a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
+++ b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
@@ -117,7 +117,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
index 1edeeb042..e19515bff 100644
--- a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
@@ -72,7 +72,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
index 2e8d2ac12..1485445a6 100644
--- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
+++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
@@ -97,7 +97,7 @@
"version": "Wzc2OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
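Review bot: The replaced `visState` string is a byte-identical copy of the navigation markdown that also changes in the `37041ee1-79c0-4684-a436-3173b0e89876.json` and `39abfe30-3f99-11e9-a58e-8bdedb0915e8.json` hunks below (and in the partial hunk above), so the new HART-IP link has to be repeated per dashboard file and a missed or stale copy would not fail any check. A small CI step that loads each export under `dashboards/dashboards/`, extracts the `Navigation` visualization's `params.markdown`, and asserts every copy is identical would make that drift visible; the same step could verify that each `#/dashboard/<id>` in the markdown resolves to a dashboard file in that directory. The new `3a9e3440-75e2-11ef-8138-03748f839a49` link does resolve here, since that file is added later in this diff, but nothing currently enforces it.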
diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
index fb4ea4263..0386519c9 100644
--- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
+++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
@@ -127,7 +127,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
index 3a41e64dc..e4d6458b2 100644
--- a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json
new file mode 100644
index 000000000..73d1d4cf9
--- /dev/null
+++ b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json
@@ -0,0 +1,1015 @@
+{
+ "version": "2.17.0",
+ "objects": [
+ {
+ "id": "3a9e3440-75e2-11ef-8138-03748f839a49",
+ "type": "dashboard",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:55:15.632Z",
+ "version": "WzEwNDAsMV0=",
+ "attributes": {
+ "title": "HART-IP",
+ "hits": 0,
+ "description": "",
+ "panelsJSON": "[{\"version\":\"2.17.0\",\"gridData\":{\"h\":36,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":36,\"i\":\"0e7a5dcf-cb39-4c77-9d3a-2bb2258be147\",\"w\":9,\"x\":8,\"y\":0},\"panelIndex\":\"0e7a5dcf-cb39-4c77-9d3a-2bb2258be147\",\"embeddableConfig\":{\"hidePanelTitles\":false},\"panelRefName\":\"panel_1\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":17,\"i\":\"e46db4cd-4d1f-4c20-b75b-d7f1c7bcef8f\",\"w\":31,\"x\":17,\"y\":0},\"panelIndex\":\"e46db4cd-4d1f-4c20-b75b-d7f1c7bcef8f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"vis\":{\"legendOpen\":true}},\"panelRefName\":\"panel_2\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"54920a2a-b8fa-46cf-a521-fa42214f9f9d\",\"w\":9,\"x\":17,\"y\":17},\"panelIndex\":\"54920a2a-b8fa-46cf-a521-fa42214f9f9d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"1cd3039b-0e24-4f4c-b741-1652c824b04f\",\"w\":9,\"x\":26,\"y\":17},\"panelIndex\":\"1cd3039b-0e24-4f4c-b741-1652c824b04f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"7e30fe8f-6b9e-43c4-ac62-379aa080eaff\",\"w\":13,\"x\":35,\"y\":17},\"panelIndex\":\"7e30fe8f-6b9e-43c4-ac62-379aa080eaff\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"columnsWidth\":[{\"colIndex\":0,\"width\":291.66666666666663},{\"colIndex\":1,\"width\":127.66666666666669}],\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_5\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"6c765c48-e225-4db0-9754-f357064a1a52\",\"w\":19,\"x\":0,\"y\":36},\"panelIndex\":\"6c765c48-e225-4db0-9754-f357064a1a52\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"06dbbc88-188c-4fc8-9107-598bc9a809b0\",\"w\":16,\"x\":19,\"y\":36},\"panelIndex\":\"06d
bbc88-188c-4fc8-9107-598bc9a809b0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":19,\"i\":\"3405cb8d-aadb-44b0-922a-eb6bd7d6ce33\",\"w\":13,\"x\":35,\"y\":36},\"panelIndex\":\"3405cb8d-aadb-44b0-922a-eb6bd7d6ce33\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"fdf3dd21-8f1f-4797-add9-f6f52943aacb\",\"w\":10,\"x\":0,\"y\":55},\"panelIndex\":\"fdf3dd21-8f1f-4797-add9-f6f52943aacb\",\"embeddableConfig\":{},\"title\":\"Header Version\",\"panelRefName\":\"panel_9\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"ebf47fd1-ae40-437e-a328-6a9d2456acde\",\"w\":10,\"x\":10,\"y\":55},\"panelIndex\":\"ebf47fd1-ae40-437e-a328-6a9d2456acde\",\"embeddableConfig\":{},\"title\":\"Protocol Major Revision\",\"panelRefName\":\"panel_10\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"3e5373c8-a4f8-4574-959c-ee70cc3dacc6\",\"w\":9,\"x\":20,\"y\":55},\"panelIndex\":\"3e5373c8-a4f8-4574-959c-ee70cc3dacc6\",\"embeddableConfig\":{},\"title\":\"Insecure Session\",\"panelRefName\":\"panel_11\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"9d4233ae-6985-49b0-a62d-473f7ddd746d\",\"w\":10,\"x\":29,\"y\":55},\"panelIndex\":\"9d4233ae-6985-49b0-a62d-473f7ddd746d\",\"embeddableConfig\":{},\"title\":\"Audit Log Insecure Syslog Connection\",\"panelRefName\":\"panel_12\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"6808e54b-9ea2-4a17-9c2a-72522fd140de\",\"w\":9,\"x\":39,\"y\":55},\"panelIndex\":\"6808e54b-9ea2-4a17-9c2a-72522fd140de\",\"embeddableConfig\":{},\"title\":\"Session Summary: Writes Occurred\",\"panelRefName\":\"panel_13\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"db4cc196-7993-4b65-be3e-859703e54b02\",\"w\":10,\"x\":0,\"y\":66},\"panelIndex\":\"db4cc196-7993-4b65-be3e-859703e54b02\",\"embeddableConfig\":{},\"title\":\"Device Malfunction (Token Passing 
PDU)\",\"panelRefName\":\"panel_14\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"6d78dfc8-e4c6-451a-b195-e57dcf7b731a\",\"w\":10,\"x\":10,\"y\":66},\"panelIndex\":\"6d78dfc8-e4c6-451a-b195-e57dcf7b731a\",\"embeddableConfig\":{},\"title\":\"Device Malfunction (Direct PDU)\",\"panelRefName\":\"panel_15\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"d4a91acf-8768-45f4-9d80-6bf38f5cd892\",\"w\":9,\"x\":20,\"y\":66},\"panelIndex\":\"d4a91acf-8768-45f4-9d80-6bf38f5cd892\",\"embeddableConfig\":{},\"title\":\"Configuration Changed (Token Passing PDU)\",\"panelRefName\":\"panel_16\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"6bd938f1-350c-4688-8bb6-8afd0e09568c\",\"w\":10,\"x\":29,\"y\":66},\"panelIndex\":\"6bd938f1-350c-4688-8bb6-8afd0e09568c\",\"embeddableConfig\":{},\"title\":\"Configuration Changed (Direct PDU)\",\"panelRefName\":\"panel_17\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"c152e068-0565-4c44-900c-b5b8b7d44b9a\",\"w\":9,\"x\":39,\"y\":66},\"panelIndex\":\"c152e068-0565-4c44-900c-b5b8b7d44b9a\",\"embeddableConfig\":{},\"title\":\"Maintenance Required\",\"panelRefName\":\"panel_18\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"17cc7733-85d2-4b1f-8f8b-1063c4e5f7d9\",\"w\":10,\"x\":10,\"y\":77},\"panelIndex\":\"17cc7733-85d2-4b1f-8f8b-1063c4e5f7d9\",\"embeddableConfig\":{},\"title\":\"Function Check\",\"panelRefName\":\"panel_19\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"e5fd90ac-860b-4a72-b7cf-470510885592\",\"w\":9,\"x\":20,\"y\":77},\"panelIndex\":\"e5fd90ac-860b-4a72-b7cf-470510885592\",\"embeddableConfig\":{},\"title\":\"Failure\",\"panelRefName\":\"panel_20\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"f63cdf55-9110-453f-8b87-d5d76f5f8873\",\"w\":10,\"x\":29,\"y\":77},\"panelIndex\":\"f63cdf55-9110-453f-8b87-d5d76f5f8873\",\"embeddableConfig\":{},\"title\":\"Device Variable 
Alert\",\"panelRefName\":\"panel_21\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"41cc63c7-6141-4361-91d4-bdabef94b16c\",\"w\":9,\"x\":39,\"y\":77},\"panelIndex\":\"41cc63c7-6141-4361-91d4-bdabef94b16c\",\"embeddableConfig\":{},\"title\":\"Critical Power Failure\",\"panelRefName\":\"panel_22\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":11,\"i\":\"141250b1-7ee8-4a0a-b5a4-1e237fa859cf\",\"w\":10,\"x\":0,\"y\":77},\"panelIndex\":\"141250b1-7ee8-4a0a-b5a4-1e237fa859cf\",\"embeddableConfig\":{},\"title\":\"Out of Specification\",\"panelRefName\":\"panel_23\"},{\"version\":\"2.17.0\",\"gridData\":{\"h\":26,\"i\":\"c0ffab03-20de-4ec6-a71a-0c234a86186b\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"c0ffab03-20de-4ec6-a71a-0c234a86186b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_24\"}]",
+ "optionsJSON": "{\"useMargins\":true}",
+ "version": 1,
+ "timeRestore": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ }
+ },
+ "references": [
+ {
+ "name": "panel_0",
+ "type": "visualization",
+ "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
+ },
+ {
+ "name": "panel_1",
+ "type": "visualization",
+ "id": "d7935370-75e2-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_2",
+ "type": "visualization",
+ "id": "3e018e10-75e3-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_3",
+ "type": "visualization",
+ "id": "c6b3e160-75e6-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_4",
+ "type": "visualization",
+ "id": "ebc77520-75e6-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_5",
+ "type": "visualization",
+ "id": "5e5bb110-75e6-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_6",
+ "type": "visualization",
+ "id": "61af3920-75f7-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_7",
+ "type": "visualization",
+ "id": "ed339500-75f6-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_8",
+ "type": "visualization",
+ "id": "4ef1d190-75f6-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_9",
+ "type": "visualization",
+ "id": "411b2d50-75e7-11ef-8138-03748f839a49"
+ },
+ {
+ "name": "panel_10",
+ "type": "visualization",
+ "id": "e1995c20-75fb-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_11",
+ "type": "visualization",
+ "id": "e9064990-75f7-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_12",
+ "type": "visualization",
+ "id": "1921d230-75fc-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_13",
+ "type": "visualization",
+ "id": "a373f700-75f8-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_14",
+ "type": "visualization",
+ "id": "e8ab02d0-75fa-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_15",
+ "type": "visualization",
+ "id": "772f9470-75fc-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_16",
+ "type": "visualization",
+ "id": "a2bd2d50-75fc-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_17",
+ "type": "visualization",
+ "id": "05823610-75fd-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_18",
+ "type": "visualization",
+ "id": "0b942a90-75fd-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_19",
+ "type": "visualization",
+ "id": "40cca0b0-75fe-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_20",
+ "type": "visualization",
+ "id": "1ae54230-75fe-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_21",
+ "type": "visualization",
+ "id": "f48642b0-75fd-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_22",
+ "type": "visualization",
+ "id": "b9b6df00-75fd-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_23",
+ "type": "visualization",
+ "id": "6736ead0-75fe-11ef-8f9c-27c6487e743a"
+ },
+ {
+ "name": "panel_24",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "dashboard": "7.9.3"
+ }
+ },
+ {
+ "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:51:28.231Z",
+ "version": "WzkxNywxXQ==",
+ "attributes": {
+ "title": "Navigation",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "references": [],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "d7935370-75e2-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMwOCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Logs Count",
+ "visState": "{\"title\":\"HART-IP - Logs Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Logs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"conn|known_services\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}}}}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "3e018e10-75e3-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMwOSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Logs Over Time",
+ "visState": "{\"title\":\"HART-IP - Logs Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Log Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"timeRange\":{\"from\":\"now-16y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"conn|known_services\",\"customLabel\":\"Dataset\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Log Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Log Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "c6b3e160-75e6-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxMCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Source IP",
+ "visState": "{\"title\":\"HART-IP - Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "ebc77520-75e6-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxMSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Destination IP",
+ "visState": "{\"title\":\"HART-IP - Destination IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "5e5bb110-75e6-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxMiwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Actions and Results",
+ "visState": "{\"title\":\"HART-IP - Actions and Results\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "2485c560-75e2-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "61af3920-75f7-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxMywxXQ==",
+ "attributes": {
+ "title": "HART-IP - Universal Commands Device Profile and Type",
+ "visState": "{\"title\":\"HART-IP - Universal Commands Device Profile and Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Device Profile\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Device Type\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "c4893b60-75f5-11ef-8f9c-27c6487e743a"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "ed339500-75f6-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxNCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Universal Commands Message and Response",
+ "visState": "{\"title\":\"HART-IP - Universal Commands Message and Response\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_universal_commands.write_message_message_string\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Universal Commands Message\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_universal_commands.read_message_response_message\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Universal Commands Message Response\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "c4893b60-75f5-11ef-8f9c-27c6487e743a"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "4ef1d190-75f6-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxNSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - PDU Command",
+ "visState": "{\"title\":\"HART-IP - PDU Command\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.token_passing_pdu_command_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"PDU Command\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "411b2d50-75e7-11ef-8138-03748f839a49",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxNiwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Header Version",
+ "visState": "{\"title\":\"HART-IP - Header Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.header_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Header Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "e1995c20-75fb-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxNywxXQ==",
+ "attributes": {
+ "title": "HART-IP - Protocol Major Revision",
+ "visState": "{\"title\":\"HART-IP - Protocol Major Revision\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"HART Protocol Major Revision\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "c4893b60-75f5-11ef-8f9c-27c6487e743a"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "e9064990-75f7-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxOCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Insecure Session",
+ "visState": "{\"title\":\"HART-IP - Insecure Session\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Insecure Session\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "dffb2430-75f5-11ef-8f9c-27c6487e743a"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "1921d230-75fc-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMxOSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Audit Log Insecure Syslog Connection",
+ "visState": "{\"title\":\"HART-IP - Audit Log Insecure Syslog Connection\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Insecure Syslog Connection\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "a373f700-75f8-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyMCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Session Summary: Writes Occurred",
+ "visState": "{\"title\":\"HART-IP - Session Summary: Writes Occurred\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Writes Occurred\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "dffb2430-75f5-11ef-8f9c-27c6487e743a"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "e8ab02d0-75fa-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyMSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Device Malfunction (Token Passing PDU)",
+ "visState": "{\"title\":\"HART-IP - Device Malfunction (Token Passing PDU)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Malfunction\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "772f9470-75fc-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyMiwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Device Malfunction (Direct PDU)",
+ "visState": "{\"title\":\"HART-IP - Device Malfunction (Direct PDU)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_device_status_device_malfunction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Malfunction\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "a2bd2d50-75fc-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyMywxXQ==",
+ "attributes": {
+ "title": "HART-IP - Device Status Configuration Changed (Token Passing PDU)",
+ "visState": "{\"title\":\"HART-IP - Device Status Configuration Changed (Token Passing PDU)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Status Changed\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "05823610-75fd-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyNCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Configuration Changed (Direct PDU)",
+ "visState": "{\"title\":\"HART-IP - Configuration Changed (Direct PDU)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_device_status_configuration_changed\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Configuration Changed\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "0b942a90-75fd-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyNSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Maintenance Required",
+ "visState": "{\"title\":\"HART-IP - Maintenance Required\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_maintenance_required\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Maintenance Required\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "40cca0b0-75fe-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyNiwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Function Check",
+ "visState": "{\"title\":\"HART-IP - Function Check\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_function_check\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Check\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "1ae54230-75fe-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyNywxXQ==",
+ "attributes": {
+ "title": "HART-IP - Failure",
+ "visState": "{\"title\":\"HART-IP - Failure\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_failure\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Failure\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "f48642b0-75fd-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyOCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Device Variable Alert",
+ "visState": "{\"title\":\"HART-IP - Device Variable Alert\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_device_variable_alert\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Device Variable Alert\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "b9b6df00-75fd-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMyOSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Critical Power Failure",
+ "visState": "{\"title\":\"HART-IP - Critical Power Failure\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_critical_power_failure\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Critical Power Failure\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "6736ead0-75fe-11ef-8f9c-27c6487e743a",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMzMCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Out of Specification",
+ "visState": "{\"title\":\"HART-IP - Out of Specification\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.hart_ip.direct_pdu_extended_status_out_of_specification\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Out of Specification\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "87833150-75e4-11ef-8138-03748f839a49"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "2485c560-75e2-11ef-8138-03748f839a49",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMzMSwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Logs",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "event.dataset",
+ "source.ip",
+ "destination.ip",
+ "destination.port",
+ "event.action",
+ "event.result",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:hart_ip\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ },
+ {
+ "id": "c4893b60-75f5-11ef-8f9c-27c6487e743a",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMzMiwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Universal Commands Logs",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "source.ip",
+ "destination.ip",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:hart_ip_universal_commands\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ },
+ {
+ "id": "87833150-75e4-11ef-8138-03748f839a49",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMzMywxXQ==",
+ "attributes": {
+ "title": "HART-IP - General Logs",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "zeek.hart_ip.header_version",
+ "source.ip",
+ "destination.ip",
+ "destination.port",
+ "event.action",
+ "event.result",
+ "zeek.hart_ip.header_sequence_number",
+ "zeek.hart_ip.token_passing_pdu_command_number",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:hart_ip\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ },
+ {
+ "id": "dffb2430-75f5-11ef-8f9c-27c6487e743a",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-09-18T20:50:36.430Z",
+ "version": "WzMzNCwxXQ==",
+ "attributes": {
+ "title": "HART-IP - Session Record Logs",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "source.ip",
+ "destination.ip",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:hart_ip_session_record\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
index d5e556c46..72326fc58 100644
--- a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
+++ b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
@@ -102,7 +102,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
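Review bot: Each dashboard carries its own verbatim copy of the Navigation markdown string, so the `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` link added here has to be repeated as the same escaped-string edit in every dashboard JSON (the identical blob is visible again as the old side of the 432af556 dashboard below), and any file that is missed silently ships a stale menu with no error. The target id cannot be cross-checked from this view; it shares the `-75e2-11ef-8138-03748f839a49` suffix of the HART-IP saved searches added in the same commit, so it is presumably the new dashboard's id, but confirm it resolves before merging. A more maintainable layout would keep the navigation markdown in one source file and stamp it into each dashboard at import time through a placeholder token, the way `MALCOLM_NETWORK_INDEX_PATTERN_REPLACER` is already substituted in the HART-IP saved searches, so a link is added in exactly one place. Until then, a grep for the neighbouring entry `[GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033)` across `dashboards/dashboards/` would catch any dashboard whose menu was not updated alongside this one.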
diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
index 2849f2a74..a48786060 100644
--- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
+++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
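Review bot: The Navigation panel's visState is a verbatim copy repeated in every dashboard file (the same string is edited again in the 4a073440 and 4a4bde20 sections that follow), so adding the HART-IP link means hand-patching each copy and a missed file would silently keep a stale menu with no import-time error. Since the files already rely on a placeholder that is substituted at import time (`MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER`), the Navigation markdown looks like a candidate for the same treatment, or at least for a repository check that all `"title": "Navigation"` visState values under dashboards/dashboards are byte-identical. Dropping the hard-coded `time_zone` from the saved searchSourceJSON in the earlier hunk of this file is consistent with that direction; a one-line comment in whatever script maintains these files noting that time zone is intentionally left to the Dashboards setting would keep it from being re-added by the next export.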
diff --git a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
index 4eefc09f3..38480910d 100644
--- a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
+++ b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
@@ -82,7 +82,7 @@
"version": "Wzg4MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
index 068a29e4d..a0a2eae4a 100644
--- a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
+++ b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
@@ -97,7 +97,7 @@
"version": "Wzg4OCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -447,7 +447,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
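Review bot: Nothing in this change prevents the same hard-coded developer time zone from being re-exported the next time a dashboard is saved from the UI; the removed values (`America/Denver` here, `America/Boise` in the hunks ending at L4001 and L4027) are exactly the kind of local-environment detail that leaks into saved-object exports. A small CI check that fails on `"time_zone":` inside `dashboards/dashboards/*.json` would keep these exports environment-neutral going forward. It would also be worth recording, in the dashboards README or the export script, that histogram and query_string time handling is now left to the Dashboards instance settings rather than pinned in the saved object — presumably intended, but the commit does not say so. The surrounding saved-object definition starts and ends outside this hunk.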
diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
index 26b2de8c6..ac154935b 100644
--- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
+++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
@@ -87,7 +87,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
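Review bot: The `Navigation` markdown panel is duplicated verbatim in every dashboard file, so adding the HART-IP link required the same multi-kilobyte string edit here and in the hunks ending at L4014 and L4040 (and, from the visible tail of the next file, more beyond this view). If the dashboards are hand-edited exports rather than generated, consider keeping the navigation markdown in one source file and stamping it into each dashboard JSON at build or import time, so a new protocol link is a one-line change and the per-file copies cannot drift apart. If a generation script already exists, a short note in the dashboards README saying that these files must not be edited by hand would prevent future one-off divergence.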
diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
index 5ad4e6482..d5fd80bc8 100644
--- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
+++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
index 9a2fcb403..5f4c65802 100644
--- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
+++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
index 422c60b6d..acdbf661c 100644
--- a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -47,7 +47,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
index 16b9f96cc..b5565607e 100644
--- a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
+++ b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
@@ -97,7 +97,7 @@
"version": "Wzg2MSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
index 455db6434..3198f0e9e 100644
--- a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
+++ b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
index 77b16d754..95f464233 100644
--- a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
+++ b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
@@ -77,7 +77,7 @@
"version": "Wzc4NCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
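Review bot: The Navigation `visState` on the `+` line is the same escaped markdown string repeated verbatim in every dashboard export touched by this diff (also 677ee170-809e-11ed-8d5b-07069f823b6f.json and 76f2f912-80da-44cd-ab66-6a73c8344cc3.json), so adding the one new `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` entry means hand-editing each file, and any export that is missed silently keeps a stale menu. If a script already propagates this block across the exports, naming it in the commit message would let a reviewer confirm every file was regenerated instead of diffing the long strings by eye; otherwise a single shared Navigation saved object, or a template expanded at import time, would remove the duplication. The saved object these hunks edit continues outside the hunk, so only the `attributes` portion is visible here.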
diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
index 15f90535c..f271925b6 100644
--- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
+++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
@@ -122,7 +122,7 @@
"version": "Wzg4NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -650,7 +650,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"tags:netbox OR ((source.segment:* OR destination.segment:*) AND (NOT (network.direction:external)))\",\"language\":\"kuery\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"tags:netbox OR ((source.segment:* OR destination.segment:*) AND (NOT (network.direction:external)))\",\"language\":\"kuery\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
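Review bot: Dropping the hard-coded `"time_zone":"America/Denver"` from the `date_histogram` is the right call, since it looks like an artifact of the workstation that exported the saved search rather than intended behaviour, but the commit does not say whether the other dashboard exports were checked for the same key. Bucket boundaries for the remaining `"fixed_interval":"30d"` will now follow the server or browser default zone instead of Mountain time, which is worth one line in the commit message so anyone comparing old and new histograms understands the shift. A quick `grep -l time_zone dashboards/dashboards/*.json` before merging would confirm that no sibling export still pins a developer-local zone. The enclosing saved object starts and ends outside this hunk.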
diff --git a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
index 2592d94b1..b58dd7b02 100644
--- a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
+++ b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
@@ -82,7 +82,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
index 7bfb8ade2..43509ff54 100644
--- a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
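Review bot: The navigation markdown inside `visState` is a verbatim copy in every dashboard file, so the HART-IP entry added here has to be repeated by hand per file (the same edit appears again in `7f41913f-cba8-43f5-82a8-241b7ead03e0.json` and `7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json` below), and a dashboard that is missed keeps a stale menu with no error from any tool. Consider generating the shared block from one source when the saved objects are exported, or at least adding a check that every visualization titled `Navigation` carries byte-identical markdown. These files look like exported saved objects, so if tooling produces them this applies to the tooling rather than to the JSON itself.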
diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
index e542808e3..462e488b4 100644
--- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
+++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
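Review bot: The value dropped here, `\"time_zone\":\"America/Boise\"`, is a workstation-local setting that an export carried into a committed saved object, and nothing in this commit shows the other dashboards' `searchSourceJSON` being checked for the same leftover; it is worth grepping the remaining exports before merging. A pre-commit check that rejects `time_zone` inside `searchSourceJSON` would keep it from being re-introduced by the next export. Left in place, date math in the query string would presumably resolve against that fixed zone rather than the viewer's own.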
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
index 306c8dd5b..595d4f9cd 100644
--- a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
+++ b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
@@ -117,7 +117,7 @@
"version": "Wzg1OCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
index c816eef78..c26c0d9f5 100644
--- a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
+++ b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
index 9d0c64324..94994fe52 100644
--- a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
+++ b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
index 6ef6a89f5..c339ed35c 100644
--- a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
+++ b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
index 53340ccce..d339fb53a 100644
--- a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
+++ b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
@@ -62,7 +62,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
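Review bot: The Navigation panel's `visState` markdown is duplicated byte-for-byte in every dashboard export, so adding the `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` link means the same multi-kilobyte string is hand-edited in each file, and any dashboard whose copy is missed silently keeps the stale menu. The identical hunk appears again in 89d1cc50-974c-11ed-bb6b-3fb06c879b11.json and 92985909-dc29-4533-9e80-d3182a0ecf1d.json in this diff. If the project has a script that stamps the navigation panel into the exports, regenerating these files from it rather than editing by hand would keep the copies identical; failing that, a CI check that every `\"title\":\"Navigation\"` visState under dashboards/dashboards/ is identical would catch drift. The saved-object `version` field (`Wzg3MiwxXQ==`) is left as context while the attributes change, which is presumably fine for import but worth knowing when diffing exports.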
diff --git a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
index 096604fc0..cd9be901f 100644
--- a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
+++ b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
@@ -102,7 +102,7 @@
"version": "WzgzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
index 1cc282a3d..374bb560d 100644
--- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
+++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
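Review bot: Dropping `\"time_zone\":\"America/Boise\"` from the `query_string` removes a hard-coded developer-local zone from a shipped dashboard, so date math in the query now falls back to the default (UTC) instead of Boise time; that is the right direction, but it is easy to reintroduce, since the value most likely arrived via an export that captured the session's zone. Only this file's `searchSourceJSON` is touched in the visible hunks, so a final grep of the exports for `time_zone` before merging would confirm no other dashboard still carries one. A short note in the project's dashboards documentation, such as `Exported dashboards must not carry a time_zone in searchSourceJSON; strip it before committing`, would record the convention for future exports.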
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
index 5079ea241..8ede6bef5 100644
--- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
+++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
@@ -102,7 +102,7 @@
"version": "Wzg1NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
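Review bot: The identical Navigation `visState` string is re-edited by hand in every dashboard file touched by this commit (this hunk, and the same change in the hunks for 9ee51f94-3316-4fc5-bd89-93a52af69714.json and a16110b0-3f99-11e9-a58e-8bdedb0915e8.json, plus the partial hunks at either edge of this chunk), so each new link must be copied N times and one missed file leaves the dashboards inconsistent. Consider rendering the navigation markdown from a single source when the dashboards are built, or adding a CI check that the `visState` of every `Navigation` panel under `dashboards/dashboards/*.json` is identical so a skipped file fails the build. The new entry links to dashboard `3a9e3440-75e2-11ef-8138-03748f839a49`; that dashboard's file is not visible in this chunk, so it is worth confirming it is added in the same commit, otherwise the HART-IP link dead-ends in the UI. The enclosing `attributes` object begins and ends outside the hunk.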
diff --git a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
index 71705e9bf..78474a3b9 100644
--- a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
+++ b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
@@ -122,7 +122,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
index 652ac77fb..8d25b5a6b 100644
--- a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
index 8a02e91fc..3495f67eb 100644
--- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
+++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
@@ -82,7 +82,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
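Review bot: The Navigation `visState` on the `+` line is a verbatim copy of the same markdown that this commit also edits by hand in a7514350-eba6-11e9-a384-0fcf32210194.json (@@ -87) and abdd7550-2c7c-40dc-947e-f6d186a158c4.json (@@ -167), so every new dashboard link must be re-applied to each copy and a missed copy silently leaves that dashboard without the HART-IP entry. Unless a script already stamps this panel into every dashboard, a CI check that extracts `params.markdown` from each `"title": "Navigation"` visualization and fails on any divergence (or generating the panel from a single source file) would stop the copies drifting. The new link target `#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49` is presumably a saved object added elsewhere in this commit; a mistyped or missing id only fails at click time, so it is worth confirming the matching `dashboards/dashboards/<id>.json` exists before merge.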
diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
index a94ee12b5..2a94b378b 100644
--- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -87,7 +87,7 @@
"version": "Wzg2MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -349,7 +349,7 @@
],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(profinet OR profinet_dce_rpc OR profinet_io_cm)\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:(profinet OR profinet_dce_rpc OR profinet_io_cm)\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -393,7 +393,7 @@
],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:profinet_io_cm\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:profinet_io_cm\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
index a519fe443..8db78e921 100644
--- a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
+++ b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
@@ -167,7 +167,7 @@
"version": "Wzc4NiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
index 4ec2c3e90..91aca6cf2 100644
--- a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
+++ b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
@@ -87,7 +87,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
index d1cfd86fd..0eeab6b94 100644
--- a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
+++ b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
index aaad8e13f..6ba462415 100644
--- a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
+++ b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
index 17d9d0a6f..198595474 100644
--- a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
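Review bot: The Navigation visState is the same multi-kilobyte markdown string copied into every dashboard export, so adding the one HART-IP entry has to be repeated byte-for-byte here and in bb827f8e-639e-468c-93c8-9f5bc132eb8f.json (and presumably every other dashboard in this commit); a file that is missed keeps a stale menu and nothing flags it. The navigation would be far easier to maintain as a single source — one shared navigation visualization referenced by id, or a template rendered into the exports at build time — so a menu change is one hunk instead of dozens. Until then, a CI check that all `"title": "Navigation"` visState strings under dashboards/dashboards are identical would catch drift between files. The new entry also links to dashboard id `3a9e3440-75e2-11ef-8138-03748f839a49`, which presumably is shipped elsewhere in this commit; if that export is absent the link is dead.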
diff --git a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
index cf21a558e..1d94d12a9 100644
--- a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
+++ b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/beats/3768ef70-d819-11ee-820d-dd9fd73a3921.json b/dashboards/dashboards/beats/3768ef70-d819-11ee-820d-dd9fd73a3921.json
index 5de33dce4..09b92d2c2 100644
--- a/dashboards/dashboards/beats/3768ef70-d819-11ee-820d-dd9fd73a3921.json
+++ b/dashboards/dashboards/beats/3768ef70-d819-11ee-820d-dd9fd73a3921.json
@@ -123,7 +123,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.module:kmsg\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30m\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.module:kmsg\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30m\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
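Review bot: Dropping `\"time_zone\":\"America/Denver\"` from the date_histogram inside searchSourceJSON is the right fix, but nothing stops the next UI export from re-introducing the exporting developer's local zone; the identical residue is removed in 4ca94c70-d7da-11ee-9ed3-e7afff29e59a.json (five hunks), 53bff390-5027-11ef-b744-23222ad0b42a.json, 79202ee0-d811-11ee-820d-dd9fd73a3921.json and f6600310-9943-11ee-a029-e973f4774355.json in this chunk, which shows how widely it had spread. A lint step over dashboards/dashboards that fails on a `"time_zone":` key inside any searchSourceJSON or visState string would keep it out of future exports. With the key gone the histogram presumably buckets in whatever zone the Dashboards instance is configured for; if a fixed zone is actually intended, the instance-wide advanced setting (dateFormat:tz) is the place to set it rather than per-object exports.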
diff --git a/dashboards/dashboards/beats/4ca94c70-d7da-11ee-9ed3-e7afff29e59a.json b/dashboards/dashboards/beats/4ca94c70-d7da-11ee-9ed3-e7afff29e59a.json
index 2e63054dc..5b55478c9 100644
--- a/dashboards/dashboards/beats/4ca94c70-d7da-11ee-9ed3-e7afff29e59a.json
+++ b/dashboards/dashboards/beats/4ca94c70-d7da-11ee-9ed3-e7afff29e59a.json
@@ -223,7 +223,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:capture_loss\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30s\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:capture_loss\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30s\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -334,7 +334,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:stats\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30s\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:stats\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30s\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -375,7 +375,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:suricata AND event.kind:metric\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30m\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:suricata AND event.kind:metric\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30m\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -444,7 +444,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:analyzer\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"firstPacket\",\"fixed_interval\":\"30s\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:analyzer\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"firstPacket\",\"fixed_interval\":\"30s\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -509,7 +509,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:reporter\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek and event.dataset:reporter\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/beats/53bff390-5027-11ef-b744-23222ad0b42a.json b/dashboards/dashboards/beats/53bff390-5027-11ef-b744-23222ad0b42a.json
index 112a3254d..00b2005c7 100644
--- a/dashboards/dashboards/beats/53bff390-5027-11ef-b744-23222ad0b42a.json
+++ b/dashboards/dashboards/beats/53bff390-5027-11ef-b744-23222ad0b42a.json
@@ -113,7 +113,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.module:winstat\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30s\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.module:winstat\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30s\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/beats/79202ee0-d811-11ee-820d-dd9fd73a3921.json b/dashboards/dashboards/beats/79202ee0-d811-11ee-820d-dd9fd73a3921.json
index 41d05342d..aadb80b83 100644
--- a/dashboards/dashboards/beats/79202ee0-d811-11ee-820d-dd9fd73a3921.json
+++ b/dashboards/dashboards/beats/79202ee0-d811-11ee-820d-dd9fd73a3921.json
@@ -267,7 +267,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.module:(winlog OR winevtlog) AND process.command_line:*\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.module:(winlog OR winevtlog) AND process.command_line:*\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
@@ -304,7 +304,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.module:(winlog OR winevtlog)\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30s\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.module:(winlog OR winevtlog)\",\"language\":\"lucene\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_OTHER_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30s\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json b/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json
index 9947bb6c2..2ebe7fffc 100644
--- a/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json
+++ b/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json
@@ -233,7 +233,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"miscbeat.systemd:*\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"calendar_interval\":\"1w\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"miscbeat.systemd:*\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"calendar_interval\":\"1w\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
index 9927cca5e..e5c206731 100644
--- a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
@@ -72,7 +72,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
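Review bot: The HART-IP entry on the `+` line is the only semantic change, yet it lands as a full rewrite of the multi-kilobyte Navigation markdown string, and the identical string is re-copied into every dashboard file this commit touches (bf5efbb0, c2549e10 and ca5799a0 below carry the same hunk). Each copy is a place where the link list can silently drift: a link added in one export and missed in another would not be caught at import time. If these Navigation objects share one saved-object ID, importing the files in sequence just overwrites the same object and the duplication is repository noise; if they are distinct objects, a single shared Navigation visualization referenced from each dashboard's `panelsJSON` would collapse this change to one file. Either way, a small CI check asserting that every dashboard's Navigation `visState` is byte-identical would turn drift into a build failure rather than a user-visible gap; I cannot tell from the hunk which case applies.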
diff --git a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
index ceb8bf04b..b793a3092 100644
--- a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
+++ b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
@@ -82,7 +82,7 @@
"version": "WzY5MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
index 8b072a2ba..bdafb1f1e 100644
--- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
+++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
@@ -77,7 +77,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
index 4a74dc322..b6215b367 100644
--- a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
+++ b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
index bc93baaa7..84da7d3be 100644
--- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
+++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
}
},
"references": [
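Review bot: The new `searchSourceJSON` on the `+` line drops the hard-coded `"time_zone":"America/Boise"` entry, but nothing in the change prevents it from being reintroduced the next time a dashboard is exported from a developer instance, which is presumably how that value got in. If the repository has an export or normalization step for `dashboards/dashboards/*.json`, it would be worth stripping `time_zone` from `query_string` there, or adding a repository check that fails when any file in that directory contains `"time_zone"`. Only this dashboard's `searchSourceJSON` is visible here; sibling dashboards may still carry the same value, so a one-off search of the directory before merge is cheap. The enclosing saved-object JSON continues outside the hunk.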
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
index 1a7969747..d0b785710 100644
--- a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
+++ b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
@@ -112,7 +112,7 @@
"version": "WzczOSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
index 6baf5ca48..13b9588c5 100644
--- a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
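Review bot: The new `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` entry on the `+` line is a hard-coded cross-reference to another saved object, and nothing in this hunk shows that a dashboard with that id is exported in the same commit; if it is absent the markdown still renders but the link lands on a "dashboard not found" page, so confirm the `3a9e3440-75e2-11ef-8138-03748f839a49` dashboard export is part of this change. The same Navigation `visState` string is repeated byte-for-byte in the `d4fd6afd` and `dd87edd0` hunks below (and presumably in every other dashboard file), so each link addition has to be applied to many files in lockstep and a missed file drifts silently; a follow-up could generate this panel from a single template at import time instead of editing each export. The edit itself is purely additive and keeps the list alphabetical, and all targets remain relative `#/dashboard/` fragments, so no functional or security concern with the content.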
diff --git a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
index 87ae63cf8..f203dc194 100644
--- a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
+++ b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
index 597deee1b..816986635 100644
--- a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
+++ b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
@@ -107,7 +107,7 @@
"version": "WzgzOCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
index 9772190cc..57fd769eb 100644
--- a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
+++ b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
index bd197abcf..082c58868 100644
--- a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
+++ b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
@@ -127,7 +127,7 @@
"version": "Wzg3NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -651,7 +651,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek AND event.dataset:ge_srtp\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek AND event.dataset:ge_srtp\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
index 9c7d0227b..ecfd7f99d 100644
--- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
@@ -97,7 +97,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
@@ -596,7 +596,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"threat.framework:\\\"MITRE ATT&CK for ICS\\\"\",\"language\":\"lucene\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
diff --git a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
index 1a12f8a7f..e5fe54a1a 100644
--- a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
@@ -47,7 +47,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
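Review bot: The Navigation markdown on the new side of this hunk (the `+ "visState"` line adding the `[HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49)` entry) is a byte-for-byte copy of the same string in dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json and dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json, so every new protocol dashboard has to be hand-edited into each dashboard export and nothing in the commit guards against the copies drifting apart. A small consistency check (for example in CI) that loads each export, extracts `params.markdown` from every visualization titled `Navigation` and asserts all copies are identical would catch a missed or mistyped file on the next addition; if these exports are already regenerated from a single template, naming that script in the commit description would make the intent clear. The target id in the new link should also correspond to a dashboard file under dashboards/dashboards/, which this chunk does not show, so that is worth verifying before merge.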
diff --git a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
index f8b85f677..6479af002 100644
--- a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
+++ b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
@@ -137,7 +137,7 @@
"version": "Wzg2MSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
index 1e38d0494..1bb8e62d1 100644
--- a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
+++ b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
index d4295467d..e3aaae309 100644
--- a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
+++ b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
index 10e6460d0..917cc227e 100644
--- a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
@@ -77,7 +77,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
index 8ee4a9081..a5193063e 100644
--- a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
+++ b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
@@ -102,7 +102,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● 
[Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh
index 8abf9b6cd..8f150b5da 100755
--- a/dashboards/scripts/shared-object-creation.sh
+++ b/dashboards/scripts/shared-object-creation.sh
@@ -425,6 +425,17 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then
# end OpenSearch Tweaks
#############################################################################################################################
+
+ # OpenSearch Create Initial Indices
+
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
+ -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_NETWORK_INDEX_PATTERN%?}initial" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
+ -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_OTHER_INDEX_PATTERN%?}initial" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+
# before we go on to create the anomaly detectors, we need to wait for actual network log documents
/data/opensearch_status.sh -w >/dev/null 2>&1
sleep 60
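Review bot: The two new curl PUTs send their output to /dev/null and carry no `--fail`, so an HTTP error from OpenSearch (the index already existing on a re-run, or an authorization failure) is never surfaced — `--show-error` only reports failures curl itself detects, not 4xx/5xx responses. Adding `--fail` to both invocations, `curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --fail --output /dev/null --show-error \`, makes a rejected PUT visible in the script output; if "already exists" is expected on re-runs, a preceding `--head` request against the same URL would distinguish that case from a real failure, and check whether the script runs under `set -e` before deciding whether a failed PUT should abort. The `${...%?}` suffix trim presumably strips the trailing wildcard from the index pattern, which deserves a comment above the first curl such as `# strip the trailing wildcard from the index pattern to form the concrete "<prefix>initial" index name`. The enclosing conditional block begins outside the hunk.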
diff --git a/dashboards/templates/composable/component/arkime.json b/dashboards/templates/composable/component/arkime.json
index 050af4805..c8a362ced 100644
--- a/dashboards/templates/composable/component/arkime.json
+++ b/dashboards/templates/composable/component/arkime.json
@@ -11,6 +11,8 @@
"destination.geo.location": { "type": "geo_point" },
"destination.geo.longitude": { "type": "float" },
"destination.mac-cnt": { "type": "long" },
+ "huntId": { "type": "keyword" },
+ "huntName": { "type": "keyword" },
"network.vlan.id-cnt": { "type": "long" },
"source.as.full": { "type": "keyword" },
"source.geo.country_code2": { "type": "keyword" },
diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json
index e60b3c19f..1c8b30860 100644
--- a/dashboards/templates/composable/component/zeek.json
+++ b/dashboards/templates/composable/component/zeek.json
@@ -1,5 +1,12 @@
{
"template": {
+ "settings" : {
+ "index" : {
+ "mapping.total_fields.limit" : "6000",
+ "mapping.nested_fields.limit" : "250",
+ "max_docvalue_fields_search" : "200"
+ }
+ },
"mappings": {
"properties": {
"zeek.analyzer.cause": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
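Review bot: The three new index settings are written as quoted strings (`"6000"`, `"250"`, `"200"`) and with a space before the colon (`"settings" : {`), which differs from the `"key": value` spacing used everywhere else in this template; OpenSearch accepts either form, but `"mapping.total_fields.limit": 6000` keeps the file consistent. The same settings block is duplicated verbatim in zeek_ot.json (its hunk at line 1), so if these limits are tuned again both copies must change together. `mapping.total_fields.limit` is the per-index guard against unbounded mapping growth, and raising it to 6000 presumably makes room for the several hundred new `zeek.hart_ip_common_commands.*` fields; since JSON cannot carry a comment, a short note in the project documentation recording why these values were chosen would help future maintainers. The enclosing `template` object continues outside the hunk.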
@@ -104,6 +111,7 @@
"zeek.gquic.tag_count": { "type": "integer" },
"zeek.gquic.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.gquic.version": { "type": "keyword" },
+ "zeek.http.client_header_names": { "type": "keyword" },
"zeek.http.host": { "type": "keyword" },
"zeek.http.info_code": { "type": "short" },
"zeek.http.info_msg": { "type": "keyword" },
@@ -122,6 +130,7 @@
"zeek.http.resp_fuids": { "type": "keyword" },
"zeek.http.resp_mime_types": { "type": "keyword" },
"zeek.http.response_body_len": { "type": "long" },
+ "zeek.http.server_header_names": { "type": "keyword" },
"zeek.http.status_code": { "type": "short" },
"zeek.http.status_msg": { "type": "keyword", "ignore_above": 1024 },
"zeek.http.tags": { "type": "keyword" },
@@ -192,6 +201,8 @@
"zeek.known_certs.issuer_subject": { "type": "keyword" },
"zeek.known_certs.serial": { "type": "keyword" },
"zeek.known_certs.subject": { "type": "keyword" },
+ "zeek.known_routers.ttl": { "type": "integer" },
+ "zeek.known_routers.hlim": { "type": "integer" },
"zeek.ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.ldap.message_id": { "type": "keyword" },
"zeek.ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
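Review bot: The two new `zeek.known_routers.*` entries are listed as `ttl` then `hlim`, while the surrounding keys appear to be kept in alphabetical order; swapping them (`"zeek.known_routers.hlim": { "type": "integer" },` before `"zeek.known_routers.ttl": { "type": "integer" },`) keeps the mapping easy to scan and merge. The enclosing properties object continues outside the hunk.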
diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
index 0ae0e69f4..93877c03b 100644
--- a/dashboards/templates/composable/component/zeek_ot.json
+++ b/dashboards/templates/composable/component/zeek_ot.json
@@ -1,5 +1,12 @@
{
"template": {
+ "settings" : {
+ "index" : {
+ "mapping.total_fields.limit" : "6000",
+ "mapping.nested_fields.limit" : "250",
+ "max_docvalue_fields_search" : "200"
+ }
+ },
"mappings": {
"properties": {
"zeek.bacnet.bvlc_function": { "type": "keyword" },
@@ -69,6 +76,7 @@
"zeek.bsap_serial_rdb_ext.seq": { "type": "integer" },
"zeek.bsap_serial_rdb_ext.sfun": { "type": "keyword" },
"zeek.cip.attribute_id": { "type": "keyword" },
+ "zeek.cip.packet_correlation_id": { "type": "keyword" },
"zeek.cip.cip_extended_status": { "type": "keyword" },
"zeek.cip.cip_extended_status_code": { "type": "keyword" },
"zeek.cip.cip_sequence_count": { "type": "integer" },
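Review bot: `zeek.cip.packet_correlation_id` is inserted between `zeek.cip.attribute_id` and `zeek.cip.cip_extended_status`, which breaks the alphabetical ordering the surrounding `zeek.cip.*` entries appear to follow; moving it after the last `zeek.cip.*` key (past `cip_sequence_count` and whatever follows outside the hunk) keeps the mapping greppable and reduces merge conflicts. The enclosing properties object continues outside the hunk.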
@@ -185,6 +193,600 @@
"zeek.enip.options": { "type": "keyword" },
"zeek.enip.sender_context": { "type": "keyword" },
"zeek.enip.session_handle": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.eeprom_control_eeprom_control_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.enter_exit_fixed_current_mode_pv_fixed_current_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.find_device_response_254": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_device_id": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_device_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_c8_psk_in_multi_drop_only": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_eeprom_control": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_mutli_sensor_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_protocol_bridge_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_safehart_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_flags_undefined_5": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_hart_protocol_major_revision": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_last_device_variable_this": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_minimum_preambles_master_slave": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_number_preambles_slave_master": { "type": "long" },
+ "zeek.hart_ip_common_commands.find_device_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.find_device_response_software_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.lock_device_lock_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_request_channel": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_request_io_card": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_request_sub_device_polling_address": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_254": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_id": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_device_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_c8_psk_in_multi_drop_only": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_eeprom_control": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_mutli_sensor_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_protocol_bridge_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_safehart_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_flags_undefined_5": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_hart_protocol_major_revision": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_last_device_variable_this": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_minimum_preambles_master_slave": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_number_preambles_slave_master": { "type": "long" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.poll_sub_device_response_software_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_request_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_and_percent_of_range_response_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_request_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_request_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_alarm_selection_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_damping_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_input": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_is_simulated": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_lower_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_transfer_function_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channel_information_response_analog_channel_upper_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot0": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot1": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot2": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_request_analog_channel_number_code_slot3": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot0": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot1": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot2": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_level_slot3": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot0": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot1": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot2": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_number_code_slot3": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot0": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot1": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot2": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_analog_channels_response_analog_channel_units_code_slot3": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_request_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_acquisition_period": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_classification": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_damping_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_family": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_limits_minimum_span_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_lower_transducer_limit": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_minimum_span": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_input": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_is_simulated": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_properties_undefined_bits_1_6": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_transducer_serial_number": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_information_response_device_variable_upper_transducer_limit": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variable_trim_guidelines_device_variable_guidelines": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_lower_or_single_trim_point": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_trim_points_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variable_trim_points_response_upper_trim_point": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot0_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot1_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot2_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_request_slot3_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot0_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot1_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot2_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_device_variables_response_slot3_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable": { "type": "float" },
+ "zeek.hart_ip_common_commands.read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_channel": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_io_card": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_ack_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_back_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_oack_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_ostx_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_channel_statistics_response_stx_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_master_mode": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_channels_per_io_card": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_delayed_responses_supported": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_io_cards": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_max_sub_devices_per_channel": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_number_of_devices_detected": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_io_system_capabilities_response_retry_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_configuration_locked": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_device_locked": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_gateway": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_permanent": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_lock_primary": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_lock_device_state_response_lock_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_channel": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_id": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_device_revision": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_io_card": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_long_tag": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_response_universal_command_revision_level": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_identity_summary_sub_device_index": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_ack_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_back_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_response_stx_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_sub_device_statistics_sub_device_index": { "type": "long" },
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_date": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_descriptor": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.read_unit_tag_descriptor_date_response_unit_tag": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.reset_device_variable_trim_device_variable_trim_to_reset": { "type": "long" },
+ "zeek.hart_ip_common_commands.set_device_variable_zero_device_variable_zeroed": { "type": "long" },
+ "zeek.hart_ip_common_commands.set_real_time_clock_date": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.set_real_time_clock_null_bytes": { "type": "long" },
+ "zeek.hart_ip_common_commands.set_real_time_clock_time_of_day": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.set_real_time_clock_time_set_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.squawk_squawk_control": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_gain_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.trim_analog_channel_zero_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.trim_loop_current_gain_measured_pv_loop_current_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.trim_loop_current_zero_measured_pv_loop_current_level": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_damping_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_analog_channel_additional_damping_value_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_lower_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_analog_channel_range_values_analog_channel_upper_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_number_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_analog_channel_transfer_function_analog_channel_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_damping_value_device_variable_damping_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_device_variable_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_transducer_serial_no_device_variable_transducer_serial_number": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_device_variable_to_trim": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_point_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_device_variable_trim_point_trim_points_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_units_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_device_variable_units_device_variable_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_device_variable_write_device_variable_command_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_io_system_master_mode_master_mode": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_io_system_retry_count_retry_count": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_number_of_response_preambles_number_of_preambles": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_primary_variable_damping_value_pv_damping_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_p_v_lower_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_primary_variable_range_values_pv_upper_range_value": { "type": "float" },
+ "zeek.hart_ip_common_commands.write_primary_variable_transducer_serial_number_pv_transducer_serial_number": { "type": "long" },
+ "zeek.hart_ip_common_commands.write_primary_variable_transfer_function_p_v_transfer_function_code": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_primary_variable_units_pv_unit_codes": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_date": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_descriptor": { "type": "keyword" },
+ "zeek.hart_ip_common_commands.write_unit_tag_descriptor_date_unit_tag": { "type": "keyword" },
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_byte_count": { "type": "long" },
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_command_number": { "type": "keyword" },
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_command_data_data": { "type": "keyword" },
+ "zeek.hart_ip_direct_pdu_command.direct_pdu_contents_response_response_code": { "type": "long" },
+ "zeek.hart_ip.command_number_link_id": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_command_link_id": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_cold_start": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_configuration_changed": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_device_malfunction": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_loop_current_fixed": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_loop_current_saturated": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_more_status_available": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_non_primary_variable_out_of_limits": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_device_status_primary_variable_out_of_limits": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_failure": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip.direct_pdu_extended_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip.header_length": { "type": "long" },
+ "zeek.hart_ip.header_message_id": { "type": "keyword" },
+ "zeek.hart_ip.header_message_type_message_type": { "type": "keyword" },
+ "zeek.hart_ip.header_message_type_reserved": { "type": "long" },
+ "zeek.hart_ip.header_sequence_number": { "type": "long" },
+ "zeek.hart_ip.header_status_code": { "type": "keyword" },
+ "zeek.hart_ip.header_version": { "type": "long" },
+ "zeek.hart_ip.message_packet_bytes": { "type": "keyword" },
+ "zeek.hart_ip.read_audit_log_last_security_change": { "type": "date" },
+ "zeek.hart_ip.read_audit_log_number_of_records": { "type": "long" },
+ "zeek.hart_ip.read_audit_log_power_up_time": { "type": "date" },
+ "zeek.hart_ip.read_audit_log_server_status_insecure_syslog_connection": { "type": "keyword" },
+ "zeek.hart_ip.read_audit_log_server_status_syslog_server_located_but_connection_failed": { "type": "keyword" },
+ "zeek.hart_ip.read_audit_log_server_status_unable_to_locate_syslog_server": { "type": "keyword" },
+ "zeek.hart_ip.read_audit_log_server_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip.read_audit_log_session_record_size": { "type": "long" },
+ "zeek.hart_ip.read_audit_log_start_record": { "type": "long" },
+ "zeek.hart_ip.session_initiate_inactivity_close_timer": { "type": "long" },
+ "zeek.hart_ip.session_initiate_master_type": { "type": "long" },
+ "zeek.hart_ip.session_log_record_link_id": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_address_v4": { "type": "long" },
+ "zeek.hart_ip.token_passing_pdu_address_v6": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_byte_count": { "type": "long" },
+ "zeek.hart_ip.token_passing_pdu_check_byte": { "type": "long" },
+ "zeek.hart_ip.token_passing_pdu_command_number": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_data_data": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_cold_start": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_configuration_changed": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_device_malfunction": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_fixed": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_loop_current_saturated": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_more_status_available": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_contents_response_response_code": { "type": "long" },
+ "zeek.hart_ip.token_passing_pdu_delimiter_address_type": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_delimiter_expansion_bytes": { "type": "long" },
+ "zeek.hart_ip.token_passing_pdu_delimiter_frame_type": { "type": "keyword" },
+ "zeek.hart_ip.token_passing_pdu_delimiter_physical_layer_type": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_client_i_pv4_address": { "type": "ip" },
+ "zeek.hart_ip_session_record.session_log_record_client_i_pv6_address": { "type": "ip" },
+ "zeek.hart_ip_session_record.session_log_record_client_port": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_connect_time": { "type": "date" },
+ "zeek.hart_ip_session_record.session_log_record_disconnect_time": { "type": "date" },
+ "zeek.hart_ip_session_record.session_log_record_end_configuration_change_count": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_num_publish_pdu": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_num_request_pdu": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_num_response_pdu": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_server_port": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_aborted_session": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_bad_session_initialization": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_insecure_session": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_session_timeout": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_session_record.session_log_record_session_status_summary_writes_occured": { "type": "keyword" },
+ "zeek.hart_ip_session_record.session_log_record_start_configuration_change_count": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_analog_channel": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quaternary_analog": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_quinary_analog": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_secondary_analog": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_tertiary_analog": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_saturated_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_analog_channel_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_operating_mode": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_0": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_device_specific_status_1": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_configuration_lock": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_device_variable_simulation_active": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_electronic_defect": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_volatile_memory_defect": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status0_watchdog_reset_executed": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_event_notification_overflow": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_reserved": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_status_simulation_active": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status1_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_duplicate_master_detected": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_stale_data_notice": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_list_changed": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_mismatch": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status2_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_block_transfer_pending": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_capacity_denied": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_radio_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_resereved": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_additional_device_status_contents_standardized_status3_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_250": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_alarm_selection_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_analog_channel": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_analog_channel_flags_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_damping_value": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_lower_range_value": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_transfer_function_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_lower_range": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_p_v_upper_range_value": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_information_response_write_protect_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot0_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot1_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot2_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot3_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot4_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot5_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot6_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_request_slot7_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_time": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot0_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot1_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot2_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot3_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot4_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot5_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot6_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_class": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_code": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_device_family_specific_status": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_limit_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_device_variable_status_process_data_status": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_device_variable_response_slot7_units_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_primary_variable_classification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_quaternary_variable_classification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_secondary_variable_classification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_classifications_response_tertiary_variable_classification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_loop_current": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_primary_variable_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_quaternary_variable_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_secondary_variable_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_dynamic_variable_response_tertiary_variable_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_final_assembly_number_response_final_assembly_number": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_long_tag_response_long_tag": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_loop_configuration_response_loop_current_mode": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_loop_configuration_response_polling_address_device": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_loop_current": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_loop_current_response_primary_variable_percent_range": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_message_response_message": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_response_primary_variable_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_lower_transducer_limit": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_minimum_span": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_limits_units": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_transducer_serial_number": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_primary_variable_transducer_information_response_p_v_upper_transducer_limit": { "type": "float" },
+ "zeek.hart_ip_universal_commands.read_tag_response_date_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_tag_response_descriptor": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_tag_response_tag": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_request_long_tag": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_254": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_id": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_device_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_eeprom_control": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_protocol_bridge_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_safehart_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_flags_undefined_5": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_hart_protocol_major_revision": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_last_device_variable_this": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_minimum_preambles_master_slave": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_number_preambles_slave_master": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_long_tag_response_software_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_254": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_id": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_device_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_c8_psk_in_multi_drop_only": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_eeprom_control": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_mutli_sensor_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_protocol_bridge_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_safehart_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_flags_undefined_5": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_hart_protocol_major_revision": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_last_device_variable_this": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_minimum_preambles_master_slave": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_number_preambles_slave_master": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_response_software_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_request_tag": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_254": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_id": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_profile": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_device_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_expanded_device_type": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_failure": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_function_check": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_maintenance_required": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_out_of_specification": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_extended_field_device_status_undefined_bits": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_eeprom_control": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_mutli_sensor_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_protocol_bridge_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_safehart_capable_field_device": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_flags_undefined_5": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_hart_protocol_major_revision": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_last_device_variable_this": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_manufacturer_identification_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_minimum_preambles_master_slave": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_number_preambles_slave_master": { "type": "long" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_private_label_distributor_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.read_unique_identifier_tag_response_software_revision_level": { "type": "long" },
+ "zeek.hart_ip_universal_commands.reset_configuration_changed_flag_configuration_change_counter": { "type": "long" },
+ "zeek.hart_ip_universal_commands.write_final_assembly_number_final_assembly_number": { "type": "long" },
+ "zeek.hart_ip_universal_commands.write_long_tag_long_tag": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.write_message_message_string": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.write_polling_address_loop_current_mode": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.write_polling_address_polling_address_device": { "type": "long" },
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_date_code": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_record_keeping_descriptor": { "type": "keyword" },
+ "zeek.hart_ip_universal_commands.write_tag_descriptor_date_tag": { "type": "keyword" },
"zeek.ge_srtp.srtp_type": { "type": "keyword" },
"zeek.ge_srtp.sequence_number_1": { "type": "long" },
"zeek.ge_srtp.text_length": { "type": "long" },
diff --git a/dashboards/templates/malcolm_beats_template.json b/dashboards/templates/malcolm_beats_template.json
index e98ac84e1..31a10a144 100644
--- a/dashboards/templates/malcolm_beats_template.json
+++ b/dashboards/templates/malcolm_beats_template.json
@@ -29,7 +29,7 @@
"template" :{
"settings" : {
"index" : {
- "mapping.total_fields.limit" : "5000",
+ "mapping.total_fields.limit" : "6000",
"mapping.nested_fields.limit" : "250",
"max_docvalue_fields_search" : "200"
}
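Review bot: `mapping.total_fields.limit` is raised from 5000 to 6000 here and in the matching hunk of malcolm_template.json below, but nothing records how close the current mapping comes to the new ceiling. This limit is the guard against mapping explosion when dynamic mapping turns log content into new fields, so it is most useful when kept near the real field count; the hart_ip fields added in the preceding hunk presumably pushed the count past 5000, but the resulting total is not visible here. Since the template is JSON and cannot carry a comment, the measured field count and the headroom chosen belong in the commit message or in the docs for adding new log fields.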
diff --git a/dashboards/templates/malcolm_template.json b/dashboards/templates/malcolm_template.json
index dee0b4564..6f4e6ddf8 100644
--- a/dashboards/templates/malcolm_template.json
+++ b/dashboards/templates/malcolm_template.json
@@ -31,7 +31,7 @@
"template" :{
"settings" : {
"index" : {
- "mapping.total_fields.limit" : "5000",
+ "mapping.total_fields.limit" : "6000",
"mapping.nested_fields.limit" : "250",
"max_docvalue_fields_search" : "200"
}
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index a8989ea3e..845c98cf2 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -5,12 +5,13 @@ services:
build:
context: .
dockerfile: Dockerfiles/opensearch.Dockerfile
- image: ghcr.io/idaholab/malcolm/opensearch:24.08.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
# Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
# OPENSEARCH_PRIMARY will be set to remote, which means the container will
# start but not actually run OpenSearch. It's included in both profiles to
# satisfy some other containers' depends_on.
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
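Review bot: `userns_mode: keep-id` is a Podman user-namespace mode (map the invoking user's UID/GID into the container), while Docker Engine, as far as I know, only recognizes `host` for this key, so the same Compose file may be rejected or behave differently under Docker unless the launcher strips the key for that runtime; the docs hunks in this commit say either runtime may be used, so it is worth stating which tooling handles that. The same line is added to every service in this file and in docker-compose.yml, so one comment above the first occurrence would cover them, e.g. `# Podman rootless: keep-id maps the host user into the container so bind mounts keep their ownership; not a valid mode for Docker Engine`. Note also that with keep-id the container runs with the host user's identity against bind mounts such as the new read-only `./arkime/lua` mount, so the host-side permissions on that directory are what bound what the container can read.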
@@ -82,8 +83,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/dashboards-helper.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -135,8 +137,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/dashboards.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -181,8 +184,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/logstash.Dockerfile
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -295,8 +299,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/filebeat.Dockerfile
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -371,8 +376,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -411,6 +417,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -450,8 +462,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -495,6 +508,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -528,8 +547,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -600,8 +620,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -664,8 +685,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -723,8 +745,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -780,8 +803,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -835,8 +859,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -881,8 +906,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -935,8 +961,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -976,8 +1003,9 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:24.08.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1028,8 +1056,9 @@ services:
retries: 3
start_period: 60s
freq:
- image: ghcr.io/idaholab/malcolm/freq:24.08.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1065,8 +1094,9 @@ services:
retries: 3
start_period: 60s
netbox:
- image: ghcr.io/idaholab/malcolm/netbox:24.08.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1131,8 +1161,9 @@ services:
retries: 3
start_period: 120s
netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:24.08.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1174,8 +1205,9 @@ services:
retries: 3
start_period: 45s
netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1221,8 +1253,9 @@ services:
retries: 3
start_period: 45s
netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1263,8 +1296,9 @@ services:
retries: 3
start_period: 45s
api:
- image: ghcr.io/idaholab/malcolm/api:24.08.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1311,8 +1345,9 @@ services:
build:
context: .
dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.08.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
diff --git a/docker-compose.yml b/docker-compose.yml
index 705f3587a..b2260d162 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,12 +2,13 @@
services:
opensearch:
- image: ghcr.io/idaholab/malcolm/opensearch:24.08.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
# Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
# OPENSEARCH_PRIMARY will be set to remote, which means the container will
# start but not actually run OpenSearch. It's included in both profiles to
# satisfy some other containers' depends_on.
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -76,8 +77,9 @@ services:
retries: 3
start_period: 180s
dashboards-helper:
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -126,8 +128,9 @@ services:
retries: 3
start_period: 30s
dashboards:
- image: ghcr.io/idaholab/malcolm/dashboards:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -169,8 +172,9 @@ services:
retries: 3
start_period: 210s
logstash:
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -256,8 +260,9 @@ services:
retries: 3
start_period: 600s
filebeat:
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -329,8 +334,9 @@ services:
retries: 3
start_period: 60s
arkime:
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -369,6 +375,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -387,8 +399,9 @@ services:
retries: 3
start_period: 210s
arkime-live:
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -432,6 +445,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -444,8 +463,9 @@ services:
source: ./pcap
target: /data/pcap
zeek:
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -507,8 +527,9 @@ services:
retries: 3
start_period: 60s
zeek-live:
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -562,8 +583,9 @@ services:
target: /opt/zeek/share/zeek/site/custom
read_only: true
suricata:
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -618,8 +640,9 @@ services:
retries: 3
start_period: 120s
suricata-live:
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -672,8 +695,9 @@ services:
target: /opt/suricata/include-configs
read_only: true
file-monitor:
- image: ghcr.io/idaholab/malcolm/file-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -724,8 +748,9 @@ services:
retries: 3
start_period: 60s
pcap-capture:
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -767,8 +792,9 @@ services:
source: ./pcap/upload
target: /pcap
pcap-monitor:
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
profiles: ["malcolm", "hedgehog"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -818,8 +844,9 @@ services:
retries: 3
start_period: 90s
upload:
- image: ghcr.io/idaholab/malcolm/file-upload:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -859,8 +886,9 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:24.08.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -908,8 +936,9 @@ services:
retries: 3
start_period: 60s
freq:
- image: ghcr.io/idaholab/malcolm/freq:24.08.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -942,8 +971,9 @@ services:
retries: 3
start_period: 60s
netbox:
- image: ghcr.io/idaholab/malcolm/netbox:24.08.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1005,8 +1035,9 @@ services:
retries: 3
start_period: 120s
netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:24.08.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1045,8 +1076,9 @@ services:
retries: 3
start_period: 45s
netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1089,8 +1121,9 @@ services:
retries: 3
start_period: 45s
netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1128,8 +1161,9 @@ services:
retries: 3
start_period: 45s
api:
- image: ghcr.io/idaholab/malcolm/api:24.08.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
@@ -1170,8 +1204,9 @@ services:
retries: 3
start_period: 60s
nginx-proxy:
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.08.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
profiles: ["malcolm"]
+ userns_mode: keep-id
logging:
driver: local
options:
diff --git a/docs/README.md b/docs/README.md
index cbff488d8..f3880aa0f 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -17,10 +17,11 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
* [Quick start](quickstart.md#QuickStart)
- [Getting Malcolm](quickstart.md#GetMalcolm)
- [User interface](quickstart.md#UserInterfaceURLs)
+ - [Docker vs. Podman](quickstart.md#DockerVPodman)
* [Components](components.md#Components)
* [Supported Protocols](protocols.md#Protocols)
* [Downloading Malcolm](download.md#DownloadMalcolm)
- - [Docker images](download.md#DownloadDockerImages)
+ - [Container images](download.md#DownloadDockerImages)
- [Installer ISOs](download.md#DownloadISOs)
* [Development](development.md#Development)
- [Building from source](development.md#Build)
@@ -89,6 +90,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
* [Search Queries in Arkime and OpenSearch Dashboards](queries-cheat-sheet.md#SearchCheatSheet)
* Other Malcolm features
- [Custom Rules, Scripts and Plugins](custom-rules.md#CustomRulesAndScripts)
+ + [Arkime](custom-rules.md#Arkime)
+ [Suricata](custom-rules.md#Suricata)
+ [Zeek](custom-rules.md#Zeek)
+ [YARA](custom-rules.md#YARA)
@@ -138,7 +140,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
* [Upgrading Malcolm](malcolm-upgrade.md#UpgradePlan)
* [Modifying or Contributing to Malcolm](contributing-guide.md#Contributing)
- [Local modifications](contributing-local-modifications.md#LocalMods)
- - [Adding a new service (Docker image)](contributing-new-image.md#NewImage)
+ - [Adding a new service (image)](contributing-new-image.md#NewImage)
- [Adding new log fields](contributing-new-log-fields.md#NewFields)
- [Zeek](contributing-zeek.md#Zeek)
- [PCAP processors](contributing-pcap.md#PCAP)
diff --git a/docs/api-version.md b/docs/api-version.md
index da67ccdcf..0c0fefe76 100644
--- a/docs/api-version.md
+++ b/docs/api-version.md
@@ -49,6 +49,6 @@ Returns version information about Malcolm and version/[health](https://opensearc
}
},
"sha": "dad18b1",
- "version": "24.08.0"
+ "version": "24.10.0"
}
```
diff --git a/docs/arkime.md b/docs/arkime.md
index 557a33193..c929b207f 100644
--- a/docs/arkime.md
+++ b/docs/arkime.md
@@ -13,8 +13,6 @@
- [Statistics](#ArkimeStats)
- [Settings](#ArkimeSettings)
-The Arkime interface will be accessible over HTTPS on port 443 at the docker host's IP address (e.g., **https://localhost** if connecting locally).
-
## Zeek log integration
A stock installation of Arkime extracts all its network connection ("session") metadata ("SPI" or "Session Profile Information") from full packet capture artifacts (PCAP files). Zeek generates similar session metadata, linking network events to sessions via a connection UID. Malcolm aims to facilitate analysis of Zeek logs by mapping values from Zeek logs to the Arkime session database schema for equivalent fields, and by creating new "native" Arkime database fields for all other Zeek log values for which there is not currently an equivalent in Arkime:
@@ -93,7 +91,7 @@ Arkime's **SPI** (**S**ession **P**rofile **I**nformation) **View** provides a q
Click the the plus **➕** icon to the right of a category to expand it. The values for specific fields are displayed by clicking the field description in the field list underneath the category name. The list of field names can be filtered by typing part of the field name in the *Search for fields to display in this category* text input. The **Load All** and **Unload All** buttons can be used to toggle display of all fields belonging to that category. Once displayed, a field's name or one of its values may be clicked to provide further actions for filtering or displaying that field or its values. Of particular interest may be the **Open [fieldname] SPI Graph** option when clicking on a field's name. This will open a new tab with the SPI Graph ([see below](#ArkimeSPIGraph)) populated with the field's top values.
-Note that because the SPIView page can run many queries, SPIView limits the search domain to 7 days (in other words, seven indices, as each index represents 1 day's worth of data). When using SPIView, users will have best results by limiting the search time frame to less than or equal to 7 days. This limit can be adjusted by editing the `spiDataMaxIndices` setting in [config.ini]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/arkime/etc/config.ini) and rebuilding the `ghcr.io/idaholab/malcolm/arkime` docker container.
+Note that because the SPIView page can run many queries, SPIView limits the search domain to 7 days (in other words, seven indices, as each index represents 1 day's worth of data). When using SPIView, users will have best results by limiting the search time frame to less than or equal to 7 days. This limit can be adjusted by editing the `spiDataMaxIndices` setting in [config.ini]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/arkime/etc/config.ini) and rebuilding the `ghcr.io/idaholab/malcolm/arkime` container.
See also Arkime's usage documentation for more information on [SPIView](https://localhost/help#spiview).
diff --git a/docs/components.md b/docs/components.md
index 5e7ccbb7d..122ccc113 100644
--- a/docs/components.md
+++ b/docs/components.md
@@ -15,7 +15,10 @@ Malcolm leverages the following excellent open source tools, among others.
* [ClamAV](https://www.clamav.net/) - an antivirus engine for scanning files extracted by Zeek
* [CyberChef](https://github.com/gchq/CyberChef) - a "Swiss Army Knife" data conversion tool
* [jQuery File Upload](https://github.com/blueimp/jQuery-File-Upload) - for uploading PCAP files and Zeek logs for processing
-* [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/) - for simple, reproducible deployment of the Malcolm appliance across environments and coordination of communication between its various components
+* Providing application containerization and orchestration for simple, reproducible deployment of Malcolm across environments and coordination of communication between its various components, either of the following may be used:
+ - [Docker](https://www.docker.com/)
+ - [Podman](https://podman.io/)
+ - It should be noted that if rootless Podman is used, Malcolm itself cannot perform [traffic capture on local network interfaces](live-analysis.md#LocalPCAP), although it can accept network traffic metadata forwarded from a [a network sensor appliance](live-analysis.md#Hedgehog).
* [NetBox](https://netbox.dev/) - a suite for modeling and documenting modern networks
* [PostgreSQL](https://www.postgresql.org/) - a relational database for persisting NetBox's data
* [Redis](https://redis.io/) - an in-memory data store for caching NetBox session information
diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md
index 285b8f420..313e89fee 100644
--- a/docs/contributing-dashboards.md
+++ b/docs/contributing-dashboards.md
@@ -33,8 +33,8 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa
}
```
1. In your text editor, perform a global-search and replace, replacing the string `arkime_sessions3-*` with `MALCOLM_NETWORK_INDEX_PATTERN_REPLACER` and `malcolm_beats_*` with `MALCOLM_OTHER_INDEX_PATTERN_REPLACER`. These replacers are used to [allow customizing indexes for logs written to OpenSearch or Elasticsearch](https://github.com/idaholab/Malcolm/issues/313).
-1. Include the new dashboard either by using a [bind mount](contributing-local-modifications.md#Bind) for the `./dashboards/dashboards/` directory or by [rebuilding](development.md#Build) the `dashboards-helper` Docker image. Dashboards are imported the first time Malcolm starts up.
+1. Include the new dashboard either by using a [bind mount](contributing-local-modifications.md#Bind) for the `./dashboards/dashboards/` directory or by [rebuilding](development.md#Build) the `dashboards-helper` image. Dashboards are imported the first time Malcolm starts up.
## OpenSearch Dashboards plugins
-The [dashboards.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/dashboards.Dockerfile) installs the OpenSearch Dashboards plugins used by Malcolm (search for `opensearch-dashboards-plugin install` in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `dashboards` Docker image.
+The [dashboards.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/dashboards.Dockerfile) installs the OpenSearch Dashboards plugins used by Malcolm (search for `opensearch-dashboards-plugin install` in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `dashboards` image.
diff --git a/docs/contributing-file-scanners.md b/docs/contributing-file-scanners.md
index 8b38cc858..7280e56cf 100644
--- a/docs/contributing-file-scanners.md
+++ b/docs/contributing-file-scanners.md
@@ -11,4 +11,4 @@ When Zeek extracts a file it observes being transfered in network traffic, the `
Additional file scanners could either be added to the `file-monitor` service; or to avoid coupling with Malcolm's code users could simply define a new service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section and write custom scripts to subscribe and publish to the topics as described above. While this might be a bit of hand-waving, these general steps take care of the plumbing around extracting the file and notifying a new tool, as well as handling the logging of "hits": users shouldn't have to really edit any *existing* code to add a new carved file scanner.
-The `EXTRACTED_FILE_PIPELINE_VERBOSITY` environment variables in can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the Docker containers involved in the carved file processing pipeline.
\ No newline at end of file
+The `EXTRACTED_FILE_PIPELINE_VERBOSITY` environment variables in can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the containers involved in the carved file processing pipeline.
\ No newline at end of file
diff --git a/docs/contributing-github-runners.md b/docs/contributing-github-runners.md
index d009ef552..256ea8ba9 100644
--- a/docs/contributing-github-runners.md
+++ b/docs/contributing-github-runners.md
@@ -1,10 +1,10 @@
# Using GitHub runners to build Malcolm images
-Users who have [forked](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) Malcolm on [GitHub]({{ site.github.repository_url }}) can use GitHub-hosted [runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) to build Malcolm docker images, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs, and push those images to GitHub's [ghcr.io container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry).
+Users who have [forked](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo) Malcolm on [GitHub]({{ site.github.repository_url }}) can use GitHub-hosted [runners](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) to build Malcolm images, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs, and push those images to GitHub's [ghcr.io container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry).
The resulting images are named according to the pattern `ghcr.io/username/malcolm/image:branch` (e.g., if the user has forked Malcolm with the GitHub user `romeogdetlevjr`, the `Arkime` container built for the `main` branch would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the Bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images.
-[Workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions to build the docker images using GitHub-hosted runners, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs.
+[Workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions to build the images using GitHub-hosted runners, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs.
This document outlines the steps needed to configure and use GitHub runners to build Malcolm images.
@@ -28,10 +28,25 @@ Expand **✴ Secrets and variables** in the left menu panel under **Security**,
Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). This license key should be specified here as a repository secret so that the workflows may download the GeoLite2 databases to embed into the container images that use them. Keep in mind that MaxMind has a daily rate for the number of downloads allowed per license key.
-Click **New repository secret** and create a secret with the name `MAXMIND_GEOIP_DB_LICENSE_KEY` and the **Secret** value containing the user's free license key obtained from MaxMind. Then click **Add secret**. Click **New repository secret** and create a secret with the name `MAXMIND_GEOIP_DB_LICENSE_KEY` and the **Secret** value containing the user's free license key obtained from MaxMind. Then click **Add secret**.
+Click **New repository secret** and create a secret with the name `MAXMIND_GEOIP_DB_LICENSE_KEY` and the **Secret** value containing the user's free license key obtained from MaxMind. Then click **Add secret**. Click **New repository secret** and create a secret with the name `MAXMIND_GEOIP_DB_LICENSE_KEY` and the **Secret** value containing the user's free license key obtained from MaxMind. Then click **Add secret**.
![GitHub Actions secrets and variables](./images/screenshots/github-actions-secret.png)
+As an alternative to (or fallback for) `MAXMIND_GEOIP_DB_LICENSE_KEY`, a URL prefix may be specified in `MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL` (e.g., `https://example.org/foo/bar`) which will be used as a fallback. This URL should serve up `.tar.gz` files in the same format as those provided by the official source:
+
+```bash
+$ ls
+GeoLite2-ASN.mmdb.tar.gz GeoLite2-City.mmdb.tar.gz GeoLite2-Country.mmdb.tar.gz
+
+$ for FILE in *.tar.gz; do tar -tvf "$FILE"; done
+drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-ASN/
+-rw-r--r-- user/user 8655479 2024-09-17 13:48 GeoLite2-ASN/GeoLite2-ASN.mmdb
+drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-City/
+-rw-r--r-- user/user 61133703 2024-09-17 13:48 GeoLite2-City/GeoLite2-City.mmdb
+drwxr-xr-x user/user 0 2024-09-17 14:34 GeoLite2-Country/
+-rw-r--r-- user/user 7529760 2024-09-17 13:48 GeoLite2-Country/GeoLite2-Country.mmdb
+```
+
### Enabling workflows
Click the **▶ Actions** tab along the top of the page. Users will be prompted with this message:
@@ -89,11 +104,11 @@ Each container build workflow actually runs two paths in parallel: one for build
## Convenience scripts for development
-As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.08.0`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.08.0`).
+As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.10.0`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`).
Before explaining that script, a discussion of the workflow files for the [Hedgehog Linux](live-analysis.md#Hedgehog) ([hedgehog-iso-build-docker-wrap-push-ghcr.yml
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml)) and [Malcolm](malcolm-iso.md#ISO) ([malcolm-iso-build-docker-wrap-push-ghcr.yml
-]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml)) installer ISOs is warranted. The installer images are [ISO 9660](https://en.wikipedia.org/wiki/ISO_9660)-formatted files, not docker container images, so one may reasonably wonder about the purpose of the `ghcr.io/username/malcolm/malcolm:main` and `ghcr.io/username/malcolm/hedgehog:main` images pushed to ghcr.io.
+]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml)) installer ISOs is warranted. The installer images are [ISO 9660](https://en.wikipedia.org/wiki/ISO_9660)-formatted files, not container images, so one may reasonably wonder about the purpose of the `ghcr.io/username/malcolm/malcolm:main` and `ghcr.io/username/malcolm/hedgehog:main` images pushed to ghcr.io.
Examining [`malcolm-iso/Dockerfile`]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/malcolm-iso/Dockerfile) and [`hedgehog-iso/Dockerfile`]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/hedgehog-iso/Dockerfile), one will see that these container images are just [thin wrappers](https://github.com/mmguero/docker-qemu-live-iso) around the ISO 9660 image files built during their respective workflows. These wrapper images serve two purposes:
@@ -126,13 +141,13 @@ These menu options are described below:
3. GithubTriggerPackagesBuild
* This option will trigger a [repository dispatch](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch) via the [GitHub API](https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event) using `curl`. In order for this operation to work, an environment variable named `GITHUB_OAUTH_TOKEN` must be defined containing a [personal access token](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28#basic-authentication) created for your GitHub user account with the "Actions (write)" repository permission.
4. PullAndTagGithubWorkflowImages
- * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.08.0`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image.
+ * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image.
5. PullAndTagGithubWorkflowISOImages
- * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.08.0`).
+ * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`).
The script can also be run non-interactively by specifying the option number on the command line (e.g., `./scripts/github_image_helper.sh 4`).
-In addition to requiring Docker, some of the options above also require the [xorriso](https://www.gnu.org/software/xorriso/) and [squashfs-tools](https://github.com/plougher/squashfs-tools) packages to extract from the ISO 9660 image file embedded in the Malcolm installer ISO wrapper container image. Consult your distribution's documentation for how to install these tools (something like `sudo apt-get -y install xorriso squashfs-tools` should work on distributions that use the apt package manager).
+In addition to requiring Docker or Podman, some of the options above also require the [xorriso](https://www.gnu.org/software/xorriso/) and [squashfs-tools](https://github.com/plougher/squashfs-tools) packages to extract from the ISO 9660 image file embedded in the Malcolm installer ISO wrapper container image. Consult your distribution's documentation for how to install these tools (something like `sudo apt-get -y install xorriso squashfs-tools` should work on distributions that use the apt package manager).
### Example
@@ -167,7 +182,7 @@ $ ./scripts/github_image_helper.sh
5 PullAndTagGithubWorkflowISOImages
Operation:4
PullAndTagGithubWorkflowImages
-Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.08.0...
+Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.10.0...
main: Pulling from romeogdetlevjr/malcolm/api
Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status: Image is up to date for ghcr.io/romeogdetlevjr/malcolm/api:main
@@ -181,46 +196,46 @@ ghcr.io/romeogdetlevjr/malcolm/zeek:main
xxxxxxxxxxxx: Pull complete
```
-Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.08.0`).
+Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.10.0`).
```bash
$ docker images | grep romeogdetlevjr/malcolm
-ghcr.io/idaholab/malcolm/zeek 24.08.0 xxxxxxxxxxxx 10 minutes ago 1.39GB
+ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 10 minutes ago 1.39GB
ghcr.io/romeogdetlevjr/malcolm/zeek main xxxxxxxxxxxx 10 minutes ago 1.39GB
-ghcr.io/idaholab/malcolm/dashboards 24.08.0 xxxxxxxxxxxx 13 minutes ago 1.55GB
+ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 13 minutes ago 1.55GB
ghcr.io/romeogdetlevjr/malcolm/dashboards main xxxxxxxxxxxx 13 minutes ago 1.55GB
-ghcr.io/idaholab/malcolm/suricata 24.08.0 xxxxxxxxxxxx 14 minutes ago 339MB
+ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 14 minutes ago 339MB
ghcr.io/romeogdetlevjr/malcolm/suricata main xxxxxxxxxxxx 14 minutes ago 339MB
-ghcr.io/idaholab/malcolm/file-monitor 24.08.0 xxxxxxxxxxxx 15 minutes ago 712MB
+ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 15 minutes ago 712MB
ghcr.io/romeogdetlevjr/malcolm/file-monitor main xxxxxxxxxxxx 15 minutes ago 712MB
-ghcr.io/idaholab/malcolm/redis 24.08.0 xxxxxxxxxxxx 15 minutes ago 55.4MB
+ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 15 minutes ago 55.4MB
ghcr.io/romeogdetlevjr/malcolm/redis main xxxxxxxxxxxx 15 minutes ago 55.4MB
-ghcr.io/idaholab/malcolm/nginx-proxy 24.08.0 xxxxxxxxxxxx 16 minutes ago 160MB
+ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 16 minutes ago 160MB
ghcr.io/romeogdetlevjr/malcolm/nginx-proxy main xxxxxxxxxxxx 16 minutes ago 160MB
-ghcr.io/idaholab/malcolm/pcap-capture 24.08.0 xxxxxxxxxxxx 16 minutes ago 137MB
+ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 16 minutes ago 137MB
ghcr.io/romeogdetlevjr/malcolm/pcap-capture main xxxxxxxxxxxx 16 minutes ago 137MB
-ghcr.io/idaholab/malcolm/htadmin 24.08.0 xxxxxxxxxxxx 16 minutes ago 246MB
+ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 16 minutes ago 246MB
ghcr.io/romeogdetlevjr/malcolm/htadmin main xxxxxxxxxxxx 16 minutes ago 246MB
ghcr.io/romeogdetlevjr/malcolm/file-upload main xxxxxxxxxxxx 16 minutes ago 250MB
-ghcr.io/idaholab/malcolm/file-upload 24.08.0 xxxxxxxxxxxx 16 minutes ago 250MB
-ghcr.io/idaholab/malcolm/logstash-oss 24.08.0 xxxxxxxxxxxx 16 minutes ago 1.49GB
+ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 16 minutes ago 250MB
+ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 16 minutes ago 1.49GB
ghcr.io/romeogdetlevjr/malcolm/logstash-oss main xxxxxxxxxxxx 16 minutes ago 1.49GB
-ghcr.io/idaholab/malcolm/netbox 24.08.0 xxxxxxxxxxxx 17 minutes ago 1.66GB
+ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 17 minutes ago 1.66GB
ghcr.io/romeogdetlevjr/malcolm/netbox main xxxxxxxxxxxx 17 minutes ago 1.66GB
ghcr.io/romeogdetlevjr/malcolm/filebeat-oss main xxxxxxxxxxxx 18 minutes ago 405MB
-ghcr.io/idaholab/malcolm/filebeat-oss 24.08.0 xxxxxxxxxxxx 18 minutes ago 405MB
+ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 18 minutes ago 405MB
ghcr.io/romeogdetlevjr/malcolm/postgresql main xxxxxxxxxxxx 18 minutes ago 303MB
-ghcr.io/idaholab/malcolm/postgresql 24.08.0 xxxxxxxxxxxx 18 minutes ago 303MB
-ghcr.io/idaholab/malcolm/arkime 24.08.0 xxxxxxxxxxxx 18 minutes ago 802MB
+ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 18 minutes ago 303MB
+ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 18 minutes ago 802MB
ghcr.io/romeogdetlevjr/malcolm/arkime main xxxxxxxxxxxx 18 minutes ago 802MB
-ghcr.io/idaholab/malcolm/opensearch 24.08.0 xxxxxxxxxxxx 18 minutes ago 1.42GB
+ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 18 minutes ago 1.42GB
ghcr.io/romeogdetlevjr/malcolm/opensearch main xxxxxxxxxxxx 18 minutes ago 1.42GB
-ghcr.io/idaholab/malcolm/pcap-monitor 24.08.0 xxxxxxxxxxxx 18 minutes ago 176MB
+ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 18 minutes ago 176MB
ghcr.io/romeogdetlevjr/malcolm/pcap-monitor main xxxxxxxxxxxx 18 minutes ago 176MB
-ghcr.io/idaholab/malcolm/dashboards-helper 24.08.0 xxxxxxxxxxxx 18 minutes ago 233MB
+ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 18 minutes ago 233MB
ghcr.io/romeogdetlevjr/malcolm/dashboards-helpermain xxxxxxxxxxxx 18 minutes ago 233MB
-ghcr.io/idaholab/malcolm/freq 24.08.0 xxxxxxxxxxxx 18 minutes ago 153MB
+ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 18 minutes ago 153MB
ghcr.io/romeogdetlevjr/malcolm/freq main xxxxxxxxxxxx 18 minutes ago 153MB
-ghcr.io/idaholab/malcolm/api 24.08.0 xxxxxxxxxxxx 18 minutes ago 169MB
+ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 18 minutes ago 169MB
ghcr.io/romeogdetlevjr/malcolm/api main xxxxxxxxxxxx 18 minutes ago 169MB
```
diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md
index 2c8ff86ec..3237717be 100644
--- a/docs/contributing-guide.md
+++ b/docs/contributing-guide.md
@@ -6,9 +6,9 @@ It is recommended before reviewing this guide to read the documentation on [cust
* [Local modifications](contributing-local-modifications.md#LocalMods)
- + [Docker bind mounts](contributing-local-modifications.md#Bind)
- + [Building Malcolm's Docker images](contributing-local-modifications.md#ContribBuild)
-* [Adding a new service (Docker image)](contributing-new-image.md#NewImage)
+ + [Volume bind mounts](contributing-local-modifications.md#Bind)
+ + [Building Malcolm's images](contributing-local-modifications.md#ContribBuild)
+* [Adding a new service (image)](contributing-new-image.md#NewImage)
+ [Networking and firewall](contributing-new-image.md#NewImageFirewall)
* [Adding new log fields](contributing-new-log-fields.md#NewFields)
- [Zeek](contributing-zeek.md#Zeek)
diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md
index 2cd99546a..8dd152e77 100644
--- a/docs/contributing-local-modifications.md
+++ b/docs/contributing-local-modifications.md
@@ -2,9 +2,9 @@
There are several ways to customize Malcolm's runtime behavior via local changes to configuration files. Many commonly-tweaked settings are discussed in the project [README](README.md) (see [Environment Variable Files](malcolm-config.md#MalcolmConfigEnvVars) and [Customizing event severity scoring](severity.md#SeverityConfig) for some examples).
-## Docker bind mounts
+## Volume bind mounts
-Some configuration changes can be put in place by modifying local copies of configuration files and then using a [Docker bind mount](https://docs.docker.com/storage/bind-mounts/) to overlay the modified file onto the running Malcolm container. This is already done for many files and directories used to persist Malcolm configuration and data. For example, the default list of bind mounted files and directories for each Malcolm service is as follows:
+Some configuration changes can be put in place by modifying local copies of configuration files and then using a [bind mount](https://docs.docker.com/storage/bind-mounts/) to overlay the modified file onto the running Malcolm container. This is already done for many files and directories used to persist Malcolm configuration and data. For example, the default list of bind mounted files and directories for each Malcolm service is as follows:
`$ yq eval '.services = (.services | with_entries(.value = {"volumes": .value.volumes}))' docker-compose.yml`
```yaml
@@ -179,6 +179,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -204,6 +210,12 @@ services:
source: ./.opensearch.primary.curlrc
target: /var/local/curlrc/.opensearch.primary.curlrc
read_only: true
+ - type: bind
+ bind:
+ create_host_path: false
+ source: ./arkime/lua
+ target: /opt/arkime/lua
+ read_only: true
- type: bind
bind:
create_host_path: false
@@ -560,12 +572,12 @@ So, for example, if a user wanted to make a change to the `nginx-proxy` containe
The change would take effect after stopping and starting Malcolm.
-See the documentation on [Docker bind mount](https://docs.docker.com/storage/bind-mounts/) for more information on this technique.
+See the documentation on [bind mounts](https://docs.docker.com/storage/bind-mounts/) for more information on this technique.
-## Building Malcolm's Docker images
+## Building Malcolm's images
Another method for modifying local copies of Malcolm's services' containers is to [build custom](development.md#Build) containers with the modifications baked-in.
-For example, imagine a user wanted to create a Malcolm container that includes a new dashboard for OpenSearch Dashboards and a new enrichment filter `.conf` file for Logstash. After placing these files under `./dashboards/dashboards` and `./logstash/pipelines/enrichment`, respectively, in the Malcolm working copy, run `./build.sh dashboards-helper logstash` to build just those containers. After the build completes, run `docker images` to see the fresh images for `ghcr.io/idaholab/malcolm/dashboards-helper` and `ghcr.io/idaholab/malcolm/logstash-oss`. Users may need to review the contents of the [Dockerfiles]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles) to determine the correct service and filesystem location within that service's Docker image depending on the nature of the task.
+For example, imagine a user wanted to create a Malcolm container that includes a new dashboard for OpenSearch Dashboards and a new enrichment filter `.conf` file for Logstash. After placing these files under `./dashboards/dashboards` and `./logstash/pipelines/enrichment`, respectively, in the Malcolm working copy, run `./build.sh dashboards-helper logstash` to build just those containers. After the build completes, run `docker images` to see the fresh images for `ghcr.io/idaholab/malcolm/dashboards-helper` and `ghcr.io/idaholab/malcolm/logstash-oss`. Users may need to review the contents of the [Dockerfiles]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles) to determine the correct service and filesystem location within that service's image depending on the nature of the task.
-Alternately, forks of Malcolm on GitHub contain [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) that contain instructions for GitHub to build the docker images and [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolm/image:branch` (e.g., if the GitHub user `romeogdetlevjr` has forked Malcolm, the `arkime` container built for the `main` branch would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run a local instance of Malcolm using these images instead of the official ones, users would need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images.
\ No newline at end of file
+Alternately, forks of Malcolm on GitHub contain [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) that contain instructions for GitHub to build the images and [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolm/image:branch` (e.g., if the GitHub user `romeogdetlevjr` has forked Malcolm, the `arkime` container built for the `main` branch would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run a local instance of Malcolm using these images instead of the official ones, users would need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images.
\ No newline at end of file
diff --git a/docs/contributing-logstash.md b/docs/contributing-logstash.md
index 29650720a..2cfcb085d 100644
--- a/docs/contributing-logstash.md
+++ b/docs/contributing-logstash.md
@@ -50,4 +50,4 @@ Malcolm's Logstash instance will do a lot of enrichments automatically: see the
## Logstash plugins
-The [logstash.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/logstash.Dockerfile) installs the Logstash plugins used by Malcolm (search for `logstash-plugin install` in that file). Additional Logstash plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `logstash` Docker image.
\ No newline at end of file
+The [logstash.Dockerfile]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/Dockerfiles/logstash.Dockerfile) installs the Logstash plugins used by Malcolm (search for `logstash-plugin install` in that file). Additional Logstash plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `logstash` image.
\ No newline at end of file
diff --git a/docs/contributing-new-image.md b/docs/contributing-new-image.md
index 3dac78092..1427703be 100644
--- a/docs/contributing-new-image.md
+++ b/docs/contributing-new-image.md
@@ -1,4 +1,4 @@
-# Adding a new service (Docker image)
+# Adding a new service (image)
A new service can be added to Malcolm by following the following steps:
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index 21343e93d..c0feeab77 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
# PCAP processors
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.08.0 release]({{ site.github.repository_url }}/releases/tag/v24.08.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.10.0 release]({{ site.github.repository_url }}/releases/tag/v24.10.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
* Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
@@ -9,4 +9,4 @@ When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.
While that might be a bit of hand-waving, these general steps take care of the PCAP processing piece: users shouldn't have to really edit any *existing* code to add a new PCAP processor, only create a *new* container to subscribe to ZeroMQ topic and handle the PCAPs it receives.
-The `PCAP_PIPELINE_VERBOSITY` [environment variables](malcolm-config.md#MalcolmConfigEnvVars) in `./config/upload-common.env` can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the Docker containers involved in the PCAP processing pipeline.
\ No newline at end of file
+The `PCAP_PIPELINE_VERBOSITY` [environment variables](malcolm-config.md#MalcolmConfigEnvVars) in `./config/upload-common.env` can be set to `-v`, `-vv`, etc., to increase the verbosity of debug logging from the output of the containers involved in the PCAP processing pipeline.
\ No newline at end of file
diff --git a/docs/contributing-zeek.md b/docs/contributing-zeek.md
index b154cda89..c8d8ee72c 100644
--- a/docs/contributing-zeek.md
+++ b/docs/contributing-zeek.md
@@ -4,11 +4,11 @@
Some Zeek behavior can be tweaked through the use of [environment variables](malcolm-config.md#MalcolmConfigEnvVars) in the `.env` files beginning with `zeek…`.
-Other changes to Zeek's behavior could be made by modifying [local.zeek]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) and either using a [bind mount](contributing-local-modifications.md#Bind) or [rebuilding](development.md#Build) the `zeek` Docker image with the modification. See the [Zeek documentation](https://docs.zeek.org/en/master/quickstart.html#local-site-customization) for more information on customizing a Zeek instance. Note that changing Zeek's behavior could result in changes to the format of the logs Zeek generates, which could break Malcolm's parsing of those logs, so exercise caution.
+Other changes to Zeek's behavior could be made by modifying [local.zeek]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) and either using a [bind mount](contributing-local-modifications.md#Bind) or [rebuilding](development.md#Build) the `zeek` image with the modification. See the [Zeek documentation](https://docs.zeek.org/en/master/quickstart.html#local-site-customization) for more information on customizing a Zeek instance. Note that changing Zeek's behavior could result in changes to the format of the logs Zeek generates, which could break Malcolm's parsing of those logs, so exercise caution.
## Adding a new Zeek package
-The easiest way to add a new Zeek package to Malcolm is to add the git URL of that package to the `ZKG_GITHUB_URLS` array in [zeek_install_plugins.sh]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_install_plugins.sh) script and then [rebuilding](development.md#Build) the `zeek` Docker image. This will cause the package to be installed (via the [`zkg`](https://docs.zeek.org/projects/package-manager/en/stable/zkg.html) command-line tool). See [Parsing new Zeek logs](contributing-logstash.md#LogstashZeek) on how to process any new `.log` files if the package generates them.
+The easiest way to add a new Zeek package to Malcolm is to add the git URL of that package to the `ZKG_GITHUB_URLS` array in [zeek_install_plugins.sh]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_install_plugins.sh) script and then [rebuilding](development.md#Build) the `zeek` image. This will cause the package to be installed (via the [`zkg`](https://docs.zeek.org/projects/package-manager/en/stable/zkg.html) command-line tool). See [Parsing new Zeek logs](contributing-logstash.md#LogstashZeek) on how to process any new `.log` files if the package generates them.
## Zeek Intelligence Framework
diff --git a/docs/custom-rules.md b/docs/custom-rules.md
index 59ce9b7f0..82eae2f8e 100644
--- a/docs/custom-rules.md
+++ b/docs/custom-rules.md
@@ -1,5 +1,6 @@
# Custom Rules, Scripts and Plugins
+* [Arkime](#Arkime)
* [Suricata](#Suricata)
* [Zeek](#Zeek)
* [YARA](#YARA)
@@ -8,20 +9,62 @@
Much of Malcolm's behavior can be adjusted through [environment variable files](malcolm-config.md#MalcolmConfigEnvVars). However, some components allow further customization through the use of custom scripts, configuration files, and rules.
+## Arkime
+
+### Rules
+
+[Arkime rules](https://arkime.com/rulesformat) "allow you to specify actions to perform when criteria are met with certain fields or state."
+
+Arkime rules files (with the `*.yml` or `*.yaml` extension) may be placed in the `./arkime/rules/` subdirectory in the Malcolm installation directory. These new rules files can applied by restarting Malcolm, or this can be done manually without completely restarting Malcolm by running the following command from the Malcolm installation directory:
+
+```
+./scripts/restart -s arkime arkime-live
+```
+
+Malcolm comes with [a few Arkime rules]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/arkime/rules/) included by default. More sample Arkime rules can be found on the [Arkime web site](https://arkime.com/rules).
+
+On [Hedgehog Linux](hedgehog.md), the Arkime rules [directory]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/arkime/rules/) is `/opt/sensor/sensor_ctl/arkime/rules`. New rules can be applied by restarting capture processes:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 30 && /opt/sensor/sensor_ctl/supervisor.sh
+```
+
+### Lua Plugin
+
+Arkime's [Lua plugin](https://arkime.com/settings#lua) allows sessions to be modified via simple Lua scripts. See the [Arkime Lua plugin documentation](https://github.com/arkime/arkime/tree/main/capture/plugins/lua) for more information and [example scripts](https://github.com/arkime/arkime/tree/main/capture/plugins/lua/samples).
+
+Lua files for the Arkime Lua plugin (with the `*.lua` extension) may be placed in the `./arkime/lua/` subdirectory in the Malcolm installation directory. These new scripts can applied by restarting Malcolm, or this can be done manually without completely restarting Malcolm by running the following command from the Malcolm installation directory:
+
+```
+./scripts/restart -s arkime arkime-live
+```
+
+On [Hedgehog Linux](hedgehog.md), the Arkime Lua directory is `/opt/sensor/sensor_ctl/arkime/lua`. New scripts can be applied by restarting capture processes:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 30 && /opt/sensor/sensor_ctl/supervisor.sh
+```
+
## Suricata
### Rules
In addition to the [default Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and [Emerging Threads Open ruleset](https://rules.emergingthreats.net/open/), users may provide custom rules files for use by Suricata in Malcolm.
-Suricata rules files (with the `*.rules` extension) may be placed in the `./suricata/rules/` subdirectory in the Malcolm installation directory. These new rules files will be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) will be applied by either restarting Malcolm or when the [automatic rule update process](https://suricata-update.readthedocs.io/en/latest/) runs (if automatic rule updates are enabled). This can also be done manually without restarting Malcolm by running the following command from the Malcolm installation directory:
+Suricata rules files (with the `*.rules` extension) may be placed in the `./suricata/rules/` subdirectory in the Malcolm installation directory. These new rules files will be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) will be applied by either restarting Malcolm or when the [automatic rule update process](https://suricata-update.readthedocs.io/en/latest/) runs (if automatic rule updates are enabled). This can also be done manually without completely restarting Malcolm by running the following commands from the Malcolm installation directory:
```
-docker compose exec supervisorctl suricata-live restart live-suricata
+docker compose exec suricata-live supervisorctl restart live-suricata
```
If the `SURICATA_CUSTOM_RULES_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Suricata rulesets and use only the user-defined rules.
+On [Hedgehog Linux](hedgehog.md), the Suricata custom rules directory is `/opt/sensor/sensor_ctl/suricata/rules/`, and the `SURICATA_CUSTOM_RULES_ONLY` environment variable can be found in [`/opt/sensor/sensor_ctl/control_vars.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/control_vars.conf). New rules can be applied by restarting capture processes:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 30 && /opt/sensor/sensor_ctl/supervisor.sh
+```
+
### Configuration
Suricata uses the [YAML format for configuration](https://docs.suricata.io/en/latest/configuration/suricata-yaml.html), and the main `suricata.yaml` file is generated by Malcolm [dynamically at runtime]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py).
@@ -46,6 +89,12 @@ docker compose exec suricata-live /usr/local/bin/docker_entrypoint.sh true
docker compose exec suricata-live supervisorctl restart live-suricata
```
+On [Hedgehog Linux](hedgehog.md), the Suricata custom configuration directory is `/opt/sensor/sensor_ctl/suricata/include-configs/`. New configuration can be applied by restarting capture processes:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 30 && /opt/sensor/sensor_ctl/supervisor.sh
+```
+
## Zeek
Some aspects of Malcolm's instance of Zeek's [local site policy]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/zeek/config/local.zeek) can be adjusted via [environment variables](malcolm-config.md#MalcolmConfigEnvVars) found in [`zeek.env`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/zeek.env.example).
@@ -55,7 +104,13 @@ For more control of Zeek's behavior, Malcolm's users may place Zeek files in the
These new files should be picked up immediately for subsequent [PCAP upload](upload.md#Upload), and for [live analysis](live-analysis.md#LocalPCAP) they will take effect upon restarting Malcolm, or without restarting Malcolm by running the following command from the Malcolm installation directory:
```
-docker compose exec supervisorctl zeek-live restart live-zeek
+docker compose exec zeek-live supervisorctl restart live-zeek
+```
+
+On [Hedgehog Linux](hedgehog.md), the Zeek custom scripts directory is `/opt/sensor/sensor_ctl/zeek/custom/`. New configuration can be applied by restarting capture processes:
+
+```
+/opt/sensor/sensor_ctl/shutdown && sleep 30 && /opt/sensor/sensor_ctl/supervisor.sh
```
## YARA
@@ -74,6 +129,12 @@ docker compose exec file-monitor supervisorctl restart yara
If the `EXTRACTED_FILE_YARA_CUSTOM_ONLY` [environment variable](malcolm-config.md#MalcolmConfigEnvVars) is set to `true`, Malcolm will bypass the default Yara rulesets ([Neo23x0/signature-base](https://github.com/Neo23x0/signature-base), [reversinglabs/reversinglabs-yara-rules](https://github.com/reversinglabs/reversinglabs-yara-rules), and [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules)) and use only user-defined rules in `./yara/rules`.
+On [Hedgehog Linux](hedgehog.md), the Yara custom rules directory is `/opt/yara-rules/`, and the `EXTRACTED_FILE_YARA_CUSTOM_ONLY` environment variable can be found in [`/opt/sensor/sensor_ctl/control_vars.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/control_vars.conf). New rules can be applied by restarting the Yara file scanning process:
+
+```
+/opt/sensor/sensor_ctl/restart zeek:yara
+```
+
## NetBox Plugins
NetBox's functionality can be extended with plugins that can provide "[new data models, integrations, and more](https://netboxlabs.com/netbox-plugins/)" (see also the [NetBox Wiki](https://github.com/netbox-community/netbox/wiki/Plugins)).
diff --git a/docs/development.md b/docs/development.md
index 8e3b6cdee..f5ec07289 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -10,7 +10,7 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{
* `arkime` - code and configuration for the `arkime` container that processes PCAP files using `capture`, which serves the Viewer application
* `config` - a directory containing the environment variable files that define Malcolm's configuration
* `dashboards` - code and configuration for the `dashboards` container for creating additional ad-hoc visualizations and dashboards beyond that which is provided by Arkime Viewer
-* `Dockerfiles` - a directory containing build instructions for Malcolm's docker images
+* `Dockerfiles` - a directory containing build instructions for Malcolm's images
* `docs` - a directory containing instructions and documentation
* `filebeat` - code and configuration for the `filebeat` container that ingests Zeek logs and forwards them to the `logstash` container
* `file-monitor` - code and configuration for the `file-monitor` container that can scan files extracted by Zeek
@@ -43,7 +43,7 @@ and the following files of special note:
## Building from source
-Building the Malcolm docker images from scratch requires Internet access to pull source files for its components. Once Internet access is available, execute the following command to build all the Docker images used by the Malcolm appliance:
+Building the Malcolm images from scratch requires Internet access to pull source files for its components. Once Internet access is available, execute the following command to build all the images used by the Malcolm appliance:
```
$ ./scripts/build.sh
@@ -66,18 +66,18 @@ Then, go take a walk or something since it will be a while. When you are done, y
* `ghcr.io/idaholab/malcolm/opensearch` (based on `opensearchproject/opensearch`)
* `ghcr.io/idaholab/malcolm/pcap-capture` (based on `debian:12-slim`)
* `ghcr.io/idaholab/malcolm/pcap-monitor` (based on `debian:12-slim`)
-* `ghcr.io/idaholab/malcolm/postgresql` (based on `postgres:14-alpine`)
+* `ghcr.io/idaholab/malcolm/postgresql` (based on `postgres:16-alpine`)
* `ghcr.io/idaholab/malcolm/redis` (based on `redis:7-alpine`)
* `ghcr.io/idaholab/malcolm/suricata` (based on `debian:12-slim`)
* `ghcr.io/idaholab/malcolm/zeek` (based on `debian:12-slim`)
-Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions for GitHub to build the docker images, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolm/image:branch` (e.g., if you have forked Malcolm with the GitHub user `romeogdetlevjr`, the `Arkime` container built for the `main` branch would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run your local instance of Malcolm using these images instead of the official ones, you will need to edit your `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images.
+Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions for GitHub to build the images, as well as [sensor](live-analysis.md#Hedgehog) and [Malcolm](malcolm-iso.md#ISO) installer ISOs. The resulting images are named according to the pattern `ghcr.io/owner/malcolm/image:branch` (e.g., if you have forked Malcolm with the GitHub user `romeogdetlevjr`, the `Arkime` container built for the `main` branch would be named `ghcr.io/romeogdetlevjr/malcolm/arkime:main`). To run your local instance of Malcolm using these images instead of the official ones, you will need to edit your `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script `./shared/bin/github_image_helper.sh` to pull and re-tag the images.
# Pre-Packaged installation files
## Creating pre-packaged installation files
-`scripts/malcolm_appliance_packager.sh` can be run to package up the configuration files (and, if necessary, the Docker images), which can be copied to a network share or USB drive for distribution to non-networked machines. For example:
+`scripts/malcolm_appliance_packager.sh` can be run to package up the configuration files (and, if necessary, the images), which can be copied to a network share or USB drive for distribution to non-networked machines. For example:
```
$ ./scripts/malcolm_appliance_packager.sh
@@ -103,10 +103,10 @@ Store username/password for email alert sender account? (y/N): n
Packaged Malcolm to "/home/user/tmp/malcolm_20190513_101117_f0d052c.tar.gz"
-Do you need to package docker images also [y/N]? y
+Do you need to package images also [y/N]? y
This might take a few minutes...
-Packaged Malcolm docker images to "/home/user/tmp/malcolm_20190513_101117_f0d052c_images.tar.xz"
+Packaged Malcolm images to "/home/user/tmp/malcolm_20190513_101117_f0d052c_images.tar.xz"
To install Malcolm:
@@ -142,7 +142,7 @@ If you have obtained pre-packaged installation files to install Malcolm on a non
* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.README.txt` - This readme file contains minimal setup instructions for extracting the contents of the other tarballs and running the Malcolm appliance.
* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` - This tarball contains the configuration files and directory configuration used by an instance of Malcolm. It can be extracted via `tar -xf malcolm_YYYYMMDD_HHNNSS_xxxxxxx.tar.gz` upon which a directory will be created (named similarly to the tarball) containing the directories and configuration files. Alternatively, `install.py` can accept this filename as an argument and handle its extraction and initial configuration for you.
-* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` - This tarball contains the Docker images used by Malcolm. It can be imported manually via `docker load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`
-* `install.py` - This install script can load the Docker images and extract Malcolm configuration files from the aforementioned tarballs and do some initial configuration for you.
+* `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` - This tarball contains the images used by Malcolm. It can be imported manually via `docker load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`
+* `install.py` - This install script can load the images and extract Malcolm configuration files from the aforementioned tarballs and do some initial configuration for you.
Run `install.py malcolm_XXXXXXXX_XXXXXX_XXXXXXX.tar.gz` and follow the prompts. If you do not already have Docker and Docker Compose installed, the `install.py` script will help you install them.
\ No newline at end of file
diff --git a/docs/download.md b/docs/download.md
index 91ab776ca..91f6165c1 100644
--- a/docs/download.md
+++ b/docs/download.md
@@ -1,19 +1,19 @@
# Downloading Malcolm
-* [Docker images](#DownloadDockerImages)
+* [Container images](#DownloadDockerImages)
* [Installer ISOs](#DownloadISOs)
- [Joining split ISOs](#JoinISOs)
- [Warning](#ISOsWarning)
-## Docker images
+## Container images
-Malcolm operates as a cluster of Docker containers, isolated sandboxes which each serve a dedicated function of the system. These Docker images can be pulled from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) by running `docker compose --profile malcolm pull` from within the Malcolm installation directory, or they can be built from source by following the instructions in the [Quick Start](quickstart.md#QuickStart) section of the documentation.
+Malcolm operates as a cluster of containers, isolated sandboxes which each serve a dedicated function of the system. These images can be pulled from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) by running `docker compose --profile malcolm pull` from within the Malcolm installation directory, or they can be built from source by following the instructions in the [Quick Start](quickstart.md#QuickStart) section of the documentation.
## Installer ISOs
* [Latest release]({{ site.github.repository_url }}/releases/latest)
-Malcolm's Docker-based deployment model makes Malcolm able to run on a variety of platforms. However, in some circumstances (for example, as a long-running appliance as part of a security operations center, or inside of a virtual machine) it may be desirable to install Malcolm as a dedicated standalone installation.
+Malcolm's container-based deployment model makes Malcolm able to run on a variety of platforms. However, in some circumstances (for example, as a long-running appliance as part of a security operations center, or inside of a virtual machine) it may be desirable to install Malcolm as a dedicated standalone installation.
Malcolm is also packaged into an [installer ISO](malcolm-iso.md#ISO) based on the current [stable release](https://wiki.debian.org/DebianStable) of [Debian](https://www.debian.org/). This [customized Debian installation](https://wiki.debian.org/DebianLive) is preconfigured with the bare minimum software needed to run Malcolm.
diff --git a/docs/hedgehog-config-zeek-intel.md b/docs/hedgehog-config-zeek-intel.md
index e91d24ddc..610b8940d 100644
--- a/docs/hedgehog-config-zeek-intel.md
+++ b/docs/hedgehog-config-zeek-intel.md
@@ -1,6 +1,6 @@
# Zeek Intelligence Framework
-Hedgehog Linux's management of intel files is identical to what is done by a Malcolm instance's Zeek docker containers. Please see [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) in the main Malcolm documentation for more information. For Hedgehog Linux, the only deviations from what is outlined in that document are that some of the file locations are different than they are on a Malcolm instance:
+Hedgehog Linux's management of intel files is identical to what is done by a Malcolm instance's Zeek containers. Please see [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) in the main Malcolm documentation for more information. For Hedgehog Linux, the only deviations from what is outlined in that document are that some of the file locations are different than they are on a Malcolm instance:
* the `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` environment variable can be found in `/opt/sensor/sensor_ctl/control_vars.conf`
* the `./zeek/intel` directory is `/opt/sensor/sensor_ctl/zeek/intel`
diff --git a/docs/hedgehog-custom-rules.md b/docs/hedgehog-custom-rules.md
new file mode 100644
index 000000000..1f41829d4
--- /dev/null
+++ b/docs/hedgehog-custom-rules.md
@@ -0,0 +1,3 @@
+# Custom Rules, Scripts and Plugins
+
+Using custom rules, scripts and plugins on Hedgehog Linux is nearly identical to what is done for Malcolm, the only deviations being the locations of the related directories and environment variables. Please see [Custom Rules, Scripts and Plugins](custom-rules.md#CustomRulesAndScripts) in the main Malcolm documentation for more information.
\ No newline at end of file
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index 6218210ec..7713cecb2 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -1,19 +1,21 @@
# Appendix A - Generating the ISO
-Official downloads of the Hedgehog Linux installer ISO are not provided: however, it can be built easily on an internet-connected Linux host with Vagrant:
+Official downloads of the Hedgehog Linux installer ISO [can be downloaded](download.md#DownloadISOs) from the GitHub releases page. It can also be built easily on an Internet-connected system with Vagrant:
* [Vagrant](https://www.vagrantup.com/)
- - [`vagrant-reload`](https://github.com/aidanns/vagrant-reload) plugin
- [`vagrant-sshfs`](https://github.com/dustymabe/vagrant-sshfs) plugin
- [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box
-The build should work with either the [VirtualBox](https://www.virtualbox.org/) provider or the [libvirt](https://libvirt.org/) provider:
+The build should work with a variety of [Vagrant providers](https://developer.hashicorp.com/vagrant/docs/providers):
-* [VirtualBox](https://www.virtualbox.org/) [provider](https://www.vagrantup.com/docs/providers/virtualbox)
- - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
+* [VMware](https://www.vmware.com/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/vmware)
+ - [`vagrant-vmware-desktop`](https://github.com/hashicorp/vagrant-vmware-desktop) plugin
* [libvirt](https://libvirt.org/)
- [`vagrant-libvirt`](https://github.com/vagrant-libvirt/vagrant-libvirt) provider plugin
- [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box to `libvirt` format
+* [VirtualBox](https://www.virtualbox.org/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/virtualbox)
+ - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
+
To perform a clean build the Hedgehog Linux installer ISO, navigate to your local [Malcolm]({{ site.github.repository_url }}/) working copy and run:
@@ -29,8 +31,8 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
```
…
-Finished, created "/sensor-build/hedgehog-24.08.0.iso"
+Finished, created "/sensor-build/hedgehog-24.10.0.iso"
…
```
-Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided which contain instructions for GitHub to build the docker images and Hedgehog and [Malcolm]({{ site.github.repository_url }}) installer ISOs, specifically [`hedgehog-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml) for the Hedgehog ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded.
\ No newline at end of file
+Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided which contain instructions for GitHub to build the images and Hedgehog and [Malcolm]({{ site.github.repository_url }}) installer ISOs, specifically [`hedgehog-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml) for the Hedgehog ISO. The resulting ISO file is wrapped in a image that provides an HTTP server from which the ISO may be downloaded. See [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) for more information.
\ No newline at end of file
diff --git a/docs/hedgehog-raspi-build.md b/docs/hedgehog-raspi-build.md
index 6d1f0cf8d..1a1267e9a 100644
--- a/docs/hedgehog-raspi-build.md
+++ b/docs/hedgehog-raspi-build.md
@@ -10,19 +10,21 @@ Hedgehog Linux can [also be built]({{ site.github.repository_url }}/tree/{{ site
## Building the Image
-Official downloads of the Hedgehog Linux Raspberry Pi image are not provided: however, it can be built easily on an internet-connected Linux host with Vagrant:
+Official downloads of the Hedgehog Linux Raspberry Pi image [can be downloaded](download.md#DownloadISOs) from the GitHub releases page. It can also be built easily on an Internet-connected system with Vagrant:
* [Vagrant](https://www.vagrantup.com/)
- [`vagrant-sshfs`](https://github.com/dustymabe/vagrant-sshfs) plugin
- [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box
-The build should work with either the [VirtualBox](https://www.virtualbox.org/) provider or the [libvirt](https://libvirt.org/) provider:
+The build should work with a variety of [Vagrant providers](https://developer.hashicorp.com/vagrant/docs/providers):
-* [VirtualBox](https://www.virtualbox.org/) [provider](https://www.vagrantup.com/docs/providers/virtualbox)
- - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
+* [VMware](https://www.vmware.com/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/vmware)
+ - [`vagrant-vmware-desktop`](https://github.com/hashicorp/vagrant-vmware-desktop) plugin
* [libvirt](https://libvirt.org/)
- [`vagrant-libvirt`](https://github.com/vagrant-libvirt/vagrant-libvirt) provider plugin
- [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box to `libvirt` format
+* [VirtualBox](https://www.virtualbox.org/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/virtualbox)
+ - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
To perform a clean build the Hedgehog Linux Raspberry Pi image, navigate to your local [Malcolm]({{ site.github.repository_url }}/) working copy and run:
diff --git a/docs/hedgehog.md b/docs/hedgehog.md
index b9fa84ea3..358a4ec15 100644
--- a/docs/hedgehog.md
+++ b/docs/hedgehog.md
@@ -11,8 +11,6 @@ Hedgehog Linux is a Debian-based operating system built to
* detect file transfers in network traffic and extract and scan those files for threats
* generate and forward Zeek logs, Arkime sessions, and other information to [Malcolm]({{ site.github.repository_url }})
-![hedgehog-iso-build-docker-wrap-push-ghcr]({{ site.github.repository_url }}/workflows/hedgehog-iso-build-docker-wrap-push-ghcr/badge.svg)
-
* [Sensor installation](hedgehog-installation.md#HedgehogInstallation)
- [Image boot options](hedgehog-installation.md#HedgehogBootOptions)
@@ -34,6 +32,7 @@ Hedgehog Linux is a Debian-based operating system built to
- [Autostart services](malcolm-hedgehog-e2e-iso-install.md#HedgehogConfigAutostart)
- [Managing disk usage](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage)
- [Zeek Intelligence Framework](hedgehog-config-zeek-intel.md#HedgehogZeekIntel)
+ - [Custom Rules, Scripts and Plugins](hedgehog-custom-rules.md#CustomRulesAndScripts)
- [Tuning](live-analysis.md#LiveAnalysisTuning)
+ [Zeek](live-analysis.md#LiveAnalysisTuningZeek)
+ [Arkime](live-analysis.md#LiveAnalysisTuningArkime)
diff --git a/docs/host-config-linux.md b/docs/host-config-linux.md
index 57350c335..b45e2c162 100644
--- a/docs/host-config-linux.md
+++ b/docs/host-config-linux.md
@@ -1,6 +1,8 @@
# Linux host system configuration
-## Installing Docker
+## Docker
+
+### Installing Docker
Docker installation instructions vary slightly by distribution. Please follow the links below to docker.com to find the instructions specific to your distribution:
@@ -21,7 +23,7 @@ Docker starts automatically on DEB-based distributions. On RPM-based distributio
You can test Docker by running `docker info`, or (assuming you have internet access), `docker run --rm hello-world`.
-## Installing docker compose
+### Installing docker compose
Please follow [this link](https://docs.docker.com/compose/install/) on docker.com for instructions on installing the Docker Compose plugin.
@@ -56,6 +58,13 @@ vm.dirty_background_ratio=40
vm.dirty_ratio=80
```
+* In addition, the [some suggest](https://www.elastic.co/guide/en/elasticsearch/reference/current/system-config-tcpretries.html) lowering the TCP retransmission timeout to `5`. However, if your host communicates with other systems over a low-quality network, this low of a setting may be detrimental to those communications. To set this value, add the following to `/etc/sysctl.conf`:
+
+```
+# maximum number of TCP retransmissions
+net.ipv4.tcp_retries2=5
+```
+
* Depending on your distribution, create **either** the file `/etc/security/limits.d/limits.conf` containing:
```
@@ -84,8 +93,14 @@ DefaultLimitMEMLOCK=infinity
blockdev --setra 512 /dev/sda
```
-* Change the I/O scheduler to `deadline` or `noop`. Again, this can be done in a variety of ways. The simplest is to add `elevator=deadline` to the arguments in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, then running `sudo update-grub2`
+* Change the I/O scheduler to `deadline` or `noop`. Again, this can be done in a variety of ways. The simplest is to add `elevator=deadline` to the arguments in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, then running `sudo update-grub`.
+
+* Enable cgroup accounting for memory and swap space. This can be done by adding `cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem` to the arguments in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, then running `sudo update-grub`.
* If you are planning on using very large data sets, consider formatting the drive containing the `opensearch` volume as XFS.
-After making allthese changes, do a reboot for good measure!
\ No newline at end of file
+After making allthese changes, do a reboot for good measure!
+
+## Podman
+
+See [Docker vs. Podman](quickstart.md#DockerVPodman).
\ No newline at end of file
diff --git a/docs/host-config-macos.md b/docs/host-config-macos.md
index d2df3cf6e..db05d1089 100644
--- a/docs/host-config-macos.md
+++ b/docs/host-config-macos.md
@@ -53,4 +53,8 @@ Some changes should be made for performance ([this link](http://markshust.com/20
* **Volume mount performance** - Users can speed up performance of volume mounts by removing unused paths from **Docker** → **Preferences** → **File Sharing**. For example, if volumes are mounted under the home directory only, users could share /Users but remove other paths.
-After making these changes, right-click on the Docker 🐋 icon in the system tray and select **Restart**.
\ No newline at end of file
+After making these changes, right-click on the Docker 🐋 icon in the system tray and select **Restart**.
+
+## Podman
+
+See [Docker vs. Podman](quickstart.md#DockerVPodman).
\ No newline at end of file
diff --git a/docs/host-config-windows.md b/docs/host-config-windows.md
index b7bfc7213..b2132df20 100644
--- a/docs/host-config-windows.md
+++ b/docs/host-config-windows.md
@@ -17,3 +17,7 @@ Installing and configuring Docker to run under the Windows Subsystem for Linux (
1. Continue with the Malcolm installation and configuration as described in the [**Quick start**](quickstart.md#QuickStart) documentation or illustrated with the **[Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample)**.
Once the configuration is complete, Malcolm will be started and stopped from within your WSL distribution's terminal environment as described in [**Running Malcolm**](running.md).
+
+## Podman
+
+See [Docker vs. Podman](quickstart.md#DockerVPodman).
\ No newline at end of file
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
index beeeccc66..8bb51770b 100644
--- a/docs/kubernetes.md
+++ b/docs/kubernetes.md
@@ -272,28 +272,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m |
agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 |
Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:24.08.0 |
-file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:24.08.0 |
-zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:24.08.0 |
-dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:24.08.0 |
-upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:24.08.0 |
-filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:24.08.0 |
-zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:24.08.0 |
-logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:24.08.0 |
-netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:24.08.0 |
-suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:24.08.0 |
-dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:24.08.0 |
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:24.08.0 |
-suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:24.08.0 |
-freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:24.08.0 |
-arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:24.08.0 |
-pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:24.08.0 |
-pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:24.08.0 |
-netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:24.08.0 |
-htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:24.08.0 |
-netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:24.08.0 |
-nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:24.08.0 |
-opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:24.08.0 |
+api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:24.10.0 |
+file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.0 |
+zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:24.10.0 |
+dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:24.10.0 |
+upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:24.10.0 |
+filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:24.10.0 |
+zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:24.10.0 |
+logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:24.10.0 |
+netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:24.10.0 |
+suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:24.10.0 |
+dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:24.10.0 |
+netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:24.10.0 |
+suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:24.10.0 |
+freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:24.10.0 |
+arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:24.10.0 |
+pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.0 |
+pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:24.10.0 |
+netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:24.10.0 |
+htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:24.10.0 |
+netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:24.10.0 |
+nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:24.10.0 |
+opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:24.10.0 |
```
The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes.
@@ -554,28 +554,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m |
agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 |
Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image |
-netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:24.08.0 |
-netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:24.08.0 |
-dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:24.08.0 |
-freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:24.08.0 |
-pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:24.08.0 |
-nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:24.08.0 |
-htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:24.08.0 |
-opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:24.08.0 |
-zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:24.08.0 |
-dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:24.08.0 |
-arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:24.08.0 |
-api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:24.08.0 |
-netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:24.08.0 |
-pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:24.08.0 |
-suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:24.08.0 |
-suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:24.08.0 |
-netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:24.08.0 |
-zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:24.08.0 |
-filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:24.08.0 |
-file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:24.08.0 |
-upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:24.08.0 |
-logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:24.08.0 |
+netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:24.10.0 |
+netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:24.10.0 |
+dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:24.10.0 |
+freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:24.10.0 |
+pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:24.10.0 |
+nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:24.10.0 |
+htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:24.10.0 |
+opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:24.10.0 |
+zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:24.10.0 |
+dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:24.10.0 |
+arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:24.10.0 |
+api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:24.10.0 |
+netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:24.10.0 |
+pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:24.10.0 |
+suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:24.10.0 |
+suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:24.10.0 |
+netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:24.10.0 |
+zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:24.10.0 |
+filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:24.10.0 |
+file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:24.10.0 |
+upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:24.10.0 |
+logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:24.10.0 |
```
View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`):
diff --git a/docs/live-analysis.md b/docs/live-analysis.md
index 7f57727b3..0d509778f 100644
--- a/docs/live-analysis.md
+++ b/docs/live-analysis.md
@@ -106,7 +106,7 @@ Malcolm's default values for Arkime's live traffic capture are mostly already co
For Hedgehog Linux, those values are found in [`/opt/sensor/sensor_ctl/control_vars.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/control_vars.conf), from which they are read and are used to generate [`config.ini`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/arkime/config.ini) by the [`arkime_config_populate.sh` script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh) prior to starting `capture`.
-When Malcolm is capturing traffic on it's own local network interfaces, the issue becomes a bit more complicated: as [described above](#LocalPCAP) in the section that references the `pcap-capture` capture, most Docker-based Malcolm deployments don't actually use Arkime's `capture` to generate Arkime sessions. Instead, intermediate PCAP files are generated by `netsniff-ng` or `tcpdump` are periodically rolled over for "offline" processing by Arkime `capture`. This being the case, most of the settings dealing with traffic capture don't apply, since (from it's point of view) `capture` isn't running against "live" traffic. The only exception to this behavior is when running the ["Hedgehog" run profile](#Profiles), when using [a remote OpenSearch or Elasticsearch instance](opensearch-instances.md#OpenSearchInstance), or in a [Kubernetes-based deployment](kubernetes.md#Kubernetes), in which cases users may choose to have Arkime's `capture` tool monitor live traffic on the network interface without using the intermediate PCAP file so that the `arkime-live` container will use [its environment variables]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/arkime-live.env.example) in its [entrypoint]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/interface/sensor_ctl/supervisor.init/arkime/scripts/docker_entrypoint.sh) to populate [`config.ini`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/arkime/etc/config.ini).
+When Malcolm is capturing traffic on it's own local network interfaces, the issue becomes a bit more complicated: as [described above](#LocalPCAP) in the section that references the `pcap-capture` capture, most container-based Malcolm deployments don't actually use Arkime's `capture` to generate Arkime sessions. Instead, intermediate PCAP files are generated by `netsniff-ng` or `tcpdump` are periodically rolled over for "offline" processing by Arkime `capture`. This being the case, most of the settings dealing with traffic capture don't apply, since (from it's point of view) `capture` isn't running against "live" traffic. The only exception to this behavior is when running the ["Hedgehog" run profile](#Profiles), when using [a remote OpenSearch or Elasticsearch instance](opensearch-instances.md#OpenSearchInstance), or in a [Kubernetes-based deployment](kubernetes.md#Kubernetes), in which cases users may choose to have Arkime's `capture` tool monitor live traffic on the network interface without using the intermediate PCAP file so that the `arkime-live` container will use [its environment variables]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/config/arkime-live.env.example) in its [entrypoint]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/interface/sensor_ctl/supervisor.init/arkime/scripts/docker_entrypoint.sh) to populate [`config.ini`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/arkime/etc/config.ini).
The relevant environment variables related to tuning Arkime for live packet capture are:
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index 57a28f358..941a2880e 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -16,6 +16,7 @@ Although the configuration script automates many of the following configuration
- `ARKIME_SPI_DATA_MAX_INDICES` - the maximum number of indices for querying SPI data, or set to `-1` to disable any max. The [Arkime documentation](https://arkime.com/settings#spiDataMaxIndices) warns "OpenSearch/Elasticsearch MAY blow up if we ... search too many indices." (default `7`)
- `MANAGE_PCAP_FILES` and `ARKIME_FREESPACEG` - these variables deal with PCAP [deletion by Arkime](https://arkime.com/faq#pcap-deletion), see [**Managing disk usage**](#DiskUsage) below
- `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time.
+ - `MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL` - As an alternative to (or fallback for) `MAXMIND_GEOIP_DB_LICENSE_KEY`, a URL prefix may be specified in this variable (e.g., `https://example.org/foo/bar`) which will be used as a fallback. This URL should serve up `.tar.gz` files in the same format as those provided by the official source (see the example [here](contributing-github-runners.md#GitHubRunners)).
- The following variables configure [Arkime's use](index-management.md#ArkimeIndexPolicies) of OpenSearch [Index State Management (ISM)](https://opensearch.org/docs/latest/im-plugin/ism/index/) or Elasticsearch [Index Lifecycle Management (ILM)](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html):
+ `INDEX_MANAGEMENT_ENABLED` - if set to `true`, Malcolm's instance of Arkime will [use these features](https://arkime.com/faq#ilm) when indexing data
+ `INDEX_MANAGEMENT_OPTIMIZATION_PERIOD` - the period in hours or days that Arkime will keep records in the **hot** state (default `30d`)
@@ -73,11 +74,13 @@ Although the configuration script automates many of the following configuration
- The following variables control the OpenSearch indices to which network traffic metadata are written. Changing them from their defaults may cause logs from non-Arkime data sources (i.e., Zeek, Suricata) to not show up correctly in Arkime.
+ `MALCOLM_NETWORK_INDEX_PATTERN` - Index pattern for network traffic logs written via Logstash (default is `arkime_sessions3-*`)
+ `MALCOLM_NETWORK_INDEX_TIME_FIELD` - Default time field to use for network traffic logs in Logstash and Dashboards (default is `firstPacket`)
- + `MALCOLM_NETWORK_INDEX_SUFFIX` - Suffix used to create index to which network traffic logs are written (supports [Ruby `strftime`](https://docs.ruby-lang.org/en/3.2/strftime_formatting_rdoc.html) strings in `%{}`) (e.g., hourly: `%{%y%m%dh%H}`, twice daily: `%{%P%y%m%d}`, daily (default): `%{%y%m%d}`, weekly: `%{%yw%U}`, monthly: `%{%ym%m}`)
+ + `MALCOLM_NETWORK_INDEX_SUFFIX` - Suffix used to create index to which network traffic logs are written
+ * supports [Ruby `strftime`](https://docs.ruby-lang.org/en/3.2/strftime_formatting_rdoc.html) strings in `%{}`) (e.g., hourly: `%{%y%m%dh%H}`, twice daily: `%{%P%y%m%d}`, daily (default): `%{%y%m%d}`, weekly: `%{%yw%U}`, monthly: `%{%ym%m}`
+ * supports expanding dot-delimited field names in `{{ }}` (e.g., `{{event.provider}}%{%y%m%d}`)
- The following variables control the OpenSearch indices to which other logs ([third-party logs](third-party-logs.md#ThirdPartyLogs), resource utilization reports from network sensors, etc.) are written.
+ `MALCOLM_OTHER_INDEX_PATTERN` - Index pattern for other logs written via Logstash (default is `malcolm_beats_*`)
+ `MALCOLM_OTHER_INDEX_TIME_FIELD` - Default time field to use for other logs in Logstash and Dashboards (default is `@timestamp`)
- + `MALCOLM_OTHER_INDEX_SUFFIX` - Suffix used to create index to which other logs are written (supports [Ruby `strftime`](https://docs.ruby-lang.org/en/3.2/strftime_formatting_rdoc.html) strings in `%{}`) (default is `%{%y%m%d}`)
+ + `MALCOLM_OTHER_INDEX_SUFFIX` - Suffix used to create index to which other logs are written (with the same rules as `MALCOLM_NETWORK_INDEX_SUFFIX` above) (default is `%{%y%m%d}`)
* **`pcap-capture.env`** - settings specific to capturing traffic for [live traffic analysis](live-analysis.md#LocalPCAP)
- `PCAP_ENABLE_NETSNIFF` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [netsniff-ng](http://netsniff-ng.org/)
- `PCAP_ENABLE_TCPDUMP` – if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [tcpdump](https://www.tcpdump.org/); there is no reason to enable *both* `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`
diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md
index 6942fa743..bb7463020 100644
--- a/docs/malcolm-hedgehog-e2e-iso-install.md
+++ b/docs/malcolm-hedgehog-e2e-iso-install.md
@@ -4,7 +4,7 @@ This document outlines how to install [Malcolm]({{ site.github.repository_url }}
The Malcolm and Hedgehog Linux installers as described in these instructions are intended to be used to **replace** the existing operating system (if any) of the respective systems onto which they are installed; and, as such, are designed to require as little user input as possible. For this reason, there are NO user prompts or confirmations about partitioning and reformatting hard disks for use by the operating system. The installer assumes that all non-removable storage media (eg., SSD, HDD, NVMe, etc.) are available for use and ⛔🆘😭💀 ***will partition and format them without warning*** 💀😭🆘⛔.
-In contrast to using the ISO installer, Malcolm can also be installed on any x86-64 (also known as x64, x86_64, AMD64, and Intel 64) or AArch64 (also known as ARM64) platform capable of running Docker. See the [installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample) for that method of installation and configuration, or [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows) and [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) for those platforms.
+In contrast to using the ISO installer, Malcolm can also be installed on any x86-64 (also known as x64, x86_64, AMD64, and Intel 64) or AArch64 (also known as ARM64) platform capable of running Docker or Podman. See the [installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample) for that method of installation and configuration, or [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows) and [macOS host system configuration](host-config-macos.md#HostSystemConfigMac) for those platforms.
### Table of Contents
@@ -141,13 +141,14 @@ The first time the Malcolm base operating system boots the **Malcolm Configurati
The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's questions proceed as follows. Users may not see every question listed in the bulleted list below as some questions depend on earlier responses. Usually the default selection is recommended unless otherwise indicated. The configuration values resulting from these questions (in **bold**) are stored in [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) in the `./config` directory.
-
+* **Select container runtime engine**
+ - When deployed locally (i.e., not via Kubernetes), Malcolm can run under [Docker](https://docs.docker.com/get-started/docker-overview/) or [Podman](https://podman.io/). However, for brevity's sake, the term "Docker" is used throughout this documentation. It should be noted that if rootless Podman is used, Malcolm itself cannot perform [traffic capture on local network interfaces](live-analysis.md#LocalPCAP), although it can accept network traffic metadata forwarded from a [a network sensor appliance](live-analysis.md#Hedgehog).
* **Malcolm processes will run as UID 1000 and GID 1000. Is this OK?**
- Docker runs all of its containers as the privileged `root` user by default. For better security, Malcolm immediately drops to non-privileged user accounts for executing internal processes wherever possible. The `PUID` (**p**rocess **u**ser **ID**) and `PGID` (**p**rocess **g**roup **ID**) environment variables allow Malcolm to map internal non-privileged user accounts to a corresponding [user account](https://en.wikipedia.org/wiki/User_identifier) on the host.
* **Run with Malcolm (all containers) or Hedgehog (capture only) profile?**
- Malcolm can be run in either of two [profiles](https://docs.docker.com/compose/profiles/): the "malcolm" profile runs all containers including those for log enrichment and indexing, while the "hedgehog" (named as a nod to [Hedgehog Linux](hedgehog.md), Malcolm's [dedicated network sensor OS](live-analysis.md#Hedgehog)) profile rules only the containers required for [live traffic analysis](live-analysis.md#LocalPCAP). When using the "hedgehog" profile, captured network artifacts must be forwarded to another Malcolm instance: its [OpenSearch instance](opensearch-instances.md#OpenSearchInstance) connection parameters (e.g., `https://192.168.122.5:9200`) and Logstash connection parameters (e.g., `192.168.122.5:5044`) must be specified later on in the configuration. See [idaholab/Malcolm#254](https://github.com/idaholab/Malcolm/issues/254) for the origin of this feature.
* **Should Malcolm use and maintain its own OpenSearch instance?**
- - Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a Docker container to index and search network traffic metadata. See [OpenSearch and Elasticsearch instances](opensearch-instances.md#OpenSearchInstance) for more information about using a remote OpenSearch or Elasticsearch cluster instead.
+ - Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a container to index and search network traffic metadata. See [OpenSearch and Elasticsearch instances](opensearch-instances.md#OpenSearchInstance) for more information about using a remote OpenSearch or Elasticsearch cluster instead.
* **Compress local OpenSearch index snapshots?**
- Choose whether OpenSearch [index snapshots](https://opensearch.org/docs/2.6/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-management/) should be compressed or not, should users opt to configure them later in [OpenSearch index management](index-management.md#IndexManagement).
* **Forward Logstash logs to a secondary remote document store?**
@@ -156,7 +157,7 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest
- Two of Malcolm's main components, OpenSearch and Logstash, require a substantial amount of memory. The configuration script will suggest defaults for these values based on the amount of physical memory the system has. The minimum recommended amount of system memory for Malcolm is 16 GB. Users should not use a value under 10 GB for OpenSearch and 2500 MB for Logstash.
* **Setting 3 workers for Logstash pipelines. Is this OK?**
- This setting is used to tune the performance and resource utilization of the the `logstash` container. The default is calculated based on the number of logical CPUs the system has. See [Tuning and Profiling Logstash Performance](https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html), [`logstash.yml`](https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) and [Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html).
-* **Restart Malcolm upon system or Docker daemon restart?**
+* **Restart Malcolm upon system or container daemon restart?**
- This question allows users to configure Docker's [restart policy](https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy) for Malcolm (i.e., the behavior used to restart Malcolm should the system be shut down or rebooted, or should one of Malcolm's components crash). Possible options are:
+ no - do not automatically restart the container
+ on-failure - restart the container if it exits due to an error, which manifests as a non-zero exit code
@@ -166,8 +167,8 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest
- Malcolm uses [TLS](authsetup.md#TLSCerts) encryption for its web browser-accessible user interfaces. Answering **Y** to this question is almost always preferred. The only situation where **N** would be appropriate would be when running Malcolm behind a third-party reverse proxy (e.g., [Traefik](https://doc.traefik.io/traefik/) or [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)) to handle the issuance of the certificates automatically and to broker the connections between clients and Malcolm. Reverse proxies such as these often implement the [ACME](https://datatracker.ietf.org/doc/html/rfc8555) protocol for domain name authentication and can be used to request certificates from certificate authorities such as [Let's Encrypt](https://letsencrypt.org/how-it-works/). In this configuration, the reverse proxy will be encrypting the connections instead of Malcolm. Users should ensure they understand these implications and ensure that external connections cannot reach ports over which Malcolm will be communicating without encryption, including verifying the local firewall configuration, when answering **N** to this question.
* **Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?**
- See the previous question. If Malcolm is configured behind a remote proxy, Malcolm can prompt users to *Configure labels for Traefik?* to allow it to identify itself to Traefik.
-* **Specify external Docker network name (or leave blank for default networking)**
- - This configures Malcolm to use [custom Docker networks](https://docs.docker.com/compose/networking/#specify-custom-networks). If unsure, leave this blank.
+* **Specify external container network name (or leave blank for default networking)**
+ - This configures Malcolm to use [custom container networks](https://docs.docker.com/compose/networking/#specify-custom-networks). If unsure, leave this blank.
* **Select authentication method**
- Choose **Basic** to use Malcolm's own built-in [local account management](authsetup.md#AuthBasicAccountManagement), **LDAP** to use [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP) or **None** to not require authentication (not recommended)
* **Select LDAP server compatibility type**
diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md
index e93d2a0eb..7406ac341 100644
--- a/docs/malcolm-iso.md
+++ b/docs/malcolm-iso.md
@@ -6,26 +6,27 @@
- [Setup](#ISOSetup)
- [Time synchronization](time-sync.md#ConfigTime)
-Malcolm's Docker-based deployment model allows Malcolm to run on a variety of platforms. However, in some circumstances (for example, as a long-running appliance as part of a security operations center, or inside a virtual machine) it may be desirable to install Malcolm as a dedicated standalone installation.
+Malcolm's container-based deployment model allows Malcolm to run on a variety of platforms. However, in some circumstances (for example, as a long-running appliance as part of a security operations center, or inside a virtual machine) it may be desirable to install Malcolm as a dedicated standalone installation.
Malcolm can be packaged into an installer ISO based on the current [stable release](https://wiki.debian.org/DebianStable) of [Debian](https://www.debian.org/). This [customized Debian installation](https://wiki.debian.org/DebianLive) is preconfigured with the bare minimum software needed to run Malcolm.
## Generating the ISO
-Official downloads of the Malcolm installer ISO are not provided: however, it can be built easily on an Internet-connected Linux host with Vagrant:
+Official downloads of the Malcolm installer ISO [can be downloaded](download.md#DownloadISOs) from the GitHub releases page. It can also be built easily on an Internet-connected system with Vagrant:
* [Vagrant](https://www.vagrantup.com/)
- - [`vagrant-reload`](https://github.com/aidanns/vagrant-reload) plugin
- [`vagrant-sshfs`](https://github.com/dustymabe/vagrant-sshfs) plugin
- [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box
-The build should work with either the [VirtualBox](https://www.virtualbox.org/) provider or the [libvirt](https://libvirt.org/) provider:
+The build should work with a variety of [Vagrant providers](https://developer.hashicorp.com/vagrant/docs/providers):
-* [VirtualBox](https://www.virtualbox.org/) [provider](https://www.vagrantup.com/docs/providers/virtualbox)
- - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
+* [VMware](https://www.vmware.com/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/vmware)
+ - [`vagrant-vmware-desktop`](https://github.com/hashicorp/vagrant-vmware-desktop) plugin
* [libvirt](https://libvirt.org/)
- [`vagrant-libvirt`](https://github.com/vagrant-libvirt/vagrant-libvirt) provider plugin
- [`vagrant-mutate`](https://github.com/sciurus/vagrant-mutate) plugin to convert [`bento/debian-12`](https://app.vagrantup.com/bento/boxes/debian-12) Vagrant box to `libvirt` format
+* [VirtualBox](https://www.virtualbox.org/) [provider](https://developer.hashicorp.com/vagrant/docs/providers/virtualbox)
+ - [`vagrant-vbguest`](https://github.com/dotless-de/vagrant-vbguest) plugin
To perform a clean build of the Malcolm installer ISO, navigate to the local Malcolm working copy and run:
@@ -41,20 +42,20 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui
```
…
-Finished, created "/malcolm-build/malcolm-iso/malcolm-24.08.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-24.10.0.iso"
…
```
-By default, Malcolm's Docker images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker compose --profile malcolm pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this:
+By default, Malcolm's images are not packaged with the installer ISO. Malcolm assumes instead that users will pull the [latest images](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) with a `docker compose --profile malcolm pull` command as described in the [Quick start](quickstart.md#QuickStart) section. To build an ISO with the latest Malcolm images included, follow the directions to create [pre-packaged installation files](development.md#Packager), which include a tarball with a name such as `malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz`. Then, pass that images tarball to the ISO build script with a `-d`, like this:
```
$ ./malcolm-iso/build_via_vagrant.sh -f -d malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz
…
```
-A system installed from the resulting ISO will load the Malcolm Docker images upon first boot. This method is desirable when the ISO is to be installed in an "air gapped" environment or for distribution to non-networked machines.
+A system installed from the resulting ISO will load the Malcolm images upon first boot. This method is desirable when the ISO is to be installed in an "air gapped" environment or for distribution to non-networked machines.
-Alternately, if users have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions for GitHub to build the docker images and [sensor](live-analysis.md#Hedgehog) and [Malcolm](#ISO) installer ISOs - specifically [`malcolm-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) for the Malcolm ISO. Users must run the workflows to build and push the fork's Malcolm docker images before building the ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded.
+Alternately, if users have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided that contain instructions for GitHub to build the images and [sensor](live-analysis.md#Hedgehog) and [Malcolm](#ISO) installer ISOs - specifically [`malcolm-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) for the Malcolm ISO. Users must run the workflows to build and push the fork's Malcolm images before building the ISO. The resulting ISO file is wrapped in a image that provides an HTTP server from which the ISO may be downloaded. See [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) for more information.
## Installation
@@ -82,7 +83,7 @@ Following these prompts, the installer will reboot and the Malcolm base operatin
## Setup
-When the system boots for the first time, the Malcolm Docker images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup.
+When the system boots for the first time, the Malcolm images will load if the installer was built with pre-packaged installation files as described above. Wait for this operation to continue (the progress dialog will disappear when they have finished loading) before continuing the setup.
Open a terminal (click the red terminal 🗔 icon next to the Debian swirl logo 🍥 menu button in the menu bar). At this point, setup is similar to the steps described in the [Quick start](quickstart.md#QuickStart) section. Navigate to the Malcolm directory (`cd ~/Malcolm`) and run [`auth_setup`](authsetup.md#AuthSetup) to configure authentication. If the ISO does not include pre-packaged Malcolm images, or to retrieve the latest updates, run `docker compose --profile malcolm pull`. Finalize the configuration by running `scripts/configure` and follow the prompts as illustrated in the [installation example](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig).
diff --git a/docs/malcolm-upgrade.md b/docs/malcolm-upgrade.md
index aa79503c5..695253aa8 100644
--- a/docs/malcolm-upgrade.md
+++ b/docs/malcolm-upgrade.md
@@ -19,7 +19,7 @@ Here are the basic steps to perform an upgrade if Malcolm was checked with a `gi
1. save a backup of the [environment variable files](malcolm-config.md#MalcolmConfigEnvVars) in the Malcolm `./config/` directory
1. pull changes from GitHub repository
* `git pull --rebase`
-1. pull new Docker images (this will take a while)
+1. pull new images (this will take a while)
* `docker compose --profile malcolm pull`
1. apply saved configuration change stashed earlier
* `git stash pop`
@@ -59,8 +59,8 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r
../config/"$FILE.example" "$FILE"; \
done | bat --color=always
```
-1. pull the new docker images (this will take a while)
- * `docker compose --profile malcolm pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm docker images is available
+1. pull the new images (this will take a while)
+ * `docker compose --profile malcolm pull` to pull them from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm) or `docker compose load -i malcolm_YYYYMMDD_HHNNSS_xxxxxxx_images.tar.xz` if an offline tarball of the Malcolm images is available
1. start Malcolm
* `./scripts/start`
1. users may be prompted to [configure authentication](authsetup.md#AuthSetup) if there are new authentication-related files that need to be generated
@@ -72,7 +72,7 @@ If Malcolm was installed from [pre-packaged installation files]({{ site.github.r
Technically minded users may wish to follow the debug output provided by `./scripts/start` (use `./scripts/logs` to re-open the log stream after it's been closed), although there is a lot there and it may be hard to distinguish whether or not something is okay.
-Running `docker compose ps -a` should provide a good indication that all Malcolm's Docker containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not.
+Running `docker compose ps -a` should provide a good indication that all Malcolm's containers started up and, in some cases, may be able to indicate if the containers are "healthy" or not.
After upgrading following one of the previous outlines, give Malcolm several minutes to get started. Once things are up and running, open one of Malcolm's [web interfaces](quickstart.md#UserInterfaceURLs) to verify that things are working.
diff --git a/docs/opensearch-instances.md b/docs/opensearch-instances.md
index ceb600d0a..ff8574193 100644
--- a/docs/opensearch-instances.md
+++ b/docs/opensearch-instances.md
@@ -3,7 +3,7 @@
* [OpenSearch and Elasticsearch instances](#OpenSearchInstance)
- [Authentication and authorization for remote data store clusters](#OpenSearchAuth)
-Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a Docker container to index and search network traffic metadata. OpenSearch can also run as a [cluster](https://opensearch.org/docs/latest/opensearch/cluster/) with instances distributed across multiple nodes with dedicated [roles](https://opensearch.org/docs/latest/opensearch/cluster/#nodes) such as cluster manager, data node, ingest node, etc.
+Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a container to index and search network traffic metadata. OpenSearch can also run as a [cluster](https://opensearch.org/docs/latest/opensearch/cluster/) with instances distributed across multiple nodes with dedicated [roles](https://opensearch.org/docs/latest/opensearch/cluster/#nodes) such as cluster manager, data node, ingest node, etc.
As the permutations of OpenSearch cluster configurations are numerous, it is beyond Malcolm's scope to set up multi-node clusters. However, Malcolm can be configured to use a remote OpenSearch cluster rather than its own internal instance.
@@ -74,7 +74,7 @@ You must run auth_setup after configure to store data store connection credentia
## Authentication and authorization for remote data store clusters
-In addition to setting the environment variables in [`opensearch.env`](malcolm-config.md#MalcolmConfigEnvVars) as described above, users must provide Malcolm with credentials for it to communicate with remote OpenSearch and Elasticsearch instances. These credentials are stored in the Malcolm installation directory as `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` for the primary and secondary data store connections, respectively, and are bind-mounted into the Docker containers that need to communicate with OpenSearch/Elasticsearch. These [cURL-formatted](https://everything.curl.dev/cmdline/configfile) config files can be generated for you by the [`auth_setup`](authsetup.md#AuthSetup) script as illustrated:
+In addition to setting the environment variables in [`opensearch.env`](malcolm-config.md#MalcolmConfigEnvVars) as described above, users must provide Malcolm with credentials for it to communicate with remote OpenSearch and Elasticsearch instances. These credentials are stored in the Malcolm installation directory as `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` for the primary and secondary data store connections, respectively, and are bind-mounted into the containers that need to communicate with OpenSearch/Elasticsearch. These [cURL-formatted](https://everything.curl.dev/cmdline/configfile) config files can be generated for you by the [`auth_setup`](authsetup.md#AuthSetup) script as illustrated:
```
$ ./scripts/auth_setup
diff --git a/docs/protocols.md b/docs/protocols.md
index e92d1088f..7e69f78f2 100644
--- a/docs/protocols.md
+++ b/docs/protocols.md
@@ -18,6 +18,7 @@ Malcolm uses [Zeek](https://docs.zeek.org/en/stable/script-reference/proto-analy
|GENISYS||[🔗](https://manualzz.com/doc/6363274/genisys-2000---ansaldo-sts---product-support#93)[🔗](https://gitlab.com/wireshark/wireshark/-/issues/3422)||[✓](https://github.com/cisagov/icsnpp-genisys)|
|GE SRTP|[🔗](https://en.wikipedia.org/wiki/Service_Request_Transport_Protocol)|[🔗](https://github.com/cisagov/icsnpp-ge-srtp/tree/develop/reference-docs)||[✓](https://github.com/cisagov/icsnpp-ge-srtp)|
|Google Quick UDP Internet Connections (gQUIC)|[🔗](https://en.wikipedia.org/wiki/QUIC#Google_QUIC_(gQUIC))|[🔗](https://www.chromium.org/quic)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/quic.c)|[✓](https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro)|
+|HART IP|[🔗](https://en.wikipedia.org/wiki/Highway_Addressable_Remote_Transducer_Protocol)|[🔗](https://wiki.wireshark.org/HART-IP)[🔗](https://www.fieldcommgroup.org/hart-specifications)[🔗](https://www.fieldcommgroup.org/technologies/HART-IP/explained)||[✓](https://github.com/cisagov/icsnpp-hart-ip)|
|Hypertext Transfer Protocol (HTTP)|[🔗](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol)|[🔗](https://tools.ietf.org/html/rfc7230)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/http.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info)|
|IPsec|[🔗](https://en.wikipedia.org/wiki/IPsec)|[🔗](https://zeek.org/2021/04/20/zeeks-ipsec-protocol-analyzer/)||[✓](https://github.com/corelight/zeek-spicy-ipsec)|
|Internet Relay Chat (IRC)|[🔗](https://en.wikipedia.org/wiki/Internet_Relay_Chat)|[🔗](https://tools.ietf.org/html/rfc1459)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/irc.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info)|
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 906272f21..33f0a1f46 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -16,17 +16,23 @@ The files required to build and run Malcolm are available on its [GitHub page]({
### Building Malcolm from scratch
-The `build.sh` script can build Malcolm's Docker images from scratch. See [Building from source](development.md#Build) for more information.
+The `build.sh` script can build Malcolm's images from scratch. See [Building from source](development.md#Build) for more information.
### Initial configuration
The scripts to control Malcolm require Python 3. The [`install.py`](malcolm-config.md#ConfigAndTuning) script requires the [dotenv](https://github.com/theskumar/python-dotenv), [requests](https://docs.python-requests.org/en/latest/) and [ruamel.yaml](https://yaml.readthedocs.io/en/latest/) modules for Python 3, and will make use of the [pythondialog](https://pythondialog.sourceforge.io/) module for user interaction (on Linux) if it is available.
-You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's Docker images. You should also ensure your system configuration and Malcolm settings are tuned by running `./scripts/install.py` and `./scripts/configure` (see [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)).
-
-### Pull Malcolm's Docker images
+You must run [`auth_setup`](authsetup.md#AuthSetup) prior to pulling Malcolm's images. You should also ensure your system configuration and Malcolm settings are tuned by running `./scripts/install.py` and `./scripts/configure` (see [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)).
-Malcolm's Docker images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker compose --profile malcolm pull` like this:
+Users may wish to read the documentation on platform-specific host configuration:
+
+* [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux)
+* [macOS host system configuration](host-config-macos.md#HostSystemConfigMac)
+* [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows)
+
+### Pull Malcolm's Container images
+
+Malcolm's images are periodically built and hosted on [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker compose --profile malcolm pull` like this:
```
$ docker compose --profile malcolm pull
Pulling api ... done
@@ -54,25 +60,25 @@ You can then observe the images have been retrieved by running `docker images`:
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-ghcr.io/idaholab/malcolm/api 24.08.0 xxxxxxxxxxxx 3 days ago 158MB
-ghcr.io/idaholab/malcolm/arkime 24.08.0 xxxxxxxxxxxx 3 days ago 816MB
-ghcr.io/idaholab/malcolm/dashboards 24.08.0 xxxxxxxxxxxx 3 days ago 1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper 24.08.0 xxxxxxxxxxxx 3 days ago 184MB
-ghcr.io/idaholab/malcolm/file-monitor 24.08.0 xxxxxxxxxxxx 3 days ago 588MB
-ghcr.io/idaholab/malcolm/file-upload 24.08.0 xxxxxxxxxxxx 3 days ago 259MB
-ghcr.io/idaholab/malcolm/filebeat-oss 24.08.0 xxxxxxxxxxxx 3 days ago 624MB
-ghcr.io/idaholab/malcolm/freq 24.08.0 xxxxxxxxxxxx 3 days ago 132MB
-ghcr.io/idaholab/malcolm/htadmin 24.08.0 xxxxxxxxxxxx 3 days ago 242MB
-ghcr.io/idaholab/malcolm/logstash-oss 24.08.0 xxxxxxxxxxxx 3 days ago 1.35GB
-ghcr.io/idaholab/malcolm/netbox 24.08.0 xxxxxxxxxxxx 3 days ago 1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy 24.08.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/opensearch 24.08.0 xxxxxxxxxxxx 3 days ago 1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture 24.08.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/pcap-monitor 24.08.0 xxxxxxxxxxxx 3 days ago 213MB
-ghcr.io/idaholab/malcolm/postgresql 24.08.0 xxxxxxxxxxxx 3 days ago 268MB
-ghcr.io/idaholab/malcolm/redis 24.08.0 xxxxxxxxxxxx 3 days ago 34.2MB
-ghcr.io/idaholab/malcolm/suricata 24.08.0 xxxxxxxxxxxx 3 days ago 278MB
-ghcr.io/idaholab/malcolm/zeek 24.08.0 xxxxxxxxxxxx 3 days ago 1GB
+ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 3 days ago 158MB
+ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 3 days ago 816MB
+ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 3 days ago 1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 3 days ago 184MB
+ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 588MB
+ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 3 days ago 259MB
+ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 3 days ago 624MB
+ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 3 days ago 132MB
+ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 3 days ago 242MB
+ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 3 days ago 1.35GB
+ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 3 days ago 1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 3 days ago 1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 213MB
+ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 3 days ago 268MB
+ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 3 days ago 34.2MB
+ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 3 days ago 278MB
+ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 3 days ago 1GB
```
### Import from pre-packaged tarballs
@@ -96,4 +102,12 @@ A few minutes after starting Malcolm (probably 5 or so for Logstash to be comple
* [NetBox](asset-interaction-analysis.md#AssetInteractionAnalysis): **https://localhost/netbox/**
* [Account Management](authsetup.md#AuthBasicAccountManagement): **https://localhost/auth/**
-![Malcolm Landing Page](./images/screenshots/malcolm_landing_page.png)
\ No newline at end of file
+![Malcolm Landing Page](./images/screenshots/malcolm_landing_page.png)
+
+## Docker vs. Podman
+
+Malcolm can run on [Podman](https://podman.io) as a rootless alternative to Docker. When [Running Malcolm](running.md#Running) with Podman, [`podman compose`](https://docs.podman.io/en/latest/markdown/podman-compose.1.html) is used as a wrapper around an external compose provider (such as [`docker-compose`](https://docs.docker.com/compose/) or [`podman-compose`](https://github.com/containers/podman-compose)), which in turn uses the Podman back end to run and orchestrate containers. The same Malcolm runtime scripts (e.g., `./scripts/start`, `./scripts/stop`, etc.) are used whether using Docker or Podman.
+
+As it is a somewhat more advanced procedure, installation and configuration of Podman is not covered in this documentation. Please see the Podman [documentation](https://podman.io/docs/installation).
+
+It should be noted that if rootless Podman is used, Malcolm itself cannot perform [traffic capture on local network interfaces](live-analysis.md#LocalPCAP), although it can accept network traffic metadata forwarded from a [a network sensor appliance](live-analysis.md#Hedgehog).
\ No newline at end of file
diff --git a/docs/running.md b/docs/running.md
index 832be809f..1b8789543 100644
--- a/docs/running.md
+++ b/docs/running.md
@@ -10,7 +10,7 @@
## Starting Malcolm
-[Docker compose](https://docs.docker.com/compose/) is used to coordinate running the Docker containers. To start Malcolm, navigate to the directory containing `docker-compose.yml` and run:
+[Docker compose](https://docs.docker.com/compose/) is used to coordinate running the containers. To start Malcolm, navigate to the directory containing `docker-compose.yml` and run:
```
$ ./scripts/start
```
@@ -22,9 +22,9 @@ You can also use `docker stats` to monitor the resource utilization of running c
## Stopping and restarting Malcolm
-You can run `./scripts/stop` to stop the Docker containers and remove their virtual network. Alternatively, `./scripts/restart` will restart an instance of Malcolm. Because the data on disk is stored on the host in Docker volumes, performing these operations will not result in loss of data.
+You can run `./scripts/stop` to stop the containers and remove their virtual network. Alternatively, `./scripts/restart` will restart an instance of Malcolm. Because the data on disk is stored on the host in bind-mounted volumes, performing these operations will not result in loss of data.
-Malcolm can be configured to automatically restart when the Docker system daemon restarts (for example, on system reboot). This behavior depends on the [value](https://docs.docker.com/config/containers/start-containers-automatically/) of the [`restart:`](https://docs.docker.com/compose/compose-file/#restart) setting for each service in the `docker-compose.yml` file. This value can be set by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Restart Malcolm upon system or Docker daemon restart?`."
+Malcolm can be configured to automatically restart when the Docker system daemon restarts (for example, on system reboot). This behavior depends on the [value](https://docs.docker.com/config/containers/start-containers-automatically/) of the [`restart:`](https://docs.docker.com/compose/compose-file/#restart) setting for each service in the `docker-compose.yml` file. This value can be set by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Restart Malcolm upon system or container daemon restart?`."
## Clearing Malcolm's data
diff --git a/docs/slides/Malcolm OT Protocol Support.odp b/docs/slides/Malcolm OT Protocol Support.odp
deleted file mode 100644
index 8c85e1073..000000000
Binary files a/docs/slides/Malcolm OT Protocol Support.odp and /dev/null differ
diff --git a/docs/slides/Malcolm OT Protocol Support.pdf b/docs/slides/Malcolm OT Protocol Support.pdf
deleted file mode 100644
index cd4749bf2..000000000
Binary files a/docs/slides/Malcolm OT Protocol Support.pdf and /dev/null differ
diff --git a/docs/slides/Network Traffic Analysis with Malcolm.odp b/docs/slides/Network Traffic Analysis with Malcolm.odp
index 9bf8cc690..086240d84 100644
Binary files a/docs/slides/Network Traffic Analysis with Malcolm.odp and b/docs/slides/Network Traffic Analysis with Malcolm.odp differ
diff --git a/docs/slides/Network Traffic Analysis with Malcolm.pdf b/docs/slides/Network Traffic Analysis with Malcolm.pdf
index 8b78218e3..e04c5bfea 100644
Binary files a/docs/slides/Network Traffic Analysis with Malcolm.pdf and b/docs/slides/Network Traffic Analysis with Malcolm.pdf differ
diff --git a/docs/system-requirements.md b/docs/system-requirements.md
index a11571b2b..930a95043 100644
--- a/docs/system-requirements.md
+++ b/docs/system-requirements.md
@@ -1,7 +1,8 @@
# Recommended system requirements
-Malcolm runs on top of [Docker](https://www.docker.com/), which runs on recent releases of Linux, Apple [macOS](host-config-macos.md#HostSystemConfigMac), and [Microsoft Windows](host-config-windows.md#HostSystemConfigWindows) 10 and up. Malcolm can also be deployed in the cloud [with Kubernetes](kubernetes.md#Kubernetes).
+Malcolm runs on top of [Docker](https://www.docker.com/), which runs on recent releases of Linux, Apple [macOS](host-config-macos.md#HostSystemConfigMac), and [Microsoft Windows](host-config-windows.md#HostSystemConfigWindows) 10 and up. Malcolm can also be deployed with [Podman](https://podman.io), or in the cloud [with Kubernetes](kubernetes.md#Kubernetes).
To quote the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/guide/current/hardware.html), "If there is one resource that you will run out of first, it will likely be memory." Malcolm requires a minimum of 8 CPU cores and 16 gigabytes of RAM on a dedicated server, but Malcolm developers recommend 16+ CPU cores and 32+ gigabytes of RAM for an optimal experience. Users will want as much available disk storage as possible (preferrably solid state storage), as the amount of PCAP data a machine can analyze and store will be limited by available storage space.
-Arkime's wiki has documents ([here](https://github.com/arkime/arkime#hardware-requirements) and [here](https://github.com/arkime/arkime/wiki/FAQ#what-kind-of-capture-machines-should-we-buy) and [here](https://github.com/arkime/arkime/wiki/FAQ#how-many-elasticsearch-nodes-or-machines-do-i-need) and a [calculator here](https://arkime.com/estimators)) that may be helpful, although not everything in those documents will apply to a Docker-based setup such as Malcolm.
\ No newline at end of file
+Arkime's wiki has documents ([here](https://github.com/arkime/arkime#hardware-requirements) and [here](https://github.com/arkime/arkime/wiki/FAQ#what-kind-of-capture-machines-should-we-buy) and [here](https://github.com/arkime/arkime/wiki/FAQ#how-many-elasticsearch-nodes-or-machines-do-i-need) and a [calculator here](https://arkime.com/estimators)) that may be helpful, although not everything in those documents will apply to a containerized setup such as Malcolm.
+
diff --git a/docs/third-party-envs.md b/docs/third-party-envs.md
index 4382fd76b..134b9b1ad 100644
--- a/docs/third-party-envs.md
+++ b/docs/third-party-envs.md
@@ -43,7 +43,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro
amazon-ebs: output will be in this color.
==> amazon-ebs: Prevalidating any provided VPC information
- ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.08.0-arm64-2024-05-30T13-57-31Z
+ ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z
amazon-ebs: Found Image ID: ami-xxxxxxxxxxxxxxxxx
...
@@ -53,7 +53,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro
==> amazon-ebs: Adding tags to AMI (ami-xxxxxxxxxxxxxxxxx)...
==> amazon-ebs: Tagging snapshot: snap-xxxxxxxxxxxxxxxxx
==> amazon-ebs: Creating AMI tags
- amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.08.0"
+ amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.0"
amazon-ebs: Adding tag: "source_ami_name": "amzn2-ami-kernel-5.10-hvm-2.0.20240521.0-arm64-gp2"
==> amazon-ebs: Creating snapshot tags
==> amazon-ebs: Terminating the source AWS instance...
@@ -79,7 +79,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro
"Architecture": "arm64",
"CreationDate": "2024-05-30T14:02:21.000Z",
"ImageId": "ami-xxxxxxxxxxxxxxxxx",
- "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.08.0-arm64-2024-05-30T13-57-31Z",
+ "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z",
"ImageType": "machine",
"Public": false,
"OwnerId": "xxxxxxxxxxxx",
@@ -100,14 +100,14 @@ The files referenced in this section can be found in [scripts/third-party-enviro
],
"EnaSupport": true,
"Hypervisor": "xen",
- "Name": "malcolm-v24.08.0-arm64-2024-05-30T13-57-31Z",
+ "Name": "malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z",
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SriovNetSupport": "simple",
"Tags": [
{
"Key": "Malcolm",
- "Value": "idaholab/Malcolm/v24.08.0"
+ "Value": "idaholab/Malcolm/v24.10.0"
},
{
"Key": "source_ami_name",
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index 26fa5ba09..9e77c9c8d 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -98,6 +98,10 @@ Malcolm runtime files extracted to /home/user/Malcolm
Now that any necessary system configuration changes have been made, the local Malcolm instance will be configured:
```
+1: docker
+2: podman
+Select container runtime engine (docker): 1
+
Malcolm processes will run as UID 1000 and GID 1000. Is this OK? (Y / n): y
Run with Malcolm (all containers) or Hedgehog (capture only) profile? (Y / n): y
@@ -112,7 +116,7 @@ Setting 10g for OpenSearch and 3g for Logstash. Is this OK? (Y / n): y
Setting 3 workers for Logstash pipelines. Is this OK? (Y / n): y
-Restart Malcolm upon system or Docker daemon restart? (y / N): y
+Restart Malcolm upon system or container daemon restart? (y / N): y
1: no
2: on-failure
3: always
@@ -123,7 +127,7 @@ Require encrypted HTTPS connections? (Y / n): y
Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)? (y / N): n
-Specify external Docker network name (or leave blank for default networking) ():
+Specify external container network name (or leave blank for default networking) ():
1: Basic
2: Lightweight Directory Access Protocol (LDAP)
@@ -197,7 +201,7 @@ Specify capture interface(s) (comma-separated): eth0
Enable dark mode for OpenSearch Dashboards? (Y / n): y
-Pull Malcolm Docker images (y / N): y
+Pull Malcolm images (y / N): y
Malcolm has been installed to /home/user/Malcolm. See README.md for more information.
Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in /home/user/Malcolm/scripts.
@@ -257,25 +261,25 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-ghcr.io/idaholab/malcolm/api 24.08.0 xxxxxxxxxxxx 3 days ago 158MB
-ghcr.io/idaholab/malcolm/arkime 24.08.0 xxxxxxxxxxxx 3 days ago 816MB
-ghcr.io/idaholab/malcolm/dashboards 24.08.0 xxxxxxxxxxxx 3 days ago 1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper 24.08.0 xxxxxxxxxxxx 3 days ago 184MB
-ghcr.io/idaholab/malcolm/file-monitor 24.08.0 xxxxxxxxxxxx 3 days ago 588MB
-ghcr.io/idaholab/malcolm/file-upload 24.08.0 xxxxxxxxxxxx 3 days ago 259MB
-ghcr.io/idaholab/malcolm/filebeat-oss 24.08.0 xxxxxxxxxxxx 3 days ago 624MB
-ghcr.io/idaholab/malcolm/freq 24.08.0 xxxxxxxxxxxx 3 days ago 132MB
-ghcr.io/idaholab/malcolm/htadmin 24.08.0 xxxxxxxxxxxx 3 days ago 242MB
-ghcr.io/idaholab/malcolm/logstash-oss 24.08.0 xxxxxxxxxxxx 3 days ago 1.35GB
-ghcr.io/idaholab/malcolm/netbox 24.08.0 xxxxxxxxxxxx 3 days ago 1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy 24.08.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/opensearch 24.08.0 xxxxxxxxxxxx 3 days ago 1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture 24.08.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/pcap-monitor 24.08.0 xxxxxxxxxxxx 3 days ago 213MB
-ghcr.io/idaholab/malcolm/postgresql 24.08.0 xxxxxxxxxxxx 3 days ago 268MB
-ghcr.io/idaholab/malcolm/redis 24.08.0 xxxxxxxxxxxx 3 days ago 34.2MB
-ghcr.io/idaholab/malcolm/suricata 24.08.0 xxxxxxxxxxxx 3 days ago 278MB
-ghcr.io/idaholab/malcolm/zeek 24.08.0 xxxxxxxxxxxx 3 days ago 1GB
+ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 3 days ago 158MB
+ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 3 days ago 816MB
+ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 3 days ago 1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 3 days ago 184MB
+ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 588MB
+ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 3 days ago 259MB
+ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 3 days ago 624MB
+ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 3 days ago 132MB
+ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 3 days ago 242MB
+ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 3 days ago 1.35GB
+ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 3 days ago 1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 3 days ago 1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 213MB
+ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 3 days ago 268MB
+ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 3 days ago 34.2MB
+ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 3 days ago 278MB
+ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 3 days ago 1GB
```
Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing.
diff --git a/docs/zeek-intel.md b/docs/zeek-intel.md
index cf71d810c..7d00bb1c2 100644
--- a/docs/zeek-intel.md
+++ b/docs/zeek-intel.md
@@ -6,7 +6,7 @@
To quote Zeek's [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html) documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek [intelligence](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html) [indicator types](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Type) include IP addresses, URLs, file names, hashes, email addresses, and more.
-Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included into a local instance. On [startup]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_intel_setup.sh), Malcolm's `ghcr.io/idaholab/malcolm/zeek` docker container enumerates the subdirectories under `./zeek/intel` (which is [bind mounted](https://docs.docker.com/storage/bind-mounts/) into the container's runtime) and configures Zeek so those intelligence files will be automatically included in its local policy. Subdirectories under `./zeek/intel` that contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be [loaded](https://docs.zeek.org/en/master/frameworks/intel.html#loading-intelligence) automatically with a `redef Intel::read_files` directive.
+Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included into a local instance. On [startup]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/zeek_intel_setup.sh), Malcolm's `ghcr.io/idaholab/malcolm/zeek` container enumerates the subdirectories under `./zeek/intel` (which is [bind mounted](https://docs.docker.com/storage/bind-mounts/) into the container's runtime) and configures Zeek so those intelligence files will be automatically included in its local policy. Subdirectories under `./zeek/intel` that contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be [loaded](https://docs.zeek.org/en/master/frameworks/intel.html#loading-intelligence) automatically with a `redef Intel::read_files` directive.
Note that Malcolm does not manage updates for these intelligence files. Users use the update mechanism suggested by the feeds' maintainers to keep intelligence files up to date, or use a [TAXII](#ZeekIntelSTIX) or [MISP](#ZeekIntelMISP) feed as described below.
diff --git a/hedgehog-iso/build.sh b/hedgehog-iso/build.sh
index 301749cf3..8390e6c63 100755
--- a/hedgehog-iso/build.sh
+++ b/hedgehog-iso/build.sh
@@ -5,7 +5,7 @@ IMAGE_PUBLISHER=cisagov
IMAGE_VERSION=1.0.0
IMAGE_DISTRIBUTION=bookworm
-BEATS_VER="8.15.0"
+BEATS_VER="8.15.2"
BEATS_OSS="-oss"
ARKIME_VER="5.4.0"
@@ -176,17 +176,10 @@ if [ -d "$WORKDIR" ]; then
# grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc.
mkdir -p ./config/includes.chroot/opt/arkime/etc/
pushd ./config/includes.chroot/opt/arkime/etc/
- MAXMIND_GEOIP_DB_LICENSE_KEY=""
- if [[ -f "$SCRIPT_PATH/shared/maxmind_license.txt" ]]; then
- MAXMIND_GEOIP_DB_LICENSE_KEY="$(cat "$SCRIPT_PATH/shared/maxmind_license.txt" | head -n 1)"
- if [[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]]; then
- for DB in ASN Country City; do
- curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz"
- tar xvf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 --no-same-owner
- rm -f "GeoLite2-$DB.mmdb.tar.gz"
- done
- fi
- fi
+ bash "$SCRIPT_PATH/shared/bin/maxmind-mmdb-download.sh" \
+ -f "$SCRIPT_PATH/shared/maxmind_license.txt" \
+ -r "$SCRIPT_PATH/shared/maxmind_url.txt" \
+ -o "$(pwd)"
curl -s -S -L -o ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv"
curl -s -S -L -o oui.txt "https://www.wireshark.org/download/automated/data/manuf"
popd >/dev/null 2>&1
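Review bot: The exit status of `maxmind-mmdb-download.sh` is not checked, so a failed or skipped GeoIP download leaves the image without the `.mmdb` files and the build carries on silently; the inline loop it replaces had the same weakness, but it at least visibly short-circuited when no license key was present, whereas what the helper does when `maxmind_license.txt` or `maxmind_url.txt` is absent cannot be seen from this hunk. Either fail the build or make the degradation explicit, e.g. `bash "$SCRIPT_PATH/shared/bin/maxmind-mmdb-download.sh" ... -o "$(pwd)" || echo "warning: GeoLite2 databases not downloaded" >&2`. A comment naming the expected contents of the two `.txt` files (one-line license key, one-line alternate URL, as far as the file names suggest) would also help the next maintainer. The enclosing `if [ -d "$WORKDIR" ]` block begins and ends outside the hunk.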
@@ -197,7 +190,7 @@ if [ -d "$WORKDIR" ]; then
"https://github.com/arkime/arkime/releases/download/v${ARKIME_VER}/arkime_${ARKIME_VER}-1.debian12_amd64.deb"
# download Zeek .deb packages
- bash "$SCRIPT_PATH/shared/bin/zeek-deb-download.sh" -o ./config/packages.chroot/
+ bash "$SCRIPT_PATH/shared/bin/zeek-deb-download.sh" -o ./config/packages.chroot/ -f "$SCRIPT_PATH/shared/zeek_url.txt"
# reclaim some space
docker system prune --volumes --force
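Review bot: The `-f "$SCRIPT_PATH/shared/zeek_url.txt"` argument lets a URL taken from a CI secret decide where the Zeek `.deb` packages baked into the sensor image are fetched from, and nothing in this hunk (or in the `build_zeek` change in hedgehog-raspi/sensor_install.sh, which installs the result with `dpkg -i`) shows the downloaded packages being checked against a signature or known checksum, so the URL's host effectively becomes a trust root for code in the image. If `zeek-deb-download.sh` does not already verify what it fetches, that is the place to add it; at minimum a comment here such as `# alternate source is trusted as-is: packages are not signature-checked` would make the assumption visible to whoever rotates that secret. The same consideration applies, with lower stakes, to the alternate MaxMind URL above. The enclosing `if` block begins and ends outside the hunk.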
diff --git a/hedgehog-iso/build_via_vagrant.sh b/hedgehog-iso/build_via_vagrant.sh
index 240361275..c15457f83 100755
--- a/hedgehog-iso/build_via_vagrant.sh
+++ b/hedgehog-iso/build_via_vagrant.sh
@@ -99,6 +99,8 @@ cp -r "$SCRIPT_PATH"/../nginx/landingpage/js "$SCRIPT_PATH"/nginx/
YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)"
[[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt
[[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > "$SCRIPT_PATH"/shared/maxmind_license.txt
+[[ ${#MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL" > "$SCRIPT_PATH"/shared/maxmind_url.txt
+[[ ${#ZEEK_DEB_ALTERNATE_DOWNLOAD_URL} -gt 1 ]] && echo "$ZEEK_DEB_ALTERNATE_DOWNLOAD_URL" > "$SCRIPT_PATH"/shared/zeek_url.txt
[[ ${#GITHUB_TOKEN} -gt 1 ]] && echo "GITHUB_TOKEN=$GITHUB_TOKEN" >> "$SCRIPT_PATH"/shared/environment.chroot
echo "VCS_REVSION=$( git rev-parse --short HEAD 2>/dev/null || echo main )" >> "$SCRIPT_PATH"/shared/environment.chroot
trap cleanup_shared_and_docs EXIT
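Review bot: The two new files, like `maxmind_license.txt` beside them, hold values sourced from CI secrets (an "alternate download URL" presumably embeds a token or pre-signed path), yet they are created with the process's default umask, and `trap cleanup_shared_and_docs EXIT` is only installed on the last line of the hunk, after the writes. Setting `umask 077` ahead of the `echo`s (or `chmod 600` on just the secret-bearing files, if the Vagrant sync needs `version.txt` world-readable) and moving the trap above the writes narrows both the readability and the window in which an aborted build leaves them on disk. The same pattern is added in hedgehog-raspi/build_via_vagrant.sh.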
diff --git a/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot
index 0667b4b72..2a992298c 100755
--- a/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot
+++ b/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot
@@ -20,4 +20,4 @@ pip3 install --break-system-packages --no-compile --no-cache-dir --force-reinsta
stix2 \
stream-zip \
taxii2-client \
- watchdog==4.0.2
+ watchdog==5.0.3
diff --git a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 3116aa3c8..4801ca047 100755
--- a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -92,6 +92,7 @@ net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=0
+net.ipv4.tcp_retries2=5
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
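Review bot: `net.ipv4.tcp_retries2=5` is the only entry in this sysctl block whose purpose is not self-evident, and the value is a magic number: it shortens how long an established TCP connection keeps retransmitting to an unresponsive peer before being torn down (the kernel default is 15, on the order of many minutes). A one-line comment above it, e.g. `# tcp_retries2: give up on an unresponsive peer after ~5 retransmits instead of the default 15, so forwarders notice a dead aggregator sooner`, would document the intent; the "forwarders" motivation is my inference and should be replaced with the actual reason. The enclosing heredoc or function starts outside the hunk.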
diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index a2794d2fe..9b66dccfc 100644
--- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -35,6 +35,7 @@ global disable_ics_enip = (getenv("ZEEK_DISABLE_ICS_ENIP") == true_regex) ? T :
global disable_ics_ethercat = (getenv("ZEEK_DISABLE_ICS_ETHERCAT") == true_regex) ? T : F;
global disable_ics_genisys = (getenv("ZEEK_DISABLE_ICS_GENISYS") == true_regex) ? T : F;
global disable_ics_ge_srtp = (getenv("ZEEK_DISABLE_ICS_GE_SRTP") == true_regex) ? T : F;
+global disable_ics_hart_ip = (getenv("ZEEK_DISABLE_ICS_HART_IP") == true_regex) ? T : F;
global disable_ics_opcua_binary = (getenv("ZEEK_DISABLE_ICS_OPCUA_BINARY") == true_regex) ? T : F;
global disable_ics_modbus = (getenv("ZEEK_DISABLE_ICS_MODBUS") == true_regex) ? T : F;
global disable_ics_profinet = (getenv("ZEEK_DISABLE_ICS_PROFINET") == true_regex) ? T : F;
@@ -55,7 +56,6 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F;
redef LogAscii::use_json = T;
@endif
-@load tuning/defaults
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
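Review bot: Removing `@load tuning/defaults` changes sensor behaviour beyond what the diff shows and nothing on the new side says why; as far as I recall that stock script pulls in the packet-fragment reassembly tuning, the extracted-file size limits and a few warning tweaks. A comment where the load used to be, e.g. `# tuning/defaults intentionally not loaded: <reason>`, or the relevant settings redefined explicitly elsewhere in this file, would stop the next reader from simply re-adding it. The surrounding script continues on both sides of the hunk.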
@@ -69,6 +69,7 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F;
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
+@load protocols/http/header-names
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@@ -148,6 +149,10 @@ event zeek_init() &priority=-5 {
if (disable_ics_all || disable_ics_ge_srtp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GE_SRTP_TCP);
}
+ if (disable_ics_all || disable_ics_hart_ip) {
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HART_IP_TCP);
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HART_IP_UDP);
+ }
if (disable_ics_all || disable_ics_opcua_binary) {
Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY);
}
@@ -277,6 +282,8 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif
+redef HTTP::log_client_header_names = T;
+redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
redef SNIFFPASS::notice_log_enable = F;
redef CVE_2021_44228::log = F;
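Review bot: `redef HTTP::log_client_header_names = T` and `redef HTTP::log_server_header_names = T` (together with the `@load protocols/http/header-names` added in the earlier hunk) are unconditional, while every other optional feature in this file is gated on a `ZEEK_DISABLE_*` environment variable mirrored in control_vars.conf. These redefs append a header-name vector to every http.log record, a measurable log-volume and storage cost on a busy sensor, so a toggle in the file's existing style would keep it tunable: a `global disable_http_header_names = (getenv("ZEEK_DISABLE_HTTP_HEADER_NAMES") == true_regex) ? T : F;` alongside the other globals (variable name is my suggestion), with the two redefs wrapped in the same `@if` pattern the file already uses for `LogAscii::use_json`. The surrounding block continues outside the hunk.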
diff --git a/hedgehog-iso/config/package-lists/system.list.chroot b/hedgehog-iso/config/package-lists/system.list.chroot
index 383baf1f6..47d6d3f99 100644
--- a/hedgehog-iso/config/package-lists/system.list.chroot
+++ b/hedgehog-iso/config/package-lists/system.list.chroot
@@ -110,6 +110,7 @@ lm-sensors
localepurge
lshw
lsof
+lua5.4
lvm2
lzma
mcrypt
diff --git a/hedgehog-iso/interface/requirements.txt b/hedgehog-iso/interface/requirements.txt
index 4a21774d0..6efc369ca 100644
--- a/hedgehog-iso/interface/requirements.txt
+++ b/hedgehog-iso/interface/requirements.txt
@@ -2,7 +2,7 @@ certifi==2024.7.4
chardet==5.1.0
click==8.1.3
Flask==2.3.2
-Flask-Cors==4.0.1
+Flask-Cors==5.0.0
gunicorn==22.0.0
idna==3.7
itsdangerous==2.1.2
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/config.ini b/hedgehog-iso/interface/sensor_ctl/arkime/config.ini
index 0c8b01017..f6748c72b 100644
--- a/hedgehog-iso/interface/sensor_ctl/arkime/config.ini
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/config.ini
@@ -20,6 +20,7 @@ logEveryXPackets=500000
logFileCreation=true
logHTTPConnections=false
logUnknownProtocols=false
+luaFiles=
maxESConns=30
maxESRequests=500
maxFileSizeG=4
@@ -35,7 +36,7 @@ parseSMB=true
parseSMTP=true
passwordSecret=Malcolm
pcapDir=/tmp
-plugins=
+plugins=lua.so
pluginsDir=/dummy/plugins
reqBodyOnlyUtf8=true
rirFile=/dummy/ipv4-address-space.csv
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/live_capture.sh b/hedgehog-iso/interface/sensor_ctl/arkime/live_capture.sh
index 27ee6ce4b..118a8f9a5 100755
--- a/hedgehog-iso/interface/sensor_ctl/arkime/live_capture.sh
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/live_capture.sh
@@ -30,7 +30,6 @@ fi
-o geoLite2ASN="${SCRIPT_PATH}"/GeoLite2-ASN.mmdb \
-o rirFile="${SCRIPT_PATH}"/ipv4-address-space.csv \
-o ouiFile="${SCRIPT_PATH}"/oui.txt \
- -o rulesFiles="${SCRIPT_PATH}"/rules.yml \
-o parsersDir="${ARKIME_DIR}"/parsers \
-o pluginsDir="${ARKIME_DIR}"/plugins \
-o ecsEventProvider="${ARKIME_ECS_PROVIDER:-arkime}" \
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/lua/.gitignore b/hedgehog-iso/interface/sensor_ctl/arkime/lua/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/lua/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/rules.yml b/hedgehog-iso/interface/sensor_ctl/arkime/rules.yml
deleted file mode 100644
index e8cd2b32a..000000000
--- a/hedgehog-iso/interface/sensor_ctl/arkime/rules.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-version: 1
-rules:
- - name: "Only save first n packets of TLS"
- when: "fieldSet"
- fields:
- protocols:
- - tls
- ops:
- _maxPacketsToSave: 15
- - name: "Only save first n packets of SSH"
- when: "fieldSet"
- fields:
- protocols:
- - ssh
- ops:
- _maxPacketsToSave: 20
- - name: "Dont save SPI sessions with only 1 source packet"
- when: "beforeFinalSave"
- fields:
- packets.src: 1
- packets.dst: 0
- tcpflags.syn: 1
- ops:
- _dontSaveSPI: 1
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/rules/.gitignore b/hedgehog-iso/interface/sensor_ctl/arkime/rules/.gitignore
new file mode 100644
index 000000000..a5baada18
--- /dev/null
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/rules/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/rules/single_session_no_spi.yml b/hedgehog-iso/interface/sensor_ctl/arkime/rules/single_session_no_spi.yml
new file mode 100644
index 000000000..fdfb73069
--- /dev/null
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/rules/single_session_no_spi.yml
@@ -0,0 +1,11 @@
+---
+version: 1
+rules:
+ - name: "Dont save SPI sessions with only 1 source packet"
+ when: "beforeFinalSave"
+ fields:
+ packets.src: 1
+ packets.dst: 0
+ tcpflags.syn: 1
+ ops:
+ _dontSaveSPI: 1
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/rules/ssh_truncate.yml b/hedgehog-iso/interface/sensor_ctl/arkime/rules/ssh_truncate.yml
new file mode 100644
index 000000000..4d5b099d9
--- /dev/null
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/rules/ssh_truncate.yml
@@ -0,0 +1,10 @@
+---
+version: 1
+rules:
+ - name: "Only save first n packets of SSH"
+ when: "fieldSet"
+ fields:
+ protocols:
+ - ssh
+ ops:
+ _maxPacketsToSave: 20
diff --git a/hedgehog-iso/interface/sensor_ctl/arkime/rules/tls_truncate.yml b/hedgehog-iso/interface/sensor_ctl/arkime/rules/tls_truncate.yml
new file mode 100644
index 000000000..0e51a8e3d
--- /dev/null
+++ b/hedgehog-iso/interface/sensor_ctl/arkime/rules/tls_truncate.yml
@@ -0,0 +1,10 @@
+---
+version: 1
+rules:
+ - name: "Only save first n packets of TLS"
+ when: "fieldSet"
+ fields:
+ protocols:
+ - tls
+ ops:
+ _maxPacketsToSave: 15
diff --git a/hedgehog-iso/interface/sensor_ctl/control_vars.conf b/hedgehog-iso/interface/sensor_ctl/control_vars.conf
index dc7e5bef6..4dd4eac96 100644
--- a/hedgehog-iso/interface/sensor_ctl/control_vars.conf
+++ b/hedgehog-iso/interface/sensor_ctl/control_vars.conf
@@ -121,6 +121,7 @@ export ZEEK_DISABLE_HASH_ALL_FILES=
export ZEEK_DISABLE_LOG_PASSWORDS=
export ZEEK_DISABLE_SSL_VALIDATE_CERTS=
export ZEEK_DISABLE_TRACK_ALL_ASSETS=
+export ZEEK_DISABLE_DETECT_ROUTERS=true
export ZEEK_DISABLE_SPICY_IPSEC=
export ZEEK_DISABLE_SPICY_LDAP=
export ZEEK_DISABLE_SPICY_OPENVPN=
@@ -137,6 +138,7 @@ export ZEEK_DISABLE_ICS_ENIP=
export ZEEK_DISABLE_ICS_ETHERCAT=
export ZEEK_DISABLE_ICS_GENISYS=true
export ZEEK_DISABLE_ICS_GE_SRTP=true
+export ZEEK_DISABLE_ICS_HART_IP=
export ZEEK_DISABLE_ICS_OPCUA_BINARY=
export ZEEK_DISABLE_ICS_MODBUS=
export ZEEK_DISABLE_ICS_PROFINET=
diff --git a/hedgehog-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh b/hedgehog-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
index 3d9a62ff4..28436aa0d 100644
--- a/hedgehog-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
+++ b/hedgehog-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
@@ -109,6 +109,20 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r "$SUPERVISOR_PATH"/arkime/config.ini ]]; t
sed -r -i "s/(debug)\s*=\s*.*/\1=$ARKIME_DEBUG_LEVEL/" "$ARKIME_CONFIG_FILE"
fi
+ # rules files
+ ARKIME_RULES_DIR="$SUPERVISOR_PATH"/arkime/rules
+ if [[ -d "${ARKIME_RULES_DIR}" ]]; then
+ RULES_FILES="$(find "${ARKIME_RULES_DIR}" -mindepth 1 -maxdepth 1 -type f -size +0c \( -name '*.yml' -o -name '*.yaml' \) | tr '\n' ';' | sed 's/;$//' )"
+ sed -r -i "s|(rulesFiles)\s*=\s*.*|\1=$RULES_FILES|" "$ARKIME_CONFIG_FILE"
+ fi
+
+ # lua plugins
+ ARKIME_LUA_DIR="$SUPERVISOR_PATH"/arkime/lua
+ if [[ -d "${ARKIME_LUA_DIR}" ]]; then
+ LUA_FILES="$(find "${ARKIME_LUA_DIR}" -mindepth 1 -maxdepth 1 -type f -size +0c -name '*.lua' | tr '\n' ';' | sed 's/;$//' )"
+ sed -r -i "s|(luaFiles)\s*=\s*.*|\1=$LUA_FILES|" "$ARKIME_CONFIG_FILE"
+ fi
+
# enable ja4+ plugin if it's present
JA4_PLUGIN_FILE="/opt/arkime/plugins/ja4plus.$(dpkg --print-architecture).so"
if [[ -f "${JA4_PLUGIN_FILE}" ]]; then
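Review bot: `$RULES_FILES` and `$LUA_FILES` are spliced unescaped into a `sed` replacement, so a file name containing `|` (the delimiter), `&` (the whole-match back-reference) or `\` breaks or rewrites the substitution, and a name containing `;` corrupts the list because `;` is also the separator. Since every non-empty `*.yml`/`*.yaml` and `*.lua` found under those directories is wired into arkime-capture — the Lua files as code executing inside the capture process — constraining accepted names at the `find`, e.g. `-regextype posix-extended -regex '.*/[A-Za-z0-9._-]+\.lua'`, both removes the sed hazard and documents which files are honoured. A comment such as `# any non-empty .lua placed here runs inside arkime-capture; keep this directory writable only by the sensor administrator` would record the trust boundary the new directory introduces. The enclosing `if` block begins outside the hunk.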
@@ -125,7 +139,16 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r "$SUPERVISOR_PATH"/arkime/config.ini ]]; t
fi
# identify node in session metadata for PCAP reachback
- PRIMARY_IP=$(ip route get 255.255.255.255 | grep -Po '(?<=src )(\d{1,3}.){4}' | sed "s/ //g")
+ ROUTE_DEST_IP=
+ if [[ -n "$OS_HOST" ]]; then
+ if [[ "$OS_HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ ROUTE_DEST_IP="$OS_HOST"
+ else
+ ROUTE_DEST_IP=$(dig +short "$OS_HOST" 2>/dev/null | head -n 1)
+ fi
+ fi
+ [[ -n "$ROUTE_DEST_IP" ]] || ROUTE_DEST_IP=255.255.255.255
+ PRIMARY_IP=$(ip route get "$ROUTE_DEST_IP" | grep -Po '(?<=src )(\d{1,3}.){4}' | sed "s/ //g")
export ARKIME_NODE_NAME="$(hostname --long)"
export ARKIME_NODE_HOST="$PRIMARY_IP"
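Review bot: When `$OS_HOST` is a name that resolves through a CNAME, `dig +short` prints the CNAME target before the A records, so `head -n 1` can hand `ip route get` a hostname rather than an address; as far as I know `ip route get` does not resolve names, the command then fails and `PRIMARY_IP` is left empty, which the 255.255.255.255 fallback on the preceding line cannot catch because `ROUTE_DEST_IP` is non-empty. Filtering the resolver output to dotted-quad lines, `ROUTE_DEST_IP=$(dig +short A "$OS_HOST" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)`, keeps the fallback effective; a `|| true` or `2>/dev/null` on the `ip route get` line would likewise avoid a noisy failure when the aggregator is unreachable at boot. The hunk also assumes `dig` is present in the image, which nothing here establishes. The enclosing `if` block begins and ends outside the hunk.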
diff --git a/hedgehog-iso/vagrant/Vagrantfile b/hedgehog-iso/vagrant/Vagrantfile
index 04cfb86f6..bc1c3cf90 100644
--- a/hedgehog-iso/vagrant/Vagrantfile
+++ b/hedgehog-iso/vagrant/Vagrantfile
@@ -36,6 +36,16 @@ Vagrant.configure("2") do |config|
lv.cpus = 4
end
+ config.vm.provider "vmware_desktop" do |vd|
+ vd.memory = "8192"
+ vd.cpus = 4
+ end
+
+ config.vm.provider "vmware_fusion" do |vf|
+ vf.memory = "8192"
+ vf.cpus = 4
+ end
+
config.vm.provision "shell", inline: <<-STEP1
dpkg-reconfigure debconf -f noninteractive -p critical
export DEBIAN_FRONTEND=noninteractive
diff --git a/hedgehog-raspi/build_via_vagrant.sh b/hedgehog-raspi/build_via_vagrant.sh
index 396f51d88..643f4378b 100755
--- a/hedgehog-raspi/build_via_vagrant.sh
+++ b/hedgehog-raspi/build_via_vagrant.sh
@@ -98,6 +98,8 @@ mkdir "$SCRIPT_PATH"/shared
YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-compose.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)"
[[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt
[[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > "$SCRIPT_PATH"/shared/maxmind_license.txt
+[[ ${#MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL" > "$SCRIPT_PATH"/shared/maxmind_url.txt
+[[ ${#ZEEK_DEB_ALTERNATE_DOWNLOAD_URL} -gt 1 ]] && echo "$ZEEK_DEB_ALTERNATE_DOWNLOAD_URL" > "$SCRIPT_PATH"/shared/zeek_url.txt
[[ ${#GITHUB_TOKEN} -gt 1 ]] && echo "GITHUB_TOKEN=$GITHUB_TOKEN" >> "$SCRIPT_PATH"/shared/environment.chroot
echo "VCS_REVSION=$( git rev-parse --short HEAD 2>/dev/null || echo main )" >> "$SCRIPT_PATH"/shared/environment.chroot
trap cleanup_shared_and_docs EXIT
diff --git a/hedgehog-raspi/sensor_install.sh b/hedgehog-raspi/sensor_install.sh
index a9b9cd749..0310104e6 100644
--- a/hedgehog-raspi/sensor_install.sh
+++ b/hedgehog-raspi/sensor_install.sh
@@ -34,7 +34,7 @@ SENSOR_DIR='/opt/sensor'
ARKIME_VERSION="5.4.0"
-BEATS_VER="8.15.0"
+BEATS_VER="8.15.2"
BEATS_OSS="-oss"
# Option to build from sources if desired
@@ -97,8 +97,6 @@ build_arkime_src(){
make install -j${build_jobs}
- cp -r ./capture/plugins/lua/samples "${arkime_dir}"/lua
-
cat NOTICE release/CAPTURENOTICE > "${arkime_dir}/NOTICE.txt"
rm -f $arkime_dir/etc/*.systemd.service
@@ -199,7 +197,7 @@ build_yara_src() {
build_zeek() {
# install zeek from debs from OpenSUSE
mkdir -p /tmp/zeek-debs
- /bin/bash /usr/local/bin/zeek-deb-download.sh -o /tmp/zeek-debs
+ /bin/bash /usr/local/bin/zeek-deb-download.sh -o /tmp/zeek-debs -f "$SHARED_DIR/zeek_url.txt"
dpkg -i /tmp/zeek-debs/*.deb
}
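Review bot: `dpkg -i /tmp/zeek-debs/*.deb` on the line after the changed download call installs whatever landed in the directory, and the download source is now decided by a file-supplied alternate URL; unless `zeek-deb-download.sh` verifies checksums or signatures (not visible here), a mistyped or compromised mirror yields an image with attacker-chosen Zeek binaries. At minimum the download's exit status should gate the install, e.g. `/bin/bash /usr/local/bin/zeek-deb-download.sh -o /tmp/zeek-debs -f "$SHARED_DIR/zeek_url.txt" || { echo "zeek deb download failed" >&2; return 1; }`, since an empty directory otherwise leaves `*.deb` unexpanded and dpkg fails with a confusing error about a literal glob. Whether the script runs under `set -e` cannot be seen from this hunk.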
@@ -214,7 +212,7 @@ build_zeek_src() {
export PYTHONUNBUFFERED=1
zeek_url=https://github.com/zeek/zeek.git
- zeek_version=7.0.0
+ zeek_version=7.0.3
zeek_release=1
zeek_dir=/opt/zeek
# Zeek's build eats a ton of resources; prevent OOM from the killing build process
@@ -371,31 +369,21 @@ install_files() {
fi
echo "BUILD_ID=\"$(date +\'%Y-%m-%d\')-${IMAGE_VERSION}\"" > "$sensor_ver_file"
- echo "VARIANT=\"Hedgehog Linux (Sensor) v${IMAGE_VERSION}\"" >> "$sensor_ver_file"
- echo "VARIANT_ID=\"hedgehog-sensor\"" >> "$sensor_ver_file"
+ echo "VARIANT=\"Hedgehog Linux (Minihog Sensor) v${IMAGE_VERSION}\"" >> "$sensor_ver_file"
+ echo "VARIANT_ID=\"hedgehog-minihog-sensor\"" >> "$sensor_ver_file"
echo "ID_LIKE=\"debian\"" >> "$sensor_ver_file"
echo "HOME_URL=\"https://${IMAGE_PUBLISHER}.github.io/Malcolm\"" >> "$sensor_ver_file"
echo "DOCUMENTATION_URL=\"https://${IMAGE_PUBLISHER}.github.io/Malcolm/docs/hedgehog.html\"" >> "$sensor_ver_file"
echo "SUPPORT_URL=\"https://github.com/${IMAGE_PUBLISHER}\"" >> "$sensor_ver_file"
echo "BUG_REPORT_URL=\"https://github.com/${IMAGE_PUBLISHER}/malcolm/issues\"" >> "$sensor_ver_file"
- # Setup MaxMind Geo IP info
+ # grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc.
mkdir -p /opt/arkime/etc
pushd /opt/arkime/etc >/dev/null 2>&1
- MAXMIND_GEOIP_DB_LICENSE_KEY=""
-
- if [[ -f "$SHARED_DIR/maxmind_license.txt" ]]; then
- MAXMIND_GEOIP_DB_LICENSE_KEY="$(cat "$SHARED_DIR/maxmind_license.txt" | head -n 1)"
- if [[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]]; then
- for DB in ASN Country City; do
- curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz"
- if [[ -f "GeoLite2-$DB.mmdb.tar.gz" ]]; then
- tar xvf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 --no-same-owner
- rm -f "GeoLite2-$DB.mmdb.tar.gz"
- fi
- done
- fi
- fi
+ bash "/usr/local/bin/maxmind-mmdb-download.sh" \
+ -f "$SHARED_DIR/maxmind_license.txt" \
+ -r "$SHARED_DIR/maxmind_url.txt" \
+ -o "$(pwd)"
curl -s -S -L -o ./ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv"
curl -s -S -L -o ./oui.txt "https://www.wireshark.org/download/automated/data/manuf"
popd >/dev/null 2>&1
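Review bot: The exit status of the new `maxmind-mmdb-download.sh` call is never examined, so a missing license file, an unreachable alternate URL or a truncated download leaves `/opt/arkime/etc` without the GeoLite2 databases while the build continues silently (the inline loop it replaces had the same gap). A guard after the call, `ls ./*.mmdb >/dev/null 2>&1 || echo "WARNING: no MaxMind .mmdb files were downloaded" >&2`, surfaces the condition in the build log without making the databases a hard requirement. The two `curl` calls that follow use `-s -S -L` but not `-f`, so an HTTP error page would be saved as `ipv4-address-space.csv` or `oui.txt`; adding `-f` there is a one-token fix. The enclosing `install_files` function starts before this hunk and appears to continue after it.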
diff --git a/hedgehog-raspi/vagrant/Vagrantfile b/hedgehog-raspi/vagrant/Vagrantfile
index cb46f2255..897e6a371 100644
--- a/hedgehog-raspi/vagrant/Vagrantfile
+++ b/hedgehog-raspi/vagrant/Vagrantfile
@@ -26,14 +26,24 @@ Vagrant.configure("2") do |config|
config.vbguest.auto_update = false
end
- config.vm.provider "virtualbox" do |vb|
- vb.memory = "8192"
- vb.cpus = 4
+ config.vm.provider "virtualbox" do |vm|
+ vm.memory = "8192"
+ vm.cpus = 4
end
- config.vm.provider "libvirt" do |lv|
- lv.memory = "8192"
- lv.cpus = 4
+ config.vm.provider "libvirt" do |vm|
+ vm.memory = "8192"
+ vm.cpus = 4
+ end
+
+ config.vm.provider "vmware_desktop" do |vm|
+ vm.memory = "8192"
+ vm.cpus = 4
+ end
+
+ config.vm.provider "vmware_fusion" do |vm|
+ vm.memory = "8192"
+ vm.cpus = 4
end
config.vm.provision "shell", inline: <<-STEP1
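Review bot: The four provider blocks in this hunk now carry identical `memory`/`cpus` settings under the same `vm` block variable, duplication that a short loop removes: `%w[virtualbox libvirt vmware_desktop vmware_fusion].each do |name|` / `  config.vm.provider(name) { |vm| vm.memory = "8192"; vm.cpus = 4 }` / `end`. Keeping the figures in one place means a future resource bump cannot drift between providers. The `config.vbguest` block whose closing lines open this hunk starts before it.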
diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index 680e009db..d216b4aa0 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: opensearch-container
- image: ghcr.io/idaholab/malcolm/opensearch:24.08.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -71,7 +71,7 @@ spec:
subPath: "opensearch"
initContainers:
- name: opensearch-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index 4652718b8..37f58106a 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: dashboards-container
- image: ghcr.io/idaholab/malcolm/dashboards:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index f13854396..e094081c0 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: upload-container
- image: ghcr.io/idaholab/malcolm/file-upload:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -73,7 +73,7 @@ spec:
subPath: "upload"
initContainers:
- name: upload-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index 8525b6121..c947523c8 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: pcap-monitor-container
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -70,7 +70,7 @@ spec:
name: pcap-monitor-zeek-volume
initContainers:
- name: pcap-monitor-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index 69ca02bf0..bf363d3a4 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: arkime-container
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -73,13 +73,15 @@ spec:
name: arkime-var-local-catrust-volume
- mountPath: /var/local/curlrc/secretmap
name: arkime-opensearch-curlrc-secret-volume
+ - mountPath: "/opt/arkime/lua/configmap"
+ name: arkime-lua-volume
- mountPath: "/opt/arkime/rules/configmap"
name: arkime-rules-volume
- mountPath: "/data/pcap"
name: arkime-pcap-volume
initContainers:
- name: arkime-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
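Review bot: The new `arkime-lua-volume` mount at `/opt/arkime/lua/configmap` hands executable content to the capture process, so write access to the `arkime-lua` ConfigMap in this namespace is effectively code execution inside the arkime pod, a trust relationship the manifest does not mark. Adding `readOnly: true` as a third line under the mount documents the intent in the spec (the kubelet already mounts ConfigMap volumes read-only), and any Role that can `update` or `patch` ConfigMaps here should be reviewed with that in mind. Whether Arkime actually loads Lua from this path, and whether the `arkime-lua` ConfigMap is created elsewhere in this commit, is not visible here; without `optional: true` the pod stays pending until it exists, which matches the existing `arkime-rules` mount.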
@@ -99,6 +101,9 @@ spec:
- name: arkime-opensearch-curlrc-secret-volume
secret:
secretName: opensearch-curlrc
+ - name: arkime-lua-volume
+ configMap:
+ name: arkime-lua
- name: arkime-rules-volume
configMap:
name: arkime-rules
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index c4cec03dc..860ed225a 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: api-container
- image: ghcr.io/idaholab/malcolm/api:24.08.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index d755c8b2e..98769d4b3 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: dashboards-helper-container
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.08.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index de874a2ae..7900c7a29 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: zeek-offline-container
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -62,7 +62,7 @@ spec:
subPath: "zeek/intel"
initContainers:
- name: zeek-offline-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index bff7d6315..4af3177ae 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: suricata-offline-container
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -55,7 +55,7 @@ spec:
name: suricata-offline-custom-configs-volume
initContainers:
- name: suricata-offline-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index 7dd841c2d..dc2f4b4b5 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: file-monitor-container
- image: ghcr.io/idaholab/malcolm/file-monitor:24.08.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
name: file-monitor-yara-rules-custom-volume
initContainers:
- name: file-monitor-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index 85b28f9f5..a9c45be20 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: filebeat-container
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
subPath: "nginx"
initContainers:
- name: filebeat-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index fe980e8e8..e1c8823e8 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
# topologyKey: "kubernetes.io/hostname"
containers:
- name: logstash-container
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.08.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -115,7 +115,7 @@ spec:
subPath: "logstash"
initContainers:
- name: logstash-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index 952a9bd15..4267666bd 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-redis-container
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
subPath: netbox/redis
initContainers:
- name: netbox-redis-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index 1e0c54472..8bf968227 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-redis-cache-container
- image: ghcr.io/idaholab/malcolm/redis:24.08.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index c7c65353f..c96d1bb4c 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-postgres-container
- image: ghcr.io/idaholab/malcolm/postgresql:24.08.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -74,7 +74,7 @@ spec:
subPath: netbox/postgres
initContainers:
- name: netbox-postgres-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index f8ad3dfdf..5d3d59a15 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: netbox-container
- image: ghcr.io/idaholab/malcolm/netbox:24.08.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -88,7 +88,7 @@ spec:
subPath: netbox/media
initContainers:
- name: netbox-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index 1ebabcec4..9438eae0c 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: htadmin-container
- image: ghcr.io/idaholab/malcolm/htadmin:24.08.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -63,7 +63,7 @@ spec:
subPath: "htadmin"
initContainers:
- name: htadmin-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index e23e69de4..44a13f65d 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: pcap-capture-container
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.08.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -50,7 +50,7 @@ spec:
subPath: "upload"
initContainers:
- name: pcap-capture-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index 7174ff5b8..4c2d1fd69 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: zeek-live-container
- image: ghcr.io/idaholab/malcolm/zeek:24.08.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -61,7 +61,7 @@ spec:
subPath: "zeek/intel"
initContainers:
- name: zeek-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index ee5512dc1..80d085b12 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: suricata-live-container
- image: ghcr.io/idaholab/malcolm/suricata:24.08.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -56,7 +56,7 @@ spec:
name: suricata-live-custom-configs-volume
initContainers:
- name: suricata-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/23-arkime-live.yml b/kubernetes/23-arkime-live.yml
index 57c22ba87..39f5deb30 100644
--- a/kubernetes/23-arkime-live.yml
+++ b/kubernetes/23-arkime-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: arkime-live-container
- image: ghcr.io/idaholab/malcolm/arkime:24.08.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -56,13 +56,15 @@ spec:
name: arkime-live-var-local-catrust-volume
- mountPath: /var/local/curlrc/secretmap
name: arkime-live-opensearch-curlrc-secret-volume
+ - mountPath: "/opt/arkime/lua/configmap"
+ name: arkime-live-lua-volume
- mountPath: "/opt/arkime/rules/configmap"
name: arkime-live-rules-volume
- mountPath: "/data/pcap"
name: arkime-live-pcap-volume
initContainers:
- name: arkime-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
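Review bot: The added `arkime-live-lua-volume` mount gives the live-capture container scripts that, if Arkime loads them, run inside the capture process, so whoever can write the `arkime-lua` ConfigMap can run code in this pod; the same ConfigMap is shared with the offline arkime deployment, widening the blast radius of a single edit. Add `readOnly: true` as a third line under the mount to state the intent in the spec, and note in the namespace RBAC that ConfigMap write rights now imply code execution in both arkime pods. Without `optional: true` the pod will not start until the ConfigMap exists, consistent with the `arkime-live-rules-volume` mount below it.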
@@ -82,6 +84,9 @@ spec:
- name: arkime-live-opensearch-curlrc-secret-volume
secret:
secretName: opensearch-curlrc
+ - name: arkime-live-lua-volume
+ configMap:
+ name: arkime-lua
- name: arkime-live-rules-volume
configMap:
name: arkime-rules
diff --git a/kubernetes/24-freq.yml b/kubernetes/24-freq.yml
index ee8175e2a..87bd1ff95 100644
--- a/kubernetes/24-freq.yml
+++ b/kubernetes/24-freq.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: freq-container
- image: ghcr.io/idaholab/malcolm/freq:24.08.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 1fb13cfff..9608d5163 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: nginx-proxy-container
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.08.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
@@ -99,7 +99,7 @@ spec:
subPath: "nginx"
initContainers:
- name: nginx-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.08.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index 6f7e94d18..0c3235d98 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -33,7 +33,14 @@
"enip": ["ot", "network"]
"files": ["file"]
"ftp": ["file", "network"]
+"ge_srtp": ["ot", "network"]
+"genisys": ["ot", "network"]
"gquic": ["network"]
+"hart_ip_common_commands": ["ot", "network"]
+"hart_ip_direct_pdu_command": ["ot", "network"]
+"hart_ip": ["ot", "network"]
+"hart_ip_session_record": ["ot", "network"]
+"hart_ip_universal_commands": ["ot", "network"]
"http": ["web", "network"]
"intel": ["intrusion_detection", "network"]
"ipsec": ["network"]
@@ -42,6 +49,7 @@
"known_certs": ["file"]
"known_hosts": ["network"]
"known_modbus": ["ot", "network"]
+"known_routers": ["network"]
"known_services": ["network"]
"ldap": ["authentication", "iam", "network"]
"login": ["authentication", "network"]
@@ -82,7 +90,6 @@
"ssl": ["network"]
"stun": ["network"]
"stun_nat": ["network"]
-"syslog": ["network"]
"synchrophasor": ["ot", "network"]
"synchrophasor_cfg": ["ot", "network"]
"synchrophasor_cfg_detail": ["ot", "network"]
@@ -90,6 +97,7 @@
"synchrophasor_data": ["ot", "network"]
"synchrophasor_data_detail": ["ot", "network"]
"synchrophasor_hdr": ["ot", "network"]
+"syslog": ["network"]
"tds": ["database", "network"]
"tds_rpc": ["database", "network"]
"tds_sql_batch": ["database", "network"]
diff --git a/logstash/pipelines/enrichment/21_netbox.conf b/logstash/pipelines/enrichment/21_netbox.conf
index ae2113eac..a42ec3009 100644
--- a/logstash/pipelines/enrichment/21_netbox.conf
+++ b/logstash/pipelines/enrichment/21_netbox.conf
@@ -12,8 +12,7 @@ filter {
ruby {
id => "ruby_determine_netbox_suitability"
- # @logtypes = {"suricata"=>["alert"], "zeek"=>["conn", "known_hosts", "known_services", "notice", "signatures", "software", "weird"]}
- init => "logtypesStr = ENV['LOGSTASH_NETBOX_ENRICHMENT_DATASETS'] || 'suricata.alert,zeek.conn,zeek.dhcp,zeek.dns,zeek.known_hosts,zeek.known_services,zeek.ntlm,zeek.notice,zeek.signatures,zeek.software,zeek.weird' ; logtypesArr = logtypesStr.gsub(/\s+/, '').split(','); @logtypes = logtypesArr.group_by { |logtype| logtype.split('.').first }.transform_values { |values| values.map { |v| v.split('.')[1] } }"
+ init => "logtypesStr = ENV['LOGSTASH_NETBOX_ENRICHMENT_DATASETS'] || 'suricata.alert,zeek.conn,zeek.dhcp,zeek.dns,zeek.known_hosts,zeek.known_routers,zeek.known_services,zeek.ntlm,zeek.notice,zeek.signatures,zeek.software,zeek.weird' ; logtypesArr = logtypesStr.gsub(/\s+/, '').split(','); @logtypes = logtypesArr.group_by { |logtype| logtype.split('.').first }.transform_values { |values| values.map { |v| v.split('.')[1] } }"
code => "
provider = event.get('[event][provider]').to_s
dataset = event.get('[event][dataset]').to_s
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index 99075202d..83daff13b 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -526,7 +526,7 @@ filter {
id => "dissect_zeek_cip"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}"
}
}
if ("_dissectfailure" in [tags]) {
@@ -537,7 +537,7 @@ filter {
}
ruby {
id => "ruby_zip_zeek_cip"
- init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]"
+ init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]"
code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)"
}
}
@@ -561,7 +561,7 @@ filter {
id => "dissect_zeek_cip_identity"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}"
}
}
if ("_dissectfailure" in [tags]) {
@@ -572,7 +572,7 @@ filter {
}
ruby {
id => "ruby_zip_zeek_cip_identity"
- init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]"
+ init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]"
code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)"
}
}
@@ -595,7 +595,7 @@ filter {
id => "dissect_zeek_cip_io"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}"
}
}
if ("_dissectfailure" in [tags]) {
@@ -606,7 +606,7 @@ filter {
}
ruby {
id => "ruby_zip_zeek_cip_io"
- init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]"
+ init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]"
code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)"
}
}
@@ -919,7 +919,7 @@ filter {
id => "dissect_zeek_enip"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}"
}
}
if ("_dissectfailure" in [tags]) {
@@ -930,7 +930,7 @@ filter {
}
ruby {
id => "ruby_zip_zeek_enip"
- init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]"
+ init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]"
code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)"
}
}
@@ -1509,6 +1509,216 @@ filter {
}
}
+ } else if ([log_source] == "hart_ip_common_commands") {
+ #############################################################################################################################
+ # hart_ip_common_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_common_commands"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} 
%{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} 
%{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} 
%{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} 
%{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} 
%{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} 
%{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} 
%{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} 
%{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} 
%{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} 
%{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_common_commands"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_common_commands"
+ init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 
'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 
'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 
'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 
'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 
'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 
'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 
'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 
'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_common_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ # The other fields are basically just placeholders we don't want to store the raw data for.
+ mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto"
+ remove_field => [ "[zeek_cols][proto]",
+ "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
+ "[zeek][hart_ip][message_packet_bytes]",
+ "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
+
+
+ } else if ([log_source] == "hart_ip_direct_pdu_command") {
+ #############################################################################################################################
+ # hart_ip_direct_pdu_command.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_direct_pdu_command"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_direct_pdu_command"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_direct_pdu_command"
+ init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip") {
+ #############################################################################################################################
+ # hart_ip.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} 
%{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} %{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip"
+ init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 
'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip_session_record") {
+ #############################################################################################################################
+ # hart_ip_session_record.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_session_record"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_session_record"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_session_record"
+ init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_session_record"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip_universal_commands") {
+ #############################################################################################################################
+ # hart_ip_universal_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_universal_commands"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} 
%{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} 
%{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} 
%{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} 
%{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} 
%{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} 
%{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} 
%{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} %{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_universal_commands"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_universal_commands"
+ init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 
'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 
'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 
'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 
'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 
'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 
'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 
'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 
'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 
'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_universal_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
} else if ([log_source] == "http") {
#############################################################################################################################
# http.log
@@ -1525,7 +1735,7 @@ filter {
id => "dissect_zeek_http_with_all_fields"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
}
}
if ("_dissectfailure" in [tags]) {
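Review bot: The two new columns `client_header_names` and `server_header_names` are placed positionally before `ja4h` in the tab-delimited dissect mapping on the added line, but nothing in the hunk records where that order comes from, and a reorder of http.log columns that keeps the same column count would not raise `_dissectfailure`, so fields would silently land under the wrong names (including `password`/`post_password_*`, which then land in unexpected, possibly unmasked fields). As far as I know Zeek appends `&log` fields in the order the extending scripts are loaded, so this mapping is tied to the package load order, which is not visible here. I would add a comment above the mapping, e.g. `# column order must match the http.log #fields header produced by the loaded Zeek packages (header-names fields precede ja4h); a same-count reorder is NOT caught by _dissectfailure, so re-verify after changing package load order`. The enclosing `dissect {` filter opens before this hunk and the `if ("_dissectfailure" in [tags])` block continues past it.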
@@ -1536,18 +1746,20 @@ filter {
}
ruby {
id => "ruby_zip_zeek_http"
- init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
+ init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
}
}
mutate { id => "mutate_split_zeek_http_commas"
- split => { "[zeek_cols][orig_fuids]" => ","
+ split => { "[zeek_cols][client_header_names]" => ","
"[zeek_cols][orig_filenames]" => ","
+ "[zeek_cols][orig_fuids]" => ","
"[zeek_cols][orig_mime_types]" => ","
- "[zeek_cols][resp_fuids]" => ","
+ "[zeek_cols][proxied]" => ","
"[zeek_cols][resp_filenames]" => ","
+ "[zeek_cols][resp_fuids]" => ","
"[zeek_cols][resp_mime_types]" => ","
- "[zeek_cols][proxied]" => ","
+ "[zeek_cols][server_header_names]" => ","
"[zeek_cols][tags]" => "," } }
}
@@ -1917,6 +2129,32 @@ filter {
mutate { id => "mutate_add_tag_ics_known_modbus_log"
add_tag => [ "ics" ] }
+ } else if ([log_source] == "known_routers") {
+ #############################################################################################################################
+ # known_routers.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_known_routers"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_routers"
+ # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_routers"
+ init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
} else if ([log_source] == "known_services") {
#############################################################################################################################
# known_services.log
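Review bot: The column delimiter in the `dissect` mapping and in the `split => { "[message]" => " " }` fallback renders here as a plain space, while the comment directly above each one says Zeek's delimiter is a literal tab; if the committed bytes really are spaces, every known_routers line would hit `_dissectfailure` and the split would never separate the columns. This is likely just how the diff view shows a tab, so it only needs a check of the committed file rather than a change. The enclosing `filter` block starts and ends outside the hunk.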
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 6a9d7e3e8..182adb633 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -315,11 +315,28 @@ filter {
remove_field => [ "[zeek][bsap_serial_rdb][variable_value]",
"[zeek][bsap_serial_rdb][data_len]" ] }
+ } else if ([log_source] == "cip_io") {
+ #############################################################################################################################
+ # cip_io.log specific logic
+
+ if ([zeek][cip_io][packet_correlation_id]) {
+ mutate {
+ id => "mutate_rename_cip_io_packet_correlation_id"
+ rename => { "[zeek][cip_io][packet_correlation_id]" => "[zeek][cip][packet_correlation_id]" }
+ }
+ }
} else if ([log_source] == "cip_identity") {
#############################################################################################################################
# cip_identity.log specific logic
+ if ([zeek][cip_identity][packet_correlation_id]) {
+ mutate {
+ id => "mutate_rename_cip_identity_packet_correlation_id"
+ rename => { "[zeek][cip_identity][packet_correlation_id]" => "[zeek][cip][packet_correlation_id]" }
+ }
+ }
+
if ([zeek][cip_identity][socket_address]) {
# if this is a zeek_cip_identity record with socket_address, ASN/GeoIP it as well
@@ -516,6 +533,17 @@ filter {
# TODO: domain stuff (dns.question.registered_domain, dns.question.subdomain, dns.question.top_level_domain)
# perhaps use something like https://github.com/plutonbacon/logstash-filter-publicsuffix
+ } else if ([log_source] == "enip") {
+ #############################################################################################################################
+ # enip.log specific logic
+
+ if ([zeek][enip][packet_correlation_id]) {
+ mutate {
+ id => "mutate_rename_enip_packet_correlation_id"
+ rename => { "[zeek][enip][packet_correlation_id]" => "[zeek][cip][packet_correlation_id]" }
+ }
+ }
+
} else if ([log_source] == "files") {
#############################################################################################################################
# files.log specific logic
@@ -1451,6 +1479,40 @@ filter {
}
}
+ } else if ([log_source] =~ /^hart_ip/) {
+ #############################################################################################################################
+ # hart IP logs specific logic
+
+ # There is a lot of linking between various different field types to tie logs together,
+ # see https://github.com/cisagov/icsnpp-hart-ip/tree/main/scripts.
+ # We want to rename these fields as much as possible in order to have them cofilterable.
+
+ mutate {
+ id => "mutate_rename_hart_ip_linkage_fields"
+ rename => { "[zeek][hart_ip_common_commands][command_number_link_id]" => "[zeek][hart_ip][command_number_link_id]" }
+ rename => { "[zeek][hart_ip_direct_pdu_command][command_number_link_id]" => "[zeek][hart_ip][command_number_link_id]" }
+ rename => { "[zeek][hart_ip_direct_pdu_command][direct_pdu_command_link_id]" => "[zeek][hart_ip][direct_pdu_command_link_id]" }
+ rename => { "[zeek][hart_ip_session_record][session_log_record_link_id]" => "[zeek][hart_ip][session_log_record_link_id]" }
+ rename => { "[zeek][hart_ip_universal_commands][command_number_link_id]" => "[zeek][hart_ip][command_number_link_id]" }
+ }
+
+ # drop float fields that have 'nan' as their value
+ ruby {
+ id => "ruby_hartip_drop_nan"
+ # this is a hard-coded list of the float fields, I don't think we can get them dynamically
+ init => "@result_hash = {} ; ['[zeek][hart_ip_common_commands][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]','[zeek][hart_ip_common_commands][enter_exit_fixed_current_mode_pv_fixed_current_level]','[zeek][hart_ip_common_commands][read_analog_channel_and_percent_of_range_response_analog_channel_level]','[zeek][hart_ip_common_commands][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]','[zeek][hart_ip_common_commands][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]','[zeek][hart_ip_common_commands][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]','[zeek][hart_ip_common_commands][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]','[zeek][hart_ip_common_commands][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]','[zeek][hart_ip_common_commands][read_analog_channel_information_response_analog_channel_damping_value]','[zeek][hart_ip_common_commands][read_analog_channel_information_response_analog_channel_lower_range_value]','[zeek][hart_ip_common_commands][read_analog_channel_information_response_analog_channel_upper_range_value]','[zeek][hart_ip_common_commands][read_analog_channels_response_analog_channel_level_slot0]','[zeek][hart_ip_common_commands][read_analog_channels_response_analog_channel_level_slot1]','[zeek][hart_ip_common_commands][read_analog_channels_response_analog_channel_level_slot2]','[zeek][hart_ip_common_commands][read_analog_channels_response_analog_channel_level_slot3]','[zeek][hart_ip_common_commands][read_device_variable_information_response_device_variable_damping_value]','[zeek][hart_ip_common_commands][read_device_variable_information_response_device_variable_lower_transducer_limit]','[zeek][hart_ip_common_commands][read_device_variable_information_response_device_variable_minimum_span]','[zeek][hart_ip_common_commands][read_device_variable_information_response_devic
e_variable_upper_transducer_limit]','[zeek][hart_ip_common_commands][read_device_variable_trim_points_response_lower_or_single_trim_point]','[zeek][hart_ip_common_commands][read_device_variable_trim_points_response_upper_trim_point]','[zeek][hart_ip_common_commands][read_device_variables_response_slot0_device_variable]','[zeek][hart_ip_common_commands][read_device_variables_response_slot1_device_variable]','[zeek][hart_ip_common_commands][read_device_variables_response_slot2_device_variable]','[zeek][hart_ip_common_commands][read_device_variables_response_slot3_device_variable]','[zeek][hart_ip_common_commands][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]','[zeek][hart_ip_common_commands][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]','[zeek][hart_ip_common_commands][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]','[zeek][hart_ip_common_commands][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]','[zeek][hart_ip_common_commands][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]','[zeek][hart_ip_common_commands][trim_analog_channel_gain_analog_channel_level]','[zeek][hart_ip_common_commands][trim_analog_channel_zero_analog_channel_level]','[zeek][hart_ip_common_commands][trim_loop_current_gain_measured_pv_loop_current_level]','[zeek][hart_ip_common_commands][trim_loop_current_zero_measured_pv_loop_current_level]','[zeek][hart_ip_common_commands][write_analog_channel_additional_damping_value_analog_channel_damping_value]','[zeek][hart_ip_common_commands][write_analog_channel_range_values_analog_channel_lower_range_value]','[zeek][hart_ip_common_commands][write_analog_channel_range_values_analog_channel_upper_range_value]','[zeek][hart_ip_common_commands][write_device_variable_damping_value_device_variable_damping_value]','[zeek][hart_ip_common_commands][write_d
evice_variable_device_variable_value]','[zeek][hart_ip_common_commands][write_device_variable_trim_point_trim_point_value]','[zeek][hart_ip_common_commands][write_primary_variable_damping_value_pv_damping_value]','[zeek][hart_ip_common_commands][write_primary_variable_range_values_p_v_lower_range_value]','[zeek][hart_ip_common_commands][write_primary_variable_range_values_pv_upper_range_value]','[zeek][hart_ip_universal_commands][read_device_information_response_p_v_damping_value]','[zeek][hart_ip_universal_commands][read_device_information_response_p_v_lower_range_value]','[zeek][hart_ip_universal_commands][read_device_information_response_p_v_upper_range_value]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot0_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot1_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot2_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot3_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot4_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot5_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot6_device_variable]','[zeek][hart_ip_universal_commands][read_device_variable_response_slot7_device_variable]','[zeek][hart_ip_universal_commands][read_dynamic_variable_response_primary_variable]','[zeek][hart_ip_universal_commands][read_dynamic_variable_response_primary_variable_loop_current]','[zeek][hart_ip_universal_commands][read_dynamic_variable_response_quaternary_variable]','[zeek][hart_ip_universal_commands][read_dynamic_variable_response_secondary_variable]','[zeek][hart_ip_universal_commands][read_dynamic_variable_response_tertiary_variable]','[zeek][hart_ip_universal_commands][read_loop_current_response_primary_variable_loop_current]','[zeek][hart_ip_universal_commands][read_loop_current_response_
primary_variable_percent_range]','[zeek][hart_ip_universal_commands][read_primary_variable_response_primary_variable]','[zeek][hart_ip_universal_commands][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]','[zeek][hart_ip_universal_commands][read_primary_variable_transducer_information_response_p_v_minimum_span]','[zeek][hart_ip_universal_commands][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]'].each do |string| key = string.match(/\[([^\[\]]+)\]\[([^\[\]]+)\]/)[2] ; @result_hash[key] ||= [] ; @result_hash[key] << string end"
+ code => "
+ dataset = event.get('[log_source]').to_s
+ if @result_hash.key?(dataset) then
+ @result_hash[dataset].each do |field|
+ if (event.get(field).to_s.downcase == 'nan') then
+ event.remove(field)
+ end
+ end
+ end
+ "
+ }
+
} else if ([log_source] =~ /^opcua_binary/) {
#############################################################################################################################
# opcua-binary-*.log specific logic
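Review bot: The `mutate_rename_hart_ip_linkage_fields` block repeats the `rename =>` setting five times on one plugin; I cannot confirm from here whether the Logstash config compiler merges repeated hash settings or lets the last one win, and a single `rename => { ... }` hash holding all five pairs is correct under either behaviour, so I would collapse them. The three sources mapped onto `[zeek][hart_ip][command_number_link_id]` cannot collide because an event has one `[log_source]`, which is worth a one-line comment there. The `ruby_hartip_drop_nan` filter keys `@result_hash` by the second bracketed path component, so it only works while those names equal `[log_source]` exactly; a comment stating that coupling would help whoever adds the next float field. The enclosing `filter` block starts and ends outside the hunk.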
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index e3a7b212d..9774603f8 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -71,10 +71,17 @@ filter {
# collect protocol version under the parent network.protocol_version array
if ([zeek][gquic][version]) { mutate { id => "mutate_merge_normalize_zeek_gquic_version"
- merge => { "[network][protocol_version]" => "[zeek][gquic][version]" } } }
+ merge => { "[network][protocol_version]" => "[zeek][gquic][version]" } } }
if ([zeek][http][version]) { mutate { id => "mutate_merge_normalize_zeek_http_version"
- merge => { "[network][protocol_version]" => "[zeek][http][version]" } } }
+ merge => { "[network][protocol_version]" => "[zeek][http][version]" } } }
+
+ if ([zeek][hart_ip][header_version]) { mutate { id => "mutate_merge_normalize_zeek_hart_ip_version"
+ merge => { "[network][protocol_version]" => "[zeek][hart_ip][header_version]" } } }
+
+ if ([zeek][hart_ip_universal_commands][read_unique_identifier_response_hart_protocol_major_revision]) {
+ mutate { id => "mutate_merge_normalize_zeek_hart_ip_universal_commands_read_unique_identifier_response_hart_protocol_major_revision"
+ merge => { "[network][protocol_version]" => "[zeek][hart_ip_universal_commands][read_unique_identifier_response_hart_protocol_major_revision]" } } }
if ([zeek][ipsec]) {
ruby {
@@ -305,6 +312,26 @@ filter {
}
}
+ if ([zeek][hart_ip]) {
+ ruby {
+ # action = zeek.hart_ip.header_message_type_message_type:zeek.hart_ip.header_message_id
+ id => "ruby_zeek_hart_ip_generate_action"
+ code => "
+ action = [event.get('[zeek][hart_ip][header_message_type_message_type]'),
+ event.get('[zeek][hart_ip][header_message_id]')&.gsub(/\s+\([^\)]*\)\z/, '').to_s].reject{ |e| e.nil? || e.empty? }.join(':')
+ if !action.nil? and (action.length > 0) then
+ actions = Array.new unless (actions = event.get('[event][action]'))
+ actions.append(action)
+ event.set('[event][action]', actions)
+ end"
+ }
+ }
+
+ if ([zeek][hart_ip_direct_pdu_command][direct_pdu_command_command_number]) {
+ mutate { id => "mutate_merge_normalize_zeek_hart_ip_direct_pdu_command_direct_pdu_command_command_number"
+ merge => { "[event][action]" => "[zeek][hart_ip_direct_pdu_command][direct_pdu_command_command_number]" } }
+ }
+
if ([zeek][http]) {
if ([zeek][http][method]) {
mutate { id => "mutate_merge_normalize_zeek_http_method"
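Review bot: `event.get('[zeek][hart_ip][header_message_id]')&.gsub(...)` only guards against nil; if that field ever arrives as an Integer (for example from the JSON-parsed path), `gsub` raises NoMethodError and the event is tagged `_rubyexception`. `event.get('[zeek][hart_ip][header_message_id]').to_s.gsub(/\s+\([^\)]*\)\z/, '')` handles nil and non-string values alike and makes the trailing `.to_s` redundant. `action` is always a String after `join`, so the `!action.nil?` test on the following line can be dropped. The enclosing `filter` block starts and ends outside the hunk.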
@@ -813,6 +840,13 @@ filter {
}
}
+ if ([zeek][hart_ip][header_status_code]) { mutate { id => "mutate_merge_normalize_zeek_hart_ip_header_status_code_result"
+ merge => { "[event][result]" => "[zeek][hart_ip][header_status_code]" } } }
+ if ([zeek][hart_ip_direct_pdu_command][direct_pdu_contents_response_response_code]) {
+ mutate { id => "mutate_merge_normalize_zeek_hart_ip_direct_pdu_command_direct_pdu_contents_response_response_code"
+ merge => { "[event][result]" => "[zeek][hart_ip_direct_pdu_command][direct_pdu_contents_response_response_code]" } }
+ }
+
if ([zeek][http][status_code]) {
# normalized version of http reply code (status_msg is too unpredictable)
translate {
@@ -1264,6 +1298,20 @@ filter {
merge => { "[event][id]" => "[zeek][fuid]" } }
}
+ # add hart-ip linkages to event.ID as well
+ if ([zeek][hart_ip][command_number_link_id]) {
+ mutate { id => "mutate_add_field_ecs_id_hart_ip_command_number_link_id"
+ merge => { "[event][id]" => "[zeek][hart_ip][command_number_link_id]" } }
+ }
+ if ([zeek][hart_ip][direct_pdu_command_link_id]) {
+ mutate { id => "mutate_add_field_ecs_id_hart_ip_direct_pdu_command_link_id"
+ merge => { "[event][id]" => "[zeek][hart_ip][direct_pdu_command_link_id]" } }
+ }
+ if ([zeek][hart_ip][session_log_record_link_id]) {
+ mutate { id => "mutate_add_field_ecs_id_hart_ip_session_log_record_link_id"
+ merge => { "[event][id]" => "[zeek][hart_ip][session_log_record_link_id]" } }
+ }
+
# File/MIME types ###################################################################################################
# ECS -> various -> file.mime_type
# collect all file/MIME types under the parent [file][mime_type] array
@@ -1475,6 +1523,14 @@ filter {
merge => { "[related][ip]" => "[zeek][ftp][data_channel][orig_h]" } } }
if ([zeek][ftp][data_channel][resp_h]) { mutate { id => "mutate_merge_field_related_ip_zeek_ftp_data_channel_resp_h"
merge => { "[related][ip]" => "[zeek][ftp][data_channel][resp_h]" } } }
+ if ([zeek][hart_ip_session_record][session_log_record_client_i_pv4_address]) {
+ mutate { id => "mutate_merge_field_related_ip_zeek_hart_ip_session_record_session_log_record_client_i_pv4_address"
+ merge => { "[related][ip]" => "[zeek][hart_ip_session_record][session_log_record_client_i_pv4_address]" } }
+ }
+ if ([zeek][hart_ip_session_record][session_log_record_client_i_pv6_address]) {
+ mutate { id => "mutate_merge_field_related_ip_zeek_hart_ip_session_record_session_log_record_client_i_pv6_address"
+ merge => { "[related][ip]" => "[zeek][hart_ip_session_record][session_log_record_client_i_pv6_address]" } }
+ }
if ([zeek][notice][dst]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_dst"
merge => { "[related][ip]" => "[zeek][notice][dst]" } } }
if ([zeek][notice][src]) { mutate { id => "mutate_merge_field_related_ip_zeek_notice_src"
diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/14_zeek_convert.conf
index 3103b0d62..7fc747619 100644
--- a/logstash/pipelines/zeek/14_zeek_convert.conf
+++ b/logstash/pipelines/zeek/14_zeek_convert.conf
@@ -412,4 +412,56 @@ filter {
}
}
+ # these hart IP date/time fields are not actually Zeek values yet, so track https://github.com/cisagov/icsnpp-hart-ip/issues/15
+ # and adjust this appropriately once that is fixed
+
+ if ([zeek][hart_ip][read_audit_log_power_up_time]) {
+ if ([zeek][hart_ip][read_audit_log_power_up_time] == "0") {
+ mutate { id => "mutate_remove_field_zeek_hart_ip_read_audit_log_power_up_time"
+ remove_field => [ "[zeek][hart_ip][read_audit_log_power_up_time]" ] }
+ } else {
+ date {
+ id => "date_zeek_hart_ip_read_audit_log_power_up_time"
+ match => [ "[zeek][hart_ip][read_audit_log_power_up_time]", "UNIX" ]
+ target => "[zeek][hart_ip][read_audit_log_power_up_time]"
+ }
+ }
+ }
+ if ([zeek][hart_ip][read_audit_log_last_security_change]) {
+ if ([zeek][hart_ip][read_audit_log_last_security_change] == "0") {
+ mutate { id => "mutate_remove_field_zeek_hart_ip_read_audit_log_last_security_change"
+ remove_field => [ "[zeek][hart_ip][read_audit_log_last_security_change]" ] }
+ } else {
+ date {
+ id => "date_zeek_hart_ip_read_audit_log_last_security_change"
+ match => [ "[zeek][hart_ip][read_audit_log_last_security_change]", "UNIX" ]
+ target => "[zeek][hart_ip][read_audit_log_last_security_change]"
+ }
+ }
+ }
+ if ([zeek][hart_ip_session_record][session_log_record_connect_time]) {
+ if ([zeek][hart_ip_session_record][session_log_record_connect_time] == "0") {
+ mutate { id => "mutate_remove_field_zeek_hart_ip_session_record_session_log_record_connect_time"
+ remove_field => [ "[zeek][hart_ip_session_record][session_log_record_connect_time]" ] }
+ } else {
+ date {
+ id => "date_zeek_hart_ip_session_record_session_log_record_connect_time"
+ match => [ "[zeek][hart_ip_session_record][session_log_record_connect_time]", "UNIX" ]
+ target => "[zeek][hart_ip_session_record][session_log_record_connect_time]"
+ }
+ }
+ }
+ if ([zeek][hart_ip_session_record][session_log_record_disconnect_time]) {
+ if ([zeek][hart_ip_session_record][session_log_record_disconnect_time] == "0") {
+ mutate { id => "mutate_remove_field_zeek_hart_ip_session_record_session_log_record_disconnect_time"
+ remove_field => [ "[zeek][hart_ip_session_record][session_log_record_disconnect_time]" ] }
+ } else {
+ date {
+ id => "date_zeek_hart_ip_session_record_session_log_record_disconnect_time"
+ match => [ "[zeek][hart_ip_session_record][session_log_record_disconnect_time]", "UNIX" ]
+ target => "[zeek][hart_ip_session_record][session_log_record_disconnect_time]"
+ }
+ }
+ }
+
}
\ No newline at end of file
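Review bot: Each of the four new stanzas guards with `[field] == "0"`, which matches a string zero; if the JSON-parsed form of these logs delivers the value as a number, the comparison is false and the `date` filter turns the 0 into 1970-01-01, which is exactly what the guard is there to prevent. Unless the field is certain to be a string here, widen the guard to `if ([zeek][hart_ip][read_audit_log_power_up_time] == "0" or [zeek][hart_ip][read_audit_log_power_up_time] == 0) {` and likewise for the other three. The file still ends without a trailing newline, as the diff marks; adding one after the closing brace is a free cleanup. The enclosing `filter` block starts outside the hunk.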
diff --git a/logstash/ruby/format_index_string.rb b/logstash/ruby/format_index_string.rb
index eb66b3593..40456d702 100644
--- a/logstash/ruby/format_index_string.rb
+++ b/logstash/ruby/format_index_string.rb
@@ -58,7 +58,22 @@ def filter(event)
end
suffix_resolved = @suffix
- if parts = @suffix.scan(/(%{([^}]+)})/) then
+ # first handle field substitution in {{ }}
+ if parts = suffix_resolved.scan(/({{([^}]+)}})/) then
+ if parts.kind_of?(Array) then
+ parts.each do |pair|
+ if pair.kind_of?(Array) and (pair.length > 0) then
+ bracketed_field_name = pair[1].gsub(/\s+/, '').split('.').map { |part| "[#{part}]" }.join
+ suffix_resolved =
+ suffix_resolved.sub(pair[0],
+ event.get("#{bracketed_field_name}").to_s.downcase.gsub(/[^a-z0-9_\-]/, '').gsub(/^[\-_]+/, ''))
+ end
+ end
+ end
+ end
+
+ # now handle timestamp substitution in %{}
+ if parts = suffix_resolved.scan(/(%{([^}]+)})/) then
if parts.kind_of?(Array) then
parts.each do |pair|
if pair.kind_of?(Array) and (pair.length > 0) then
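Review bot: A `{{ }}` field that is absent, or whose value is reduced to nothing by the character stripping, is substituted with an empty string, so the index suffix silently collapses to something like `_-` with no signal that the field was missing; consider sanitizing into a local and substituting a fixed placeholder when it is empty, e.g. `clean = event.get(bracketed_field_name).to_s.downcase.gsub(/[^a-z0-9_\-]/, '').gsub(/^[\-_]+/, '')` followed by `suffix_resolved = suffix_resolved.sub(pair[0], clean.empty? ? 'unknown' : clean)`. Because the substituted value comes from event data, a high-cardinality field in the suffix template creates one index per distinct value, which is an easy way to exhaust shards on the cluster; the filter's documentation should state that the referenced field must be low-cardinality. `def filter(event)` starts and ends outside the hunk.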
diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh
index 5a9c93db3..c22263548 100755
--- a/malcolm-iso/build.sh
+++ b/malcolm-iso/build.sh
@@ -94,6 +94,7 @@ if [ -d "$WORKDIR" ]; then
# grab things from the Malcolm parent directory into /etc/skel so the user's got it set up in their home/Malcolm dir
pushd "$SCRIPT_PATH/.." >/dev/null 2>&1
MALCOLM_DEST_DIR="$WORKDIR/work/$IMAGE_NAME-Live-Build/config/includes.chroot/etc/skel/Malcolm"
+ mkdir -p "$MALCOLM_DEST_DIR/arkime/lua/"
mkdir -p "$MALCOLM_DEST_DIR/arkime/rules/"
mkdir -p "$MALCOLM_DEST_DIR/config/"
mkdir -p "$MALCOLM_DEST_DIR/filebeat/certs/"
diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 9c0131952..55f54c4a6 100755
--- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -88,6 +88,7 @@ net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=1
+net.ipv4.tcp_retries2=5
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
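Review bot: `net.ipv4.tcp_retries2=5` deserves a comment, since nothing in this sysctl list explains why the kernel default of 15 is being lowered. With 5 retransmissions an established connection that stops receiving ACKs is torn down after seconds to tens of seconds of exponential backoff (depending on the measured RTO) instead of the default's roughly 15 minutes, which speeds up dead-peer detection but will also drop long-lived connections across links with transient loss. Suggest `# tear down established TCP connections after 5 unanswered retransmissions (kernel default 15, ~15 min) for faster dead-peer detection` above the line.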
diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile
index ecc7852a2..8057a54f5 100644
--- a/malcolm-iso/vagrant/Vagrantfile
+++ b/malcolm-iso/vagrant/Vagrantfile
@@ -36,6 +36,16 @@ Vagrant.configure("2") do |config|
lv.cpus = 4
end
+ config.vm.provider "vmware_desktop" do |vd|
+ vd.memory = "8192"
+ vd.cpus = 4
+ end
+
+ config.vm.provider "vmware_fusion" do |vf|
+ vf.memory = "8192"
+ vf.cpus = 4
+ end
+
config.vm.provision "shell", inline: <<-STEP1
dpkg-reconfigure debconf -f noninteractive -p critical
export DEBIAN_FRONTEND=noninteractive
diff --git a/scripts/build.sh b/scripts/build.sh
index 909d3cab6..050128dbc 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -15,13 +15,14 @@ if ! (type "$REALPATH" && type "$DIRNAME" && type "$GREP") > /dev/null; then
exit 1
fi
+MALCOLM_CONTAINER_RUNTIME="${MALCOLM_CONTAINER_RUNTIME:-docker}"
DOCKER_COMPOSE_BIN=()
-if docker compose version >/dev/null 2>&1; then
- DOCKER_COMPOSE_BIN=(docker compose)
- DOCKER_BIN=docker
-elif docker-compose version >/dev/null 2>&1; then
- DOCKER_COMPOSE_BIN=(docker-compose)
- DOCKER_BIN=docker
+if $MALCOLM_CONTAINER_RUNTIME compose version >/dev/null 2>&1; then
+ DOCKER_COMPOSE_BIN=($MALCOLM_CONTAINER_RUNTIME compose)
+ DOCKER_BIN=$MALCOLM_CONTAINER_RUNTIME
+elif ${MALCOLM_CONTAINER_RUNTIME}-compose version >/dev/null 2>&1; then
+ DOCKER_COMPOSE_BIN=(${$MALCOLM_CONTAINER_RUNTIME}-compose)
+ DOCKER_BIN=$MALCOLM_CONTAINER_RUNTIME
elif $GREP -q Microsoft /proc/version; then
if docker.exe compose version >/dev/null 2>&1; then
DOCKER_COMPOSE_BIN=(docker.exe compose)
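Review bot: `${$MALCOLM_CONTAINER_RUNTIME}-compose` on the `elif` branch is a bash bad substitution; expansion errors abort a non-interactive shell, so any host where `<runtime> compose` is unavailable but `<runtime>-compose` is installed now dies instead of falling through. It should read `DOCKER_COMPOSE_BIN=("${MALCOLM_CONTAINER_RUNTIME}-compose")`. The unquoted `$MALCOLM_CONTAINER_RUNTIME` in the `if` test and array assignment is presumably deliberate, but a multi-word value would also break `DOCKER_BIN`, so a comment saying a single-token binary name is expected would help.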
@@ -121,9 +122,9 @@ fi
# build the image(s)
DOCKER_COMPOSE_COMMAND="${DOCKER_COMPOSE_BIN[@]} --profile malcolm -f "$CONFIG_FILE""
if [[ $CONFIRMATION =~ ^[Yy] ]]; then
- $DOCKER_COMPOSE_COMMAND --progress=plain build --force-rm --no-cache --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@"
+ $DOCKER_COMPOSE_COMMAND --progress=plain build --force-rm --no-cache --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL="${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg ZEEK_DEB_ALTERNATE_DOWNLOAD_URL="${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@"
else
- $DOCKER_COMPOSE_COMMAND --progress=plain build --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@"
+ $DOCKER_COMPOSE_COMMAND --progress=plain build --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL="${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg ZEEK_DEB_ALTERNATE_DOWNLOAD_URL="${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@"
fi
# we're going to do some validation that some things got pulled/built correctly
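Review bot: The two new build args pass URLs into the image build, and build args are recorded in the image's layer history, so if `MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL` or `ZEEK_DEB_ALTERNATE_DOWNLOAD_URL` ever carries a pre-signed URL or an embedded token it becomes retrievable from the published image, as `MAXMIND_GEOIP_DB_LICENSE_KEY` already is. If a credential-bearing URL is a realistic use, a BuildKit secret mount would keep it out of the image metadata. Separately, since `ZEEK_DEB_ALTERNATE_DOWNLOAD_URL` replaces the source of a package installed into the image, the Dockerfile that consumes it (not visible here) should verify the downloaded .deb against a known checksum or signature rather than trusting whatever the URL serves.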
diff --git a/scripts/control.py b/scripts/control.py
index f6127f0b8..e18d6395e 100755
--- a/scripts/control.py
+++ b/scripts/control.py
@@ -32,6 +32,7 @@
AskForString,
BoundPath,
ChooseOne,
+ CONTAINER_RUNTIME_KEY,
DetermineYamlFileFormat,
DisplayMessage,
DisplayProgramBox,
@@ -117,7 +118,7 @@ def __exit__(self, *args):
args = None
dockerBin = None
-# dockerComposeBin might be e.g., ('docker', 'compose') or 'docker-compose',
+# dockerComposeBin might be e.g., ('docker', 'compose'), ('podman', 'compose'), or 'docker-compose', etc.
# it will be flattened in run_process
dockerComposeBin = None
dockerComposeYaml = None
@@ -213,9 +214,10 @@ def keystore_op(service, dropPriv=False, *keystore_args, **run_process_kwargs):
# if we're using docker-uid-gid-setup.sh to drop privileges as we spin up a container
dockerUidGuidSetup = "/usr/local/bin/docker-uid-gid-setup.sh"
- # docker-compose use local temporary path
+ # compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
# open up the docker-compose file and "grep" for the line where the keystore file
# is bind-mounted into the service container (once and only once). the bind
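Review bot: The `if not args.noTmpDirOverride: osEnv['TMPDIR'] = MalcolmTmpPath` pair introduced here is repeated verbatim in the `status`, `netboxBackup`, `netboxRestore`, `logs`, `stop`, `start` and `main` hunks of this file; a small helper returning the prepared copy of `os.environ` (say `def composeEnv():`) would keep the eight sites from drifting when the next knob is added. `keystore_op` continues outside the hunk.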
@@ -300,6 +302,8 @@ def keystore_op(service, dropPriv=False, *keystore_args, **run_process_kwargs):
'run',
# remove the container when complete
'--rm',
+ # if using podman, use --userns keep-id
+ ['--userns', 'keep-id'] if dockerBin.startswith('podman') else '',
# if using stdin, indicate the container is "interactive", else noop
'-i' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '',
# if dropPriv, dockerUidGuidSetup will take care of dropping privileges for the correct UID/GID
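Review bot: `dockerBin.startswith('podman')` misses the case where the runtime was given as a path (`--runtime /usr/bin/podman`, or an absolute path read from process.env), so `--userns keep-id` is silently omitted and the rootless-podman UID mapping it exists for is not applied; use `['--userns', 'keep-id'] if os.path.basename(dockerBin).startswith('podman') else '',`. This line also assumes `dockerBin` has already been set when `keystore_op` runs, since it is initialised to `None` at module level; a short comment stating that precondition would help. `keystore_op` continues outside the hunk.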
@@ -419,7 +423,8 @@ def status():
if orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# docker-compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
cmd = [dockerComposeBin, '--profile', args.composeProfile, '-f', args.composeFile, 'ps']
if args.service is not None:
@@ -489,7 +494,8 @@ def netboxBackup(backupFileName=None):
if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and (args.composeProfile == PROFILE_MALCOLM):
# docker-compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
dockerCmd = [
dockerComposeBin,
@@ -579,7 +585,8 @@ def netboxRestore(backupFileName=None):
if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and (args.composeProfile == PROFILE_MALCOLM):
# docker-compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
dockerCmdBase = [
dockerComposeBin,
@@ -729,7 +736,8 @@ def logs():
osEnv = os.environ.copy()
# use local temporary path
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
if orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# increase COMPOSE_HTTP_TIMEOUT to be ridiculously large so docker-compose never times out the TTY doing debug output
@@ -841,7 +849,8 @@ def stop(wipe=False):
if orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# docker-compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
if args.service is not None:
# stopping a single (or multiple services)
@@ -1103,10 +1112,19 @@ def start():
osEnv = os.environ.copy()
osEnv['COMPOSE_HTTP_TIMEOUT'] = '100000000'
# docker-compose use local temporary path
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
# start docker
- cmd = [dockerComposeBin, '--profile', args.composeProfile, '-f', args.composeFile, 'up', '--detach']
+ cmd = [
+ dockerComposeBin,
+ '--profile',
+ args.composeProfile,
+ '-f',
+ args.composeFile,
+ 'up',
+ '--detach',
+ ]
if args.service is not None:
cmd.append(['--no-deps', args.service])
@@ -2088,6 +2106,26 @@ def main():
default=None,
help='docker-compose profile to enable',
)
+ parser.add_argument(
+ '-r',
+ '--runtime',
+ required=False,
+ dest='runtimeBin',
+ metavar='',
+ type=str,
+ default=os.getenv('MALCOLM_CONTAINER_RUNTIME', ''),
+ help='Container runtime binary (e.g., docker, podman)',
+ )
+ parser.add_argument(
+ '--no-tmpdir-override',
+ required=False,
+ dest='noTmpDirOverride',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('MALCOLM_NO_TMPDIR_OVERRIDE', default='False')),
+ help="Don't override TMPDIR for compose commands",
+ )
operationsGroup = parser.add_argument_group('Runtime Control')
operationsGroup.add_argument(
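Review bot: The `--runtime` help text does not say what happens when the option is left at its empty default, yet the behaviour (fall back to the value in process.env, then to `docker`) is the part a user needs to know; `metavar=''` also hides the value placeholder from the usage line. I would write `help='Container runtime binary (e.g., docker, podman); if empty, read from process.env, else docker'` and give the option a metavar such as `metavar='<binary>'`. For `--no-tmpdir-override`, the help could name the environment variable it mirrors: `help="Don't override TMPDIR for compose commands (MALCOLM_NO_TMPDIR_OVERRIDE)"`.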
@@ -2373,11 +2411,32 @@ def main():
# docker-compose use local temporary path
osEnv = os.environ.copy()
- osEnv['TMPDIR'] = MalcolmTmpPath
+ if not args.noTmpDirOverride:
+ osEnv['TMPDIR'] = MalcolmTmpPath
if orchMode is OrchestrationFramework.DOCKER_COMPOSE:
+ # identify runtime engine
+ runtimeBinSrc = ''
+ if args.runtimeBin:
+ dockerBin = args.runtimeBin
+ runtimeBinSrc = 'specified'
+ else:
+ processEnvFile = os.path.join(args.configDir, 'process.env')
+ try:
+ if os.path.isfile(processEnvFile):
+ dockerBin = dotenvImported.get_key(processEnvFile, CONTAINER_RUNTIME_KEY)
+ runtimeBinSrc = os.path.basename(processEnvFile)
+ else:
+ runtimeBinSrc = 'process.env not found'
+ except Exception as e:
+ runtimeBinSrc = f'exception ({e})'
+ if not dockerBin:
+ dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and which('docker.exe')) else 'docker'
+ runtimeBinSrc = 'default'
+ if args.debug:
+ eprint(f"Container runtime ({runtimeBinSrc}): {dockerBin}")
+
# make sure docker and docker compose are available
- dockerBin = 'docker.exe' if ((pyPlatform == PLATFORM_WINDOWS) and which('docker.exe')) else 'docker'
err, out = run_process([dockerBin, 'info'], debug=args.debug)
if err != 0:
raise Exception(f'{ScriptName} requires docker, please run install.py')
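Review bot: `dockerBin` is never assigned on the `process.env not found` path or when `get_key` raises, so `if not dockerBin:` would fail with an unbound local unless `dockerBin` is initialised earlier in main() outside this hunk; initialising it next to the source marker, `dockerBin = None` after `runtimeBinSrc = ''`, makes the fallback to `docker` reliable on every path. The selected binary is passed straight to `run_process` without checking it resolves, so a typo in `--runtime` or in process.env surfaces only as the generic `requires docker` message, which is now misleading when a different runtime was requested; a `which(dockerBin)` check before the `info` call, and an error message that names `dockerBin`, would make the failure self-explanatory. main() continues outside the hunk.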
diff --git a/scripts/demo/Vagrantfile b/scripts/demo/Vagrantfile
index e80b63314..d90236f7d 100644
--- a/scripts/demo/Vagrantfile
+++ b/scripts/demo/Vagrantfile
@@ -43,6 +43,19 @@ Vagrant.configure("2") do |config|
libvirt.storage :file, :size => '150G'
end
+
+ config.vm.provider "vmware_desktop" do |vd|
+ vd.cpus = 8
+ vd.memory = 24576
+ config.vm.disk :disk, size: "150G"
+ end
+
+ config.vm.provider "vmware_fusion" do |vf|
+ vf.cpus = 8
+ vf.memory = 24576
+ config.vm.disk :disk, size: "150G"
+ end
+
config.vm.provision "shell", privileged: true, inline: <<-STEP0
yum install -y btrfs-progs
DISK=$(lsblk -o NAME,FSTYPE -dsn | awk '$2 == "" {print $1}' | grep -P "^[a-z]+$" | tail -n 1)
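Review bot: `config.vm.disk :disk, size: "150G"` inside the two new provider blocks mutates the top-level machine config rather than a provider-specific setting, and the same call appears in both blocks; whether Vagrant evaluates only the active provider's block, or registers the primary-disk resize twice, should be confirmed before relying on it, and `config.vm.disk` is also an experimental Vagrant feature that is ignored unless the disks experiment is enabled. A comment such as `# primary-disk resize; requires VAGRANT_EXPERIMENTAL="disks"` above the call would save the next reader that investigation. The two blocks are otherwise identical, so a shared lambda or a loop over the two provider names would keep them from drifting apart.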
diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh
index 04212765e..248121e30 100755
--- a/scripts/github_image_helper.sh
+++ b/scripts/github_image_helper.sh
@@ -16,6 +16,7 @@ if ! (type "$REALPATH" && type "$DIRNAME" && type "$GREP" && type git) > /dev/nu
fi
SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"
IMAGE_ARCH_SUFFIX="$(uname -m | sed 's/^x86_64$//' | sed 's/^arm64$/-arm64/' | sed 's/^aarch64$/-arm64/')"
+MALCOLM_CONTAINER_RUNTIME="${MALCOLM_CONTAINER_RUNTIME:-docker}"
set -uo pipefail
shopt -s nocasematch
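Review bot: `MALCOLM_CONTAINER_RUNTIME` is accepted from the environment without any check that it resolves, unlike `$REALPATH`, `$DIRNAME` and `$GREP` a few lines above, so a misspelt runtime name surfaces only as a "command not found" on the first pull/tag/run/load call (the hunks ending at L9512, L9533 and L9543). Since the value is expanded unquoted at those call sites, word splitting on a multi-word value is presumably deliberate, so a check on its first word keeps that working: `command -v "${MALCOLM_CONTAINER_RUNTIME%% *}" > /dev/null 2>&1 || { echo "container runtime \"$MALCOLM_CONTAINER_RUNTIME\" not found" >&2; exit 1; }` placed after the default assignment and before `set -uo pipefail`.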
@@ -106,15 +107,15 @@ function _PullAndTagGithubWorkflowBuild() {
OWNER="$(_gitowner)"
IMAGE=$1
- docker pull $QUIET_PULL_FLAG ghcr.io/"$OWNER"/"$IMAGE":"${BRANCH}${IMAGE_ARCH_SUFFIX}" && \
- docker tag ghcr.io/"$OWNER"/"$IMAGE":"${BRANCH}${IMAGE_ARCH_SUFFIX}" ghcr.io/idaholab/"$IMAGE":"${VERSION}${IMAGE_ARCH_SUFFIX}"
+ $MALCOLM_CONTAINER_RUNTIME pull $QUIET_PULL_FLAG ghcr.io/"$OWNER"/"$IMAGE":"${BRANCH}${IMAGE_ARCH_SUFFIX}" && \
+ $MALCOLM_CONTAINER_RUNTIME tag ghcr.io/"$OWNER"/"$IMAGE":"${BRANCH}${IMAGE_ARCH_SUFFIX}" ghcr.io/idaholab/"$IMAGE":"${VERSION}${IMAGE_ARCH_SUFFIX}"
}
function PullAndTagGithubWorkflowImages() {
BRANCH="$(_gitbranch)"
VERSION="$(_malcolmversion)"
OWNER="$(_gitowner)"
- echo "Pulling images from ghcr.io/$OWNER ($BRANCH) and tagging as ${VERSION}${IMAGE_ARCH_SUFFIX}..."
+ echo "Pulling images with $MALCOLM_CONTAINER_RUNTIME from ghcr.io/$OWNER ($BRANCH) and tagging as ${VERSION}${IMAGE_ARCH_SUFFIX}..."
for IMG in $($GREP image: "$(_gittoplevel)"/docker-compose.yml | _cols 2 | cut -d: -f1 | sort -u | sed "s/.*\/\(malcolm\)/\1/"); do
_PullAndTagGithubWorkflowBuild "$IMG"
done
@@ -125,7 +126,7 @@ function PullAndTagGithubWorkflowISOImages() {
BRANCH="$(_gitbranch)"
VERSION="$(_malcolmversion)"
OWNER="$(_gitowner)"
- echo "Pulling ISO wrapper images from ghcr.io/$OWNER ($BRANCH) and tagging as $VERSION ..."
+ echo "Pulling ISO wrapper images with $MALCOLM_CONTAINER_RUNTIME from ghcr.io/$OWNER ($BRANCH) and tagging as $VERSION ..."
for IMG in malcolm/{malcolm,hedgehog}; do
_PullAndTagGithubWorkflowBuild "$IMG"
done
@@ -145,12 +146,12 @@ function _ExtractISOFromGithubWorkflowBuild() {
DEST_DIR="${2:-"$(pwd)"}"
ISO_NAME="${3:-"$TOOL-$VERSION"}"
- docker run --rm -d --name "$TOOL"-iso-srv -p 127.0.0.1:8000:8000/tcp -e QEMU_START=false -e NOVNC_START=false \
+ $MALCOLM_CONTAINER_RUNTIME run --rm -d --name "$TOOL"-iso-srv -p 127.0.0.1:8000:8000/tcp -e QEMU_START=false -e NOVNC_START=false \
ghcr.io/"$OWNER"/malcolm/"$TOOL":"$BRANCH" && \
sleep 10 && \
curl -sSL -o "$DEST_DIR"/"$ISO_NAME".iso http://localhost:8000/live.iso && \
curl -sSL -o "$DEST_DIR"/"$ISO_NAME"-build.log http://localhost:8000/"$TOOL"-"$VERSION"-build.log
- docker stop "$TOOL"-iso-srv
+ $MALCOLM_CONTAINER_RUNTIME stop "$TOOL"-iso-srv
}
function ExtractISOsFromGithubWorkflowBuilds() {
@@ -173,7 +174,7 @@ function ExtractAndLoadImagesFromGithubWorkflowBuildISO() {
if [[ -e filesystem.squashfs ]]; then
unsquashfs filesystem.squashfs -f malcolm_images.tar.xz
if [[ -e squashfs-root/malcolm_images.tar.xz ]]; then
- docker load -i squashfs-root/malcolm_images.tar.xz
+ $MALCOLM_CONTAINER_RUNTIME load -i squashfs-root/malcolm_images.tar.xz
else
echo "Failed to images tarball" 2>&1
fi
diff --git a/scripts/install.py b/scripts/install.py
index dd012b1f9..eb0a714e0 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -30,14 +30,18 @@
except ImportError:
getpwuid = None
from collections import defaultdict, namedtuple
+from enum import IntEnum
from malcolm_common import (
AskForString,
BoundPathReplacer,
ChooseMultiple,
ChooseOne,
+ CONTAINER_RUNTIME_KEY,
DetermineYamlFileFormat,
DialogInit,
+ DialogBackException,
+ DialogCanceledException,
DisplayMessage,
DOCKER_COMPOSE_INSTALL_URLS,
DOCKER_INSTALL_URLS,
@@ -100,6 +104,8 @@
MAC_BREW_DOCKER_COMPOSE_PACKAGE = 'docker-compose'
MAC_BREW_DOCKER_SETTINGS = '/Users/{}/Library/Group Containers/group.com.docker/settings.json'
+BACK_LABEL = 'Go Back'
+
LOGSTASH_JAVA_OPTS_DEFAULT = '-server -Xmx2500m -Xms2500m -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true'
OPENSEARCH_JAVA_OPTS_DEFAULT = '-server -Xmx10g -Xms10g -Xss256k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true'
@@ -122,6 +128,35 @@
str2percent = lambda val: max(min(100, int(remove_suffix(val, '%'))), 0) if val else 0
+class ConfigOptions(IntEnum):
+ Preconfig = 0
+ UidGuid = 1
+ NodeName = 2
+ RunProfile = 3
+ DatabaseMode = 4
+ LogstashRemote = 5
+ ContainerResources = 6
+ RestartMode = 7
+ RequireHTTPS = 8
+ DockerNetworking = 9
+ AuthMethod = 10
+ StorageLocations = 11
+ ILMISM = 12
+ StorageManagement = 13
+ AutoArkime = 14
+ AutoSuricata = 15
+ SuricataRuleUpdate = 16
+ AutoZeek = 17
+ ICS = 18
+ Enrichment = 19
+ OpenPorts = 20
+ FileCarving = 21
+ NetBox = 22
+ Capture = 23
+ DarkMode = 24
+ PostConfig = 25
+
+
###################################################################################################
# get interactive user response to Y/N question
def InstallerYesOrNo(
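Review bot: `UidGuid` reads as a typo for `UidGid`, given that the step it names prompts for a UID and a GID; renaming it now costs one line, whereas after the wizard loop below grows it will be referenced in many places. The enum also has no comment explaining that its integer values are what the wizard walks with `ConfigOptions(int(currentStep) + 1)`, so a reader does not know that inserting a step means renumbering everything after it; I would add above the class `# Ordered steps of the interactive configuration wizard; the step loop advances and backs up by integer value, so the numbering must stay contiguous.` The loop that consumes these values, and whatever stops it before `PostConfig + 1` raises ValueError, lies beyond this hunk.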
@@ -132,6 +167,7 @@ def InstallerYesOrNo(
uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog,
yesLabel='Yes',
noLabel='No',
+ extraLabel=None,
):
global args
defBehavior = defaultBehavior
@@ -145,6 +181,7 @@ def InstallerYesOrNo(
uiMode=uiMode,
yesLabel=yesLabel,
noLabel=noLabel,
+ extraLabel=extraLabel,
)
@@ -156,6 +193,7 @@ def InstallerAskForString(
forceInteraction=False,
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt | UserInputDefaultsBehavior.DefaultsAccept,
uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog,
+ extraLabel=None,
):
global args
defBehavior = defaultBehavior
@@ -167,6 +205,7 @@ def InstallerAskForString(
default=default,
defaultBehavior=defBehavior,
uiMode=uiMode,
+ extraLabel=extraLabel,
)
@@ -178,6 +217,7 @@ def InstallerChooseOne(
forceInteraction=False,
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt | UserInputDefaultsBehavior.DefaultsAccept,
uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog,
+ extraLabel=None,
):
global args
defBehavior = defaultBehavior
@@ -189,6 +229,7 @@ def InstallerChooseOne(
choices=choices,
defaultBehavior=defBehavior,
uiMode=uiMode,
+ extraLabel=extraLabel,
)
@@ -200,6 +241,7 @@ def InstallerChooseMultiple(
forceInteraction=False,
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt | UserInputDefaultsBehavior.DefaultsAccept,
uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog,
+ extraLabel=None,
):
global args
defBehavior = defaultBehavior
@@ -211,6 +253,7 @@ def InstallerChooseMultiple(
choices=choices,
defaultBehavior=defBehavior,
uiMode=uiMode,
+ extraLabel=extraLabel,
)
@@ -221,6 +264,7 @@ def InstallerDisplayMessage(
forceInteraction=False,
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt | UserInputDefaultsBehavior.DefaultsAccept,
uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog,
+ extraLabel=None,
):
global args
defBehavior = defaultBehavior
@@ -231,6 +275,7 @@ def InstallerDisplayMessage(
message,
defaultBehavior=defBehavior,
uiMode=uiMode,
+ extraLabel=extraLabel,
)
@@ -345,6 +390,8 @@ def install_required_packages(self):
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
def install_docker_images(self, docker_image_file, malcolm_install_path):
+ global args
+
result = False
composeFile = os.path.join(malcolm_install_path, 'docker-compose.yml')
@@ -353,19 +400,19 @@ def install_docker_images(self, docker_image_file, malcolm_install_path):
docker_image_file
and os.path.isfile(docker_image_file)
and InstallerYesOrNo(
- f'Load Malcolm Docker images from {docker_image_file}?', default=True, forceInteraction=True
+ f'Load Malcolm images from {docker_image_file}?', default=True, forceInteraction=True
)
):
- ecode, out = self.run_process(['docker', 'load', '-q', '-i', docker_image_file], privileged=True)
+ ecode, out = self.run_process([args.runtimeBin, 'load', '-q', '-i', docker_image_file], privileged=True)
if ecode == 0:
result = True
else:
- eprint(f"Loading Malcolm Docker images failed: {out}")
+ eprint(f"Loading Malcolm images failed: {out}")
elif (
os.path.isfile(composeFile)
and self.dockerComposeCmd
- and InstallerYesOrNo(f'Pull Malcolm Docker images?', default=False, forceInteraction=False)
+ and InstallerYesOrNo(f'Pull Malcolm images?', default=False, forceInteraction=False)
):
for priv in (False, True):
ecode, out = self.run_process(
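Review bot: `args.runtimeBin` is used directly as the executable in `self.run_process([args.runtimeBin, 'load', ...], privileged=True)`, but the option defaults to `''` from `MALCOLM_CONTAINER_RUNTIME` when that variable is unset, so unless main() normalises the value before this point (outside the hunk) the load command starts with an empty string. Because the call is privileged, a bare name is also resolved in the elevated PATH rather than the user's; resolving it once with `which()` and falling back to `docker` when empty, as the control script does, and documenting that in a comment, `# runtime binary comes from --runtime/MALCOLM_CONTAINER_RUNTIME; empty means docker`, would make the two scripts agree. The rest of install_docker_images is outside this hunk.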
@@ -385,7 +432,7 @@ def install_docker_images(self, docker_image_file, malcolm_install_path):
if ecode == 0:
result = True
else:
- eprint(f"Pulling Malcolm Docker images failed: {out}")
+ eprint(f"Pulling Malcolm images failed: {out}")
return result
@@ -497,31 +544,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
if (not args.configDir) or (not os.path.isdir(args.configDir)):
raise Exception("Could not determine configuration directory containing Malcolm's .env files")
- # figure out what UID/GID to run non-root processes under docker as
- puid, pgid = DetermineUid(self.scriptUser, self.platform, malcolm_install_path)
-
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid UID/GID')
- while (
- (not puid.isdigit())
- or (not pgid.isdigit())
- or (
- not InstallerYesOrNo(
- f'Malcolm processes will run as UID {puid} and GID {pgid}. Is this OK?', default=True
- )
- )
- ) and loopBreaker.increment():
- puid = InstallerAskForString(
- 'Enter user ID (UID) for running non-root Malcolm processes', default=defaultUid
- )
- pgid = InstallerAskForString(
- 'Enter group ID (GID) for running non-root Malcolm processes', default=defaultGid
- )
-
- pcapNodeName = InstallerAskForString(
- f'Enter the node name to associate with network traffic metadata',
- default=args.pcapNodeName,
- )
-
if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# guestimate how much memory we should use based on total system memory
@@ -597,1010 +619,1329 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
dashboardsUrl = 'http://dashboards:5601/dashboards'
logstashHost = 'logstash:5044'
indexSnapshotCompressed = False
- malcolmProfile = (
- PROFILE_MALCOLM
- if InstallerYesOrNo(
- 'Run with Malcolm (all containers) or Hedgehog (capture only) profile?',
- default=args.malcolmProfile,
- yesLabel='Malcolm',
- noLabel='Hedgehog',
- )
- else PROFILE_HEDGEHOG
- )
-
- if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Should Malcolm use and maintain its own OpenSearch instance?',
- default=DATABASE_MODE_ENUMS[args.opensearchPrimaryMode] == DatabaseMode.OpenSearchLocal,
- ):
- opensearchPrimaryMode = DatabaseMode.OpenSearchLocal
+ behindReverseProxy = False
+ dockerNetworkExternalName = ""
- else:
- databaseModeChoice = ''
- allowedDatabaseModes = {
- DATABASE_MODE_LABELS[DatabaseMode.OpenSearchLocal]: [DatabaseMode.OpenSearchLocal, 'local OpenSearch'],
- DATABASE_MODE_LABELS[DatabaseMode.OpenSearchRemote]: [
- DatabaseMode.OpenSearchRemote,
- 'remote OpenSearch',
- ],
- DATABASE_MODE_LABELS[DatabaseMode.ElasticsearchRemote]: [
- DatabaseMode.ElasticsearchRemote,
- 'remote Elasticsearch',
- ],
- }
- if malcolmProfile != PROFILE_MALCOLM:
- del allowedDatabaseModes[DATABASE_MODE_LABELS[DatabaseMode.OpenSearchLocal]]
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid primary document store mode')
- while databaseModeChoice not in list(allowedDatabaseModes.keys()) and loopBreaker.increment():
- databaseModeChoice = InstallerChooseOne(
- 'Select primary Malcolm document store',
- choices=[
- (x, allowedDatabaseModes[x][1], x == args.opensearchPrimaryMode)
- for x in list(allowedDatabaseModes.keys())
- ],
- )
- opensearchPrimaryMode = allowedDatabaseModes[databaseModeChoice][0]
- opensearchPrimaryLabel = allowedDatabaseModes[databaseModeChoice][1]
-
- if opensearchPrimaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote):
- loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid {opensearchPrimaryLabel} URL')
- opensearchPrimaryUrl = ''
- while (len(opensearchPrimaryUrl) <= 1) and loopBreaker.increment():
- opensearchPrimaryUrl = InstallerAskForString(
- f'Enter primary {opensearchPrimaryLabel} connection URL (e.g., https://192.168.1.123:9200)',
- default=args.opensearchPrimaryUrl,
- )
- opensearchPrimarySslVerify = opensearchPrimaryUrl.lower().startswith('https') and InstallerYesOrNo(
- f'Require SSL certificate validation for communication with {opensearchPrimaryLabel} instance?',
- default=args.opensearchPrimarySslVerify,
- )
- else:
- indexSnapshotCompressed = InstallerYesOrNo(
- f'Compress {opensearchPrimaryLabel} index snapshots?',
- default=args.indexSnapshotCompressed,
- )
+ prevStep = None
+ currentStep = ConfigOptions.Preconfig
+ while True:
+ prevStep = currentStep
+ currentStep = ConfigOptions(int(currentStep) + 1)
+ try:
+ ###################################################################################
+ if currentStep == ConfigOptions.Preconfig:
+ pass
- if opensearchPrimaryMode == DatabaseMode.ElasticsearchRemote:
- loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid Kibana connection URL')
- dashboardsUrl = ''
- while (len(dashboardsUrl) <= 1) and loopBreaker.increment():
- dashboardsUrl = InstallerAskForString(
- f'Enter Kibana connection URL (e.g., https://192.168.1.123:5601)',
- default=args.dashboardsUrl,
- )
- if malcolmProfile != PROFILE_MALCOLM:
- loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid Logstash host and port')
- logstashHost = ''
- while (len(logstashHost) <= 1) and loopBreaker.increment():
- logstashHost = InstallerAskForString(
- f'Enter Logstash host and port (e.g., 192.168.1.123:5044)',
- default=args.logstashHost,
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.UidGuid:
+ # figure out what UID/GID to run non-root processes under docker as
+ puid, pgid = DetermineUid(self.scriptUser, self.platform, malcolm_install_path)
+ defaultUid, defaultGid = puid, pgid
- if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Forward Logstash logs to a secondary remote document store?',
- default=(
- DATABASE_MODE_ENUMS[args.opensearchSecondaryMode]
- in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)
- ),
- ):
- databaseModeChoice = ''
- allowedDatabaseModes = {
- DATABASE_MODE_LABELS[DatabaseMode.OpenSearchRemote]: [
- DatabaseMode.OpenSearchRemote,
- 'remote OpenSearch',
- ],
- DATABASE_MODE_LABELS[DatabaseMode.ElasticsearchRemote]: [
- DatabaseMode.ElasticsearchRemote,
- 'remote Elasticsearch',
- ],
- }
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid secondary document store mode')
- while databaseModeChoice not in list(allowedDatabaseModes.keys()) and loopBreaker.increment():
- databaseModeChoice = InstallerChooseOne(
- 'Select secondary Malcolm document store',
- choices=[
- (x, allowedDatabaseModes[x][1], x == args.opensearchSecondaryMode)
- for x in list(allowedDatabaseModes.keys())
- ],
- )
- opensearchSecondaryMode = allowedDatabaseModes[databaseModeChoice][0]
- opensearchSecondaryLabel = allowedDatabaseModes[databaseModeChoice][1]
-
- if opensearchSecondaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote):
- loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid {opensearchSecondaryLabel} URL')
- opensearchSecondaryUrl = ''
- while (len(opensearchSecondaryUrl) <= 1) and loopBreaker.increment():
- opensearchSecondaryUrl = InstallerAskForString(
- f'Enter secondary {opensearchSecondaryLabel} connection URL (e.g., https://192.168.1.123:9200)',
- default=args.opensearchSecondaryUrl,
- )
- opensearchSecondarySslVerify = opensearchSecondaryUrl.lower().startswith('https') and InstallerYesOrNo(
- f'Require SSL certificate validation for communication with secondary {opensearchSecondaryLabel} instance?',
- default=args.opensearchSecondarySslVerify,
- )
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid UID/GID')
+ while (
+ (not puid.isdigit())
+ or (not pgid.isdigit())
+ or (
+ not InstallerYesOrNo(
+ f'Malcolm processes will run as UID {puid} and GID {pgid}. Is this OK?',
+ default=True,
+ )
+ )
+ ) and loopBreaker.increment():
+ puid = InstallerAskForString(
+ 'Enter user ID (UID) for running non-root Malcolm processes', default=defaultUid
+ )
+ pgid = InstallerAskForString(
+ 'Enter group ID (GID) for running non-root Malcolm processes', default=defaultGid
+ )
- if (opensearchPrimaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)) or (
- opensearchSecondaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)
- ):
- InstallerDisplayMessage(
- f'You must run auth_setup after {ScriptName} to store data store connection credentials.',
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.NodeName:
+ pcapNodeName = InstallerAskForString(
+ f'Enter the node name to associate with network traffic metadata',
+ default=args.pcapNodeName,
+ extraLabel=BACK_LABEL,
+ )
- if malcolmProfile == PROFILE_MALCOLM:
- loopBreaker = CountUntilException(
- MaxAskForValueCount,
- f'Invalid {"OpenSearch/" if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal else ""}Logstash memory setting(s)',
- )
- while (
- not InstallerYesOrNo(
- (
- f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?'
- if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
- else f'Setting {lsMemory} for Logstash. Is this OK?'
- ),
- default=True,
- )
- and loopBreaker.increment()
- ):
- if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
- osMemory = InstallerAskForString('Enter memory for OpenSearch (e.g., 16g, 9500m, etc.)')
- lsMemory = InstallerAskForString('Enter memory for Logstash (e.g., 4g, 2500m, etc.)')
-
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Logstash worker setting(s)')
- while (
- (not str(lsWorkers).isdigit())
- or (
- not InstallerYesOrNo(
- f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?', default=True
+ ###################################################################################
+ elif currentStep == ConfigOptions.RunProfile:
+ malcolmProfile = (
+ PROFILE_MALCOLM
+ if InstallerYesOrNo(
+ 'Run with Malcolm (all containers) or Hedgehog (capture only) profile?',
+ default=args.malcolmProfile,
+ yesLabel='Malcolm',
+ noLabel='Hedgehog',
+ extraLabel=BACK_LABEL,
+ )
+ else PROFILE_HEDGEHOG
)
- )
- ) and loopBreaker.increment():
- lsWorkers = InstallerAskForString('Enter number of Logstash workers (e.g., 4, 8, etc.)')
- restartMode = None
- allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped')
- if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo(
- 'Restart Malcolm upon system or Docker daemon restart?', default=args.malcolmAutoRestart
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid restart mode')
- while restartMode not in allowedRestartModes and loopBreaker.increment():
- restartMode = InstallerChooseOne(
- 'Select Malcolm restart behavior',
- choices=[(x, '', x == 'unless-stopped') for x in allowedRestartModes],
- )
- else:
- restartMode = 'no'
+ ###################################################################################
+ elif currentStep == ConfigOptions.DatabaseMode:
+ if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Should Malcolm use and maintain its own OpenSearch instance?',
+ default=DATABASE_MODE_ENUMS[args.opensearchPrimaryMode] == DatabaseMode.OpenSearchLocal,
+ extraLabel=BACK_LABEL,
+ ):
+ opensearchPrimaryMode = DatabaseMode.OpenSearchLocal
- if malcolmProfile == PROFILE_MALCOLM:
- nginxSSL = InstallerYesOrNo('Require encrypted HTTPS connections?', default=args.nginxSSL)
- if (not nginxSSL) and (not args.acceptDefaultsNonInteractive):
- nginxSSL = not InstallerYesOrNo(
- 'Unencrypted connections are NOT recommended. Are you sure?', default=False
- )
- else:
- nginxSSL = True
+ else:
+ databaseModeChoice = ''
+ allowedDatabaseModes = {
+ DATABASE_MODE_LABELS[DatabaseMode.OpenSearchLocal]: [
+ DatabaseMode.OpenSearchLocal,
+ 'local OpenSearch',
+ ],
+ DATABASE_MODE_LABELS[DatabaseMode.OpenSearchRemote]: [
+ DatabaseMode.OpenSearchRemote,
+ 'remote OpenSearch',
+ ],
+ DATABASE_MODE_LABELS[DatabaseMode.ElasticsearchRemote]: [
+ DatabaseMode.ElasticsearchRemote,
+ 'remote Elasticsearch',
+ ],
+ }
+ if malcolmProfile != PROFILE_MALCOLM:
+ del allowedDatabaseModes[DATABASE_MODE_LABELS[DatabaseMode.OpenSearchLocal]]
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid primary document store mode')
+ while databaseModeChoice not in list(allowedDatabaseModes.keys()) and loopBreaker.increment():
+ databaseModeChoice = InstallerChooseOne(
+ 'Select primary Malcolm document store',
+ choices=[
+ (x, allowedDatabaseModes[x][1], x == args.opensearchPrimaryMode)
+ for x in list(allowedDatabaseModes.keys())
+ ],
+ extraLabel=BACK_LABEL,
+ )
+ opensearchPrimaryMode = allowedDatabaseModes[databaseModeChoice][0]
+ opensearchPrimaryLabel = allowedDatabaseModes[databaseModeChoice][1]
+
+ if opensearchPrimaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote):
+ loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid {opensearchPrimaryLabel} URL')
+ opensearchPrimaryUrl = ''
+ while (len(opensearchPrimaryUrl) <= 1) and loopBreaker.increment():
+ opensearchPrimaryUrl = InstallerAskForString(
+ f'Enter primary {opensearchPrimaryLabel} connection URL (e.g., https://192.168.1.123:9200)',
+ default=args.opensearchPrimaryUrl,
+ extraLabel=BACK_LABEL,
+ )
+ opensearchPrimarySslVerify = opensearchPrimaryUrl.lower().startswith(
+ 'https'
+ ) and InstallerYesOrNo(
+ f'Require SSL certificate validation for communication with {opensearchPrimaryLabel} instance?',
+ default=args.opensearchPrimarySslVerify,
+ extraLabel=BACK_LABEL,
+ )
+ else:
+ indexSnapshotCompressed = InstallerYesOrNo(
+ f'Compress {opensearchPrimaryLabel} index snapshots?',
+ default=args.indexSnapshotCompressed,
+ extraLabel=BACK_LABEL,
+ )
- behindReverseProxy = False
- dockerNetworkExternalName = ""
- traefikLabels = False
- traefikHost = ""
- traefikOpenSearchHost = ""
- traefikEntrypoint = ""
- traefikResolver = ""
-
- behindReverseProxy = (self.orchMode is OrchestrationFramework.KUBERNETES) or (
- (malcolmProfile == PROFILE_MALCOLM)
- and InstallerYesOrNo(
- 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?',
- default=args.behindReverseProxy or (not nginxSSL),
- )
- )
+ if opensearchPrimaryMode == DatabaseMode.ElasticsearchRemote:
+ loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid Kibana connection URL')
+ dashboardsUrl = ''
+ while (len(dashboardsUrl) <= 1) and loopBreaker.increment():
+ dashboardsUrl = InstallerAskForString(
+ f'Enter Kibana connection URL (e.g., https://192.168.1.123:5601)',
+ default=args.dashboardsUrl,
+ extraLabel=BACK_LABEL,
+ )
- if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
- if behindReverseProxy:
- traefikLabels = InstallerYesOrNo('Configure labels for Traefik?', default=bool(args.traefikHost))
- if traefikLabels:
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik request domain')
- while (len(traefikHost) <= 1) and loopBreaker.increment():
- traefikHost = InstallerAskForString(
- 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)',
- default=args.traefikHost,
+ ###################################################################################
+ elif currentStep == ConfigOptions.LogstashRemote:
+ if malcolmProfile != PROFILE_MALCOLM:
+ loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid Logstash host and port')
+ logstashHost = ''
+ while (len(logstashHost) <= 1) and loopBreaker.increment():
+ logstashHost = InstallerAskForString(
+ f'Enter Logstash host and port (e.g., 192.168.1.123:5044)',
+ default=args.logstashHost,
+ extraLabel=BACK_LABEL,
+ )
+
+ if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Forward Logstash logs to a secondary remote document store?',
+ default=(
+ DATABASE_MODE_ENUMS[args.opensearchSecondaryMode]
+ in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)
+ ),
+ extraLabel=BACK_LABEL,
+ ):
+ databaseModeChoice = ''
+ allowedDatabaseModes = {
+ DATABASE_MODE_LABELS[DatabaseMode.OpenSearchRemote]: [
+ DatabaseMode.OpenSearchRemote,
+ 'remote OpenSearch',
+ ],
+ DATABASE_MODE_LABELS[DatabaseMode.ElasticsearchRemote]: [
+ DatabaseMode.ElasticsearchRemote,
+ 'remote Elasticsearch',
+ ],
+ }
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid secondary document store mode')
+ while databaseModeChoice not in list(allowedDatabaseModes.keys()) and loopBreaker.increment():
+ databaseModeChoice = InstallerChooseOne(
+ 'Select secondary Malcolm document store',
+ choices=[
+ (x, allowedDatabaseModes[x][1], x == args.opensearchSecondaryMode)
+ for x in list(allowedDatabaseModes.keys())
+ ],
+ extraLabel=BACK_LABEL,
+ )
+ opensearchSecondaryMode = allowedDatabaseModes[databaseModeChoice][0]
+ opensearchSecondaryLabel = allowedDatabaseModes[databaseModeChoice][1]
+
+ if opensearchSecondaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote):
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, f'Invalid {opensearchSecondaryLabel} URL'
+ )
+ opensearchSecondaryUrl = ''
+ while (len(opensearchSecondaryUrl) <= 1) and loopBreaker.increment():
+ opensearchSecondaryUrl = InstallerAskForString(
+ f'Enter secondary {opensearchSecondaryLabel} connection URL (e.g., https://192.168.1.123:9200)',
+ default=args.opensearchSecondaryUrl,
+ extraLabel=BACK_LABEL,
+ )
+ opensearchSecondarySslVerify = opensearchSecondaryUrl.lower().startswith(
+ 'https'
+ ) and InstallerYesOrNo(
+ f'Require SSL certificate validation for communication with secondary {opensearchSecondaryLabel} instance?',
+ default=args.opensearchSecondarySslVerify,
+ extraLabel=BACK_LABEL,
)
- if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
+
+ if (opensearchPrimaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)) or (
+ opensearchSecondaryMode in (DatabaseMode.OpenSearchRemote, DatabaseMode.ElasticsearchRemote)
+ ):
+ InstallerDisplayMessage(
+ f'You must run auth_setup after {ScriptName} to store data store connection credentials.',
+ )
+
+ ###################################################################################
+ elif currentStep == ConfigOptions.ContainerResources:
+ if malcolmProfile == PROFILE_MALCOLM:
loopBreaker = CountUntilException(
- MaxAskForValueCount, 'Invalid Traefik OpenSearch request domain'
+ MaxAskForValueCount,
+ f'Invalid {"OpenSearch/" if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal else ""}Logstash memory setting(s)',
)
while (
- (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost)
+ not InstallerYesOrNo(
+ (
+ f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?'
+ if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
+ else f'Setting {lsMemory} for Logstash. Is this OK?'
+ ),
+ default=True,
+ extraLabel=BACK_LABEL,
+ )
+ and loopBreaker.increment()
+ ):
+ if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
+ osMemory = InstallerAskForString(
+ 'Enter memory for OpenSearch (e.g., 16g, 9500m, etc.)',
+ extraLabel=BACK_LABEL,
+ )
+ lsMemory = InstallerAskForString(
+ 'Enter memory for Logstash (e.g., 4g, 2500m, etc.)',
+ extraLabel=BACK_LABEL,
+ )
+
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Logstash worker setting(s)')
+ while (
+ (not str(lsWorkers).isdigit())
+ or (
+ not InstallerYesOrNo(
+ f'Setting {lsWorkers} workers for Logstash pipelines. Is this OK?',
+ default=True,
+ extraLabel=BACK_LABEL,
+ )
+ )
) and loopBreaker.increment():
- traefikOpenSearchHost = InstallerAskForString(
- f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})',
- default=args.traefikOpenSearchHost,
+ lsWorkers = InstallerAskForString(
+ 'Enter number of Logstash workers (e.g., 4, 8, etc.)',
+ extraLabel=BACK_LABEL,
)
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router entrypoint')
- while (len(traefikEntrypoint) <= 1) and loopBreaker.increment():
- traefikEntrypoint = InstallerAskForString(
- 'Enter Traefik router entrypoint (e.g., websecure)',
- default=args.traefikEntrypoint,
- )
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik router resolver')
- while (len(traefikResolver) <= 1) and loopBreaker.increment():
- traefikResolver = InstallerAskForString(
- 'Enter Traefik router resolver (e.g., myresolver)',
- default=args.traefikResolver,
- )
- dockerNetworkExternalName = InstallerAskForString(
- 'Specify external Docker network name (or leave blank for default networking)',
- default=args.dockerNetworkName,
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.RestartMode:
+ restartMode = None
+ allowedRestartModes = ('no', 'on-failure', 'always', 'unless-stopped')
+ if (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE) and InstallerYesOrNo(
+ 'Restart Malcolm upon system or container daemon restart?',
+ default=args.malcolmAutoRestart,
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid restart mode')
+ while restartMode not in allowedRestartModes and loopBreaker.increment():
+ restartMode = InstallerChooseOne(
+ 'Select Malcolm restart behavior',
+ choices=[(x, '', x == 'unless-stopped') for x in allowedRestartModes],
+ extraLabel=BACK_LABEL,
+ )
+ else:
+ restartMode = 'no'
+
+ ###################################################################################
+ elif currentStep == ConfigOptions.RequireHTTPS:
+ if malcolmProfile == PROFILE_MALCOLM:
+ nginxSSL = InstallerYesOrNo(
+ 'Require encrypted HTTPS connections?',
+ default=args.nginxSSL,
+ extraLabel=BACK_LABEL,
+ )
+ if (not nginxSSL) and (not args.acceptDefaultsNonInteractive):
+ nginxSSL = not InstallerYesOrNo(
+ 'Unencrypted connections are NOT recommended. Are you sure?',
+ default=False,
+ extraLabel=BACK_LABEL,
+ )
+ else:
+ nginxSSL = True
- allowedAuthModes = {
- 'Basic': 'true',
- 'Lightweight Directory Access Protocol (LDAP)': 'false',
- 'None': 'no_authentication',
- }
- authMode = None if (malcolmProfile == PROFILE_MALCOLM) else 'Basic'
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid authentication method')
- while authMode not in list(allowedAuthModes.keys()) and loopBreaker.increment():
- authMode = InstallerChooseOne(
- 'Select authentication method',
- choices=[
- (x, '', x == ('Lightweight Directory Access Protocol (LDAP)' if args.authModeLDAP else 'Basic'))
- for x in list(allowedAuthModes.keys())
- ],
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.DockerNetworking:
+ behindReverseProxy = (self.orchMode is OrchestrationFramework.KUBERNETES) or (
+ (malcolmProfile == PROFILE_MALCOLM)
+ and InstallerYesOrNo(
+ 'Will Malcolm be running behind another reverse proxy (Traefik, Caddy, etc.)?',
+ default=args.behindReverseProxy or (not nginxSSL),
+ extraLabel=BACK_LABEL,
+ )
+ )
- ldapStartTLS = False
- ldapServerTypeDefault = args.ldapServerType if args.ldapServerType else 'winldap'
- ldapServerType = ldapServerTypeDefault
- if 'ldap' in authMode.lower():
- allowedLdapModes = ('winldap', 'openldap')
- ldapServerType = args.ldapServerType if args.ldapServerType else None
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LDAP server compatibility type')
- while ldapServerType not in allowedLdapModes and loopBreaker.increment():
- ldapServerType = InstallerChooseOne(
- 'Select LDAP server compatibility type',
- choices=[(x, '', x == ldapServerTypeDefault) for x in allowedLdapModes],
- )
- ldapStartTLS = InstallerYesOrNo(
- 'Use StartTLS (rather than LDAPS) for LDAP connection security?', default=args.ldapStartTLS
- )
- try:
- with open(
- os.path.join(os.path.realpath(os.path.join(ScriptPath, "..")), ".ldap_config_defaults"), "w"
- ) as ldapDefaultsFile:
- print(f"LDAP_SERVER_TYPE='{ldapServerType}'", file=ldapDefaultsFile)
- print(
- f"LDAP_PROTO='{'ldap://' if ldapStartTLS else 'ldaps://'}'",
- file=ldapDefaultsFile,
+ traefikLabels = False
+ traefikHost = ""
+ traefikOpenSearchHost = ""
+ traefikEntrypoint = ""
+ traefikResolver = ""
+ if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
+ if behindReverseProxy:
+ traefikLabels = InstallerYesOrNo(
+ 'Configure labels for Traefik?',
+ default=bool(args.traefikHost),
+ extraLabel=BACK_LABEL,
+ )
+ if traefikLabels:
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Traefik request domain')
+ while (len(traefikHost) <= 1) and loopBreaker.increment():
+ traefikHost = InstallerAskForString(
+ 'Enter request domain (host header value) for Malcolm interface Traefik router (e.g., malcolm.example.org)',
+ default=args.traefikHost,
+ extraLabel=BACK_LABEL,
+ )
+ if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid Traefik OpenSearch request domain'
+ )
+ while (
+ (len(traefikOpenSearchHost) <= 1) or (traefikOpenSearchHost == traefikHost)
+ ) and loopBreaker.increment():
+ traefikOpenSearchHost = InstallerAskForString(
+ f'Enter request domain (host header value) for OpenSearch Traefik router (e.g., opensearch.{traefikHost})',
+ default=args.traefikOpenSearchHost,
+ extraLabel=BACK_LABEL,
+ )
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid Traefik router entrypoint'
+ )
+ while (len(traefikEntrypoint) <= 1) and loopBreaker.increment():
+ traefikEntrypoint = InstallerAskForString(
+ 'Enter Traefik router entrypoint (e.g., websecure)',
+ default=args.traefikEntrypoint,
+ extraLabel=BACK_LABEL,
+ )
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid Traefik router resolver'
+ )
+ while (len(traefikResolver) <= 1) and loopBreaker.increment():
+ traefikResolver = InstallerAskForString(
+ 'Enter Traefik router resolver (e.g., myresolver)',
+ default=args.traefikResolver,
+ extraLabel=BACK_LABEL,
+ )
+
+ dockerNetworkExternalName = InstallerAskForString(
+ 'Specify external container network name (or leave blank for default networking)',
+ default=args.containerNetworkName,
+ extraLabel=BACK_LABEL,
)
- print(f"LDAP_PORT='{3268 if ldapStartTLS else 3269}'", file=ldapDefaultsFile)
- except Exception:
- pass
- # directories for data volume mounts (PCAP storage, Zeek log storage, OpenSearch indexes, etc.)
+ ###################################################################################
+ elif currentStep == ConfigOptions.AuthMethod:
+ allowedAuthModes = {
+ 'Basic': 'true',
+ 'Lightweight Directory Access Protocol (LDAP)': 'false',
+ 'None': 'no_authentication',
+ }
+ authMode = None if (malcolmProfile == PROFILE_MALCOLM) else 'Basic'
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid authentication method')
+ while authMode not in list(allowedAuthModes.keys()) and loopBreaker.increment():
+ authMode = InstallerChooseOne(
+ 'Select authentication method',
+ choices=[
+ (
+ x,
+ '',
+ x
+ == (
+ 'Lightweight Directory Access Protocol (LDAP)' if args.authModeLDAP else 'Basic'
+ ),
+ )
+ for x in list(allowedAuthModes.keys())
+ ],
+ extraLabel=BACK_LABEL,
+ )
- # if the file .os-disk-config-defaults was created by the environment (os-disk-config.py)
- # we'll use those as defaults, otherwise base things underneath the malcolm_install_path
- diskFormatInfo = {}
- try:
- diskFormatInfoFile = os.path.join(
- os.path.realpath(os.path.join(ScriptPath, "..")), ".os-disk-config-defaults"
- )
- if os.path.isfile(diskFormatInfoFile):
- with open(diskFormatInfoFile) as f:
- diskFormatInfo = LoadFileIfJson(f)
- except Exception:
- pass
- diskFormatInfo = {k: v for k, v in diskFormatInfo.items() if os.path.isdir(v)}
-
- if MALCOLM_DB_DIR in diskFormatInfo:
- for subDir in ['opensearch', 'opensearch-backup']:
- pathlib.Path(os.path.join(diskFormatInfo[MALCOLM_DB_DIR], subDir)).mkdir(parents=False, exist_ok=True)
- if MALCOLM_LOGS_DIR in diskFormatInfo:
- for subDir in ['zeek-logs', 'suricata-logs']:
- pathlib.Path(os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], subDir)).mkdir(parents=False, exist_ok=True)
-
- if args.indexDir:
- indexDirDefault = args.indexDir
- indexDir = indexDirDefault
- else:
- indexDir = './opensearch'
- if (MALCOLM_DB_DIR in diskFormatInfo) and os.path.isdir(
- os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexDir)
- ):
- indexDirDefault = os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexDir)
- indexDir = indexDirDefault
- else:
- indexDirDefault = os.path.join(malcolm_install_path, indexDir)
- indexDirFull = os.path.realpath(indexDirDefault)
+ ldapStartTLS = False
+ ldapServerTypeDefault = args.ldapServerType if args.ldapServerType else 'winldap'
+ ldapServerType = ldapServerTypeDefault
+ if 'ldap' in authMode.lower():
+ allowedLdapModes = ('winldap', 'openldap')
+ ldapServerType = args.ldapServerType if args.ldapServerType else None
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid LDAP server compatibility type')
+ while ldapServerType not in allowedLdapModes and loopBreaker.increment():
+ ldapServerType = InstallerChooseOne(
+ 'Select LDAP server compatibility type',
+ choices=[(x, '', x == ldapServerTypeDefault) for x in allowedLdapModes],
+ extraLabel=BACK_LABEL,
+ )
+ ldapStartTLS = InstallerYesOrNo(
+ 'Use StartTLS (rather than LDAPS) for LDAP connection security?',
+ default=args.ldapStartTLS,
+ extraLabel=BACK_LABEL,
+ )
+ try:
+ with open(
+ os.path.join(os.path.realpath(os.path.join(ScriptPath, "..")), ".ldap_config_defaults"),
+ "w",
+ ) as ldapDefaultsFile:
+ print(f"LDAP_SERVER_TYPE='{ldapServerType}'", file=ldapDefaultsFile)
+ print(
+ f"LDAP_PROTO='{'ldap://' if ldapStartTLS else 'ldaps://'}'",
+ file=ldapDefaultsFile,
+ )
+ print(f"LDAP_PORT='{3268 if ldapStartTLS else 3269}'", file=ldapDefaultsFile)
+ except Exception:
+ pass
- indexSnapshotCompressed = False
- if args.indexSnapshotDir:
- indexSnapshotDirDefault = args.indexSnapshotDir
- indexSnapshotDir = indexSnapshotDirDefault
- else:
- indexSnapshotDir = './opensearch-backup'
- if (MALCOLM_DB_DIR in diskFormatInfo) and os.path.isdir(
- os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexSnapshotDir)
- ):
- indexSnapshotDirDefault = os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexSnapshotDir)
- indexSnapshotDir = indexSnapshotDirDefault
- else:
- indexSnapshotDirDefault = os.path.join(malcolm_install_path, indexSnapshotDir)
- indexSnapshotDirFull = os.path.realpath(indexSnapshotDirDefault)
+ ###################################################################################
+ elif currentStep == ConfigOptions.StorageLocations:
+ # directories for data volume mounts (PCAP storage, Zeek log storage, OpenSearch indexes, etc.)
- if args.pcapDir:
- pcapDirDefault = args.pcapDir
- pcapDir = pcapDirDefault
- else:
- if MALCOLM_PCAP_DIR in diskFormatInfo:
- pcapDirDefault = diskFormatInfo[MALCOLM_PCAP_DIR]
- pcapDir = pcapDirDefault
- else:
- pcapDir = './pcap'
- pcapDirDefault = os.path.join(malcolm_install_path, pcapDir)
- pcapDirFull = os.path.realpath(pcapDirDefault)
+ # if the file .os-disk-config-defaults was created by the environment (os-disk-config.py)
+ # we'll use those as defaults, otherwise base things underneath the malcolm_install_path
+ diskFormatInfo = {}
+ try:
+ diskFormatInfoFile = os.path.join(
+ os.path.realpath(os.path.join(ScriptPath, "..")), ".os-disk-config-defaults"
+ )
+ if os.path.isfile(diskFormatInfoFile):
+ with open(diskFormatInfoFile) as f:
+ diskFormatInfo = LoadFileIfJson(f)
+ except Exception:
+ pass
+ diskFormatInfo = {k: v for k, v in diskFormatInfo.items() if os.path.isdir(v)}
- if args.suricataLogDir:
- suricataLogDirDefault = args.suricataLogDir
- suricataLogDir = suricataLogDirDefault
- else:
- suricataLogDir = './suricata-logs'
- if (MALCOLM_LOGS_DIR in diskFormatInfo) and os.path.isdir(
- os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], suricataLogDir)
- ):
- suricataLogDirDefault = os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], suricataLogDir)
- suricataLogDir = suricataLogDirDefault
- else:
- suricataLogDirDefault = os.path.join(malcolm_install_path, suricataLogDir)
- suricataLogDirFull = os.path.realpath(suricataLogDirDefault)
+ if MALCOLM_DB_DIR in diskFormatInfo:
+ for subDir in ['opensearch', 'opensearch-backup']:
+ pathlib.Path(os.path.join(diskFormatInfo[MALCOLM_DB_DIR], subDir)).mkdir(
+ parents=False, exist_ok=True
+ )
+ if MALCOLM_LOGS_DIR in diskFormatInfo:
+ for subDir in ['zeek-logs', 'suricata-logs']:
+ pathlib.Path(os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], subDir)).mkdir(
+ parents=False, exist_ok=True
+ )
- if args.zeekLogDir:
- zeekLogDirDefault = args.zeekLogDir
- zeekLogDir = zeekLogDirDefault
- else:
- zeekLogDir = './zeek-logs'
- if (MALCOLM_LOGS_DIR in diskFormatInfo) and os.path.isdir(
- os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], zeekLogDir)
- ):
- zeekLogDirDefault = os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], zeekLogDir)
- zeekLogDir = zeekLogDirDefault
- else:
- zeekLogDirDefault = os.path.join(malcolm_install_path, zeekLogDir)
- zeekLogDirFull = os.path.realpath(zeekLogDirDefault)
+ if args.indexDir:
+ indexDirDefault = args.indexDir
+ indexDir = indexDirDefault
+ else:
+ indexDir = './opensearch'
+ if (MALCOLM_DB_DIR in diskFormatInfo) and os.path.isdir(
+ os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexDir)
+ ):
+ indexDirDefault = os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexDir)
+ indexDir = indexDirDefault
+ else:
+ indexDirDefault = os.path.join(malcolm_install_path, indexDir)
+ indexDirFull = os.path.realpath(indexDirDefault)
- if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
- if diskFormatInfo or not InstallerYesOrNo(
- f'Store {"PCAP, log and index" if (malcolmProfile == PROFILE_MALCOLM) else "PCAP and log"} files in {malcolm_install_path}?',
- default=not args.acceptDefaultsNonInteractive,
- ):
- # PCAP directory
- if not InstallerYesOrNo(
- 'Store PCAP files in {}?'.format(pcapDirDefault),
- default=not bool(args.pcapDir),
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP directory')
- while loopBreaker.increment():
- pcapDir = InstallerAskForString('Enter PCAP directory', default=pcapDirDefault)
- if (len(pcapDir) > 1) and os.path.isdir(pcapDir):
- pcapDirFull = os.path.realpath(pcapDir)
- pcapDir = (
- f"./{os.path.relpath(pcapDirDefault, malcolm_install_path)}"
- if same_file_or_dir(pcapDirDefault, pcapDirFull)
- else pcapDirFull
- )
- break
+ indexSnapshotCompressed = False
+ if args.indexSnapshotDir:
+ indexSnapshotDirDefault = args.indexSnapshotDir
+ indexSnapshotDir = indexSnapshotDirDefault
+ else:
+ indexSnapshotDir = './opensearch-backup'
+ if (MALCOLM_DB_DIR in diskFormatInfo) and os.path.isdir(
+ os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexSnapshotDir)
+ ):
+ indexSnapshotDirDefault = os.path.join(diskFormatInfo[MALCOLM_DB_DIR], indexSnapshotDir)
+ indexSnapshotDir = indexSnapshotDirDefault
+ else:
+ indexSnapshotDirDefault = os.path.join(malcolm_install_path, indexSnapshotDir)
+ indexSnapshotDirFull = os.path.realpath(indexSnapshotDirDefault)
- # Zeek log directory
- if not InstallerYesOrNo(
- 'Store Zeek logs in {}?'.format(zeekLogDirDefault),
- default=not bool(args.zeekLogDir),
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Zeek directory')
- while loopBreaker.increment():
- zeekLogDir = InstallerAskForString('Enter Zeek log directory', default=zeekLogDirDefault)
- if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir):
- zeekLogDirFull = os.path.realpath(zeekLogDir)
- zeekLogDir = (
- f"./{os.path.relpath(zeekLogDirDefault, malcolm_install_path)}"
- if same_file_or_dir(zeekLogDirDefault, zeekLogDirFull)
- else zeekLogDirFull
- )
- break
+ if args.pcapDir:
+ pcapDirDefault = args.pcapDir
+ pcapDir = pcapDirDefault
+ else:
+ if MALCOLM_PCAP_DIR in diskFormatInfo:
+ pcapDirDefault = diskFormatInfo[MALCOLM_PCAP_DIR]
+ pcapDir = pcapDirDefault
+ else:
+ pcapDir = './pcap'
+ pcapDirDefault = os.path.join(malcolm_install_path, pcapDir)
+ pcapDirFull = os.path.realpath(pcapDirDefault)
- # Suricata log directory
- if not InstallerYesOrNo(
- 'Store Suricata logs in {}?'.format(suricataLogDirDefault),
- default=not bool(args.suricataLogDir),
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Suricata directory')
- while loopBreaker.increment():
- suricataLogDir = InstallerAskForString(
- 'Enter Suricata log directory', default=suricataLogDirDefault
- )
- if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir):
- suricataLogDirFull = os.path.realpath(suricataLogDir)
- suricataLogDir = (
- f"./{os.path.relpath(suricataLogDirDefault, malcolm_install_path)}"
- if same_file_or_dir(suricataLogDirDefault, suricataLogDirFull)
- else suricataLogDirFull
- )
- break
+ if args.suricataLogDir:
+ suricataLogDirDefault = args.suricataLogDir
+ suricataLogDir = suricataLogDirDefault
+ else:
+ suricataLogDir = './suricata-logs'
+ if (MALCOLM_LOGS_DIR in diskFormatInfo) and os.path.isdir(
+ os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], suricataLogDir)
+ ):
+ suricataLogDirDefault = os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], suricataLogDir)
+ suricataLogDir = suricataLogDirDefault
+ else:
+ suricataLogDirDefault = os.path.join(malcolm_install_path, suricataLogDir)
+ suricataLogDirFull = os.path.realpath(suricataLogDirDefault)
- if (malcolmProfile == PROFILE_MALCOLM) and (opensearchPrimaryMode == DatabaseMode.OpenSearchLocal):
- # opensearch index directory
- if not InstallerYesOrNo(
- 'Store OpenSearch indices in {}?'.format(indexDirDefault),
- default=not bool(args.indexDir),
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch index directory')
+ if args.zeekLogDir:
+ zeekLogDirDefault = args.zeekLogDir
+ zeekLogDir = zeekLogDirDefault
+ else:
+ zeekLogDir = './zeek-logs'
+ if (MALCOLM_LOGS_DIR in diskFormatInfo) and os.path.isdir(
+ os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], zeekLogDir)
+ ):
+ zeekLogDirDefault = os.path.join(diskFormatInfo[MALCOLM_LOGS_DIR], zeekLogDir)
+ zeekLogDir = zeekLogDirDefault
+ else:
+ zeekLogDirDefault = os.path.join(malcolm_install_path, zeekLogDir)
+ zeekLogDirFull = os.path.realpath(zeekLogDirDefault)
+
+ if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
+ if diskFormatInfo or not InstallerYesOrNo(
+ f'Store {"PCAP, log and index" if (malcolmProfile == PROFILE_MALCOLM) else "PCAP and log"} files in {malcolm_install_path}?',
+ default=not args.acceptDefaultsNonInteractive,
+ extraLabel=BACK_LABEL,
+ ):
+ # PCAP directory
+ if not InstallerYesOrNo(
+ 'Store PCAP files in {}?'.format(pcapDirDefault),
+ default=not bool(args.pcapDir),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP directory')
+ while loopBreaker.increment():
+ pcapDir = InstallerAskForString(
+ 'Enter PCAP directory',
+ default=pcapDirDefault,
+ extraLabel=BACK_LABEL,
+ )
+ if (len(pcapDir) > 1) and os.path.isdir(pcapDir):
+ pcapDirFull = os.path.realpath(pcapDir)
+ pcapDir = (
+ f"./{os.path.relpath(pcapDirDefault, malcolm_install_path)}"
+ if same_file_or_dir(pcapDirDefault, pcapDirFull)
+ else pcapDirFull
+ )
+ break
+
+ # Zeek log directory
+ if not InstallerYesOrNo(
+ 'Store Zeek logs in {}?'.format(zeekLogDirDefault),
+ default=not bool(args.zeekLogDir),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Zeek directory')
+ while loopBreaker.increment():
+ zeekLogDir = InstallerAskForString(
+ 'Enter Zeek log directory',
+ default=zeekLogDirDefault,
+ extraLabel=BACK_LABEL,
+ )
+ if (len(zeekLogDir) > 1) and os.path.isdir(zeekLogDir):
+ zeekLogDirFull = os.path.realpath(zeekLogDir)
+ zeekLogDir = (
+ f"./{os.path.relpath(zeekLogDirDefault, malcolm_install_path)}"
+ if same_file_or_dir(zeekLogDirDefault, zeekLogDirFull)
+ else zeekLogDirFull
+ )
+ break
+
+ # Suricata log directory
+ if not InstallerYesOrNo(
+ 'Store Suricata logs in {}?'.format(suricataLogDirDefault),
+ default=not bool(args.suricataLogDir),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid Suricata directory')
+ while loopBreaker.increment():
+ suricataLogDir = InstallerAskForString(
+ 'Enter Suricata log directory',
+ default=suricataLogDirDefault,
+ extraLabel=BACK_LABEL,
+ )
+ if (len(suricataLogDir) > 1) and os.path.isdir(suricataLogDir):
+ suricataLogDirFull = os.path.realpath(suricataLogDir)
+ suricataLogDir = (
+ f"./{os.path.relpath(suricataLogDirDefault, malcolm_install_path)}"
+ if same_file_or_dir(suricataLogDirDefault, suricataLogDirFull)
+ else suricataLogDirFull
+ )
+ break
+
+ if (malcolmProfile == PROFILE_MALCOLM) and (
+ opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
+ ):
+ # opensearch index directory
+ if not InstallerYesOrNo(
+ 'Store OpenSearch indices in {}?'.format(indexDirDefault),
+ default=not bool(args.indexDir),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid OpenSearch index directory'
+ )
+ while loopBreaker.increment():
+ indexDir = InstallerAskForString(
+ 'Enter OpenSearch index directory',
+ default=indexDirDefault,
+ extraLabel=BACK_LABEL,
+ )
+ if (len(indexDir) > 1) and os.path.isdir(indexDir):
+ indexDirFull = os.path.realpath(indexDir)
+ indexDir = (
+ f"./{os.path.relpath(indexDirDefault, malcolm_install_path)}"
+ if same_file_or_dir(indexDirDefault, indexDirFull)
+ else indexDirFull
+ )
+ break
+
+ # opensearch snapshot repository directory and compression
+ if not InstallerYesOrNo(
+ 'Store OpenSearch index snapshots in {}?'.format(indexSnapshotDirDefault),
+ default=not bool(args.indexSnapshotDir),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid OpenSearch snapshots directory'
+ )
+ while loopBreaker.increment():
+ indexSnapshotDir = InstallerAskForString(
+ 'Enter OpenSearch index snapshot directory',
+ default=indexSnapshotDirDefault,
+ extraLabel=BACK_LABEL,
+ )
+ if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir):
+ indexSnapshotDirFull = os.path.realpath(indexSnapshotDir)
+ indexSnapshotDir = (
+ f"./{os.path.relpath(indexSnapshotDirDefault, malcolm_install_path)}"
+ if same_file_or_dir(indexSnapshotDirDefault, indexSnapshotDirFull)
+ else indexSnapshotDirFull
+ )
+ break
+
+ # make sure paths specified (and their necessary children) exist
+ for pathToCreate in (
+ malcolm_install_path,
+ indexDirFull,
+ indexSnapshotDirFull,
+ os.path.join(pcapDirFull, 'arkime-live'),
+ os.path.join(pcapDirFull, 'processed'),
+ os.path.join(pcapDirFull, os.path.join('upload', os.path.join('tmp', 'spool'))),
+ os.path.join(pcapDirFull, os.path.join('upload', 'variants')),
+ os.path.join(suricataLogDirFull, 'live'),
+ os.path.join(zeekLogDirFull, 'current'),
+ os.path.join(zeekLogDirFull, 'live'),
+ os.path.join(zeekLogDirFull, 'upload'),
+ os.path.join(zeekLogDirFull, os.path.join('extract_files', 'preserved')),
+ os.path.join(zeekLogDirFull, os.path.join('extract_files', 'quarantine')),
+ ):
+ try:
+ if args.debug:
+ eprint(f"Creating {pathToCreate}")
+ pathlib.Path(pathToCreate).mkdir(parents=True, exist_ok=True)
+ if (
+ ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC))
+ and (self.scriptUser == "root")
+ and (getpwuid(os.stat(pathToCreate).st_uid).pw_name == self.scriptUser)
+ ):
+ if args.debug:
+ eprint(f"Setting permissions of {pathToCreate} to {puid}:{pgid}")
+ # change ownership of newly-created directory to match puid/pgid
+ os.chown(pathToCreate, int(puid), int(pgid))
+ except Exception as e:
+ eprint(f"Creating {pathToCreate} failed: {e}")
+
+ ###################################################################################
+ elif currentStep == ConfigOptions.ILMISM:
+ indexManagementPolicy = False
+ indexManagementHotWarm = False
+ indexManagementOptimizationTimePeriod = '30d'
+ indexManagementSpiDataRetention = '90d'
+ indexManagementReplicas = 0
+ indexManagementHistoryInWeeks = 13
+ indexManagementOptimizeSessionSegments = 1
+
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount,
+ f'Invalid ILM/ISM setting(s)',
+ )
+ indexManagementPolicy = InstallerYesOrNo(
+ f'Enable index management policies (ILM/ISM) in Arkime?',
+ default=args.indexManagementPolicy,
+ extraLabel=BACK_LABEL,
+ )
+ if indexManagementPolicy:
while loopBreaker.increment():
- indexDir = InstallerAskForString(
- 'Enter OpenSearch index directory', default=indexDirDefault
+ # Set 'hot' for 'node.attr.molochtype' on new indices, warm on non sessions indices
+ indexManagementHotWarm = InstallerYesOrNo(
+ f'Should Arkime use a hot/warm design in which non-session data is stored in a warm index?',
+ default=args.indexManagementHotWarm,
+ extraLabel=BACK_LABEL,
)
- if (len(indexDir) > 1) and os.path.isdir(indexDir):
- indexDirFull = os.path.realpath(indexDir)
- indexDir = (
- f"./{os.path.relpath(indexDirDefault, malcolm_install_path)}"
- if same_file_or_dir(indexDirDefault, indexDirFull)
- else indexDirFull
- )
+ if indexManagementHotWarm:
+ if opensearchPrimaryMode == DatabaseMode.ElasticsearchRemote:
+ InstallerDisplayMessage(
+ f'You must configure "hot" and "warm" nodes types in the remote Elasticsearch instance (https://arkime.com/faq#ilm)'
+ )
+ else:
+ InstallerDisplayMessage(
+ f'You must configure "hot" and "warm" nodes types in the OpenSearch instance'
+ )
+ # Time in hours/days before (moving Arkime indexes to warm) and force merge (number followed by h or d), default 30d
+ indexManagementOptimizationTimePeriod = InstallerAskForString(
+ "How long should Arkime keep an index in the hot node? (e.g. 25h, 5d, etc.)",
+ default=args.indexManagementOptimizationTimePeriod,
+ extraLabel=BACK_LABEL,
+ )
+ # Time in hours/days before deleting Arkime indexes (number followed by h or d), default 90d
+ indexManagementSpiDataRetention = InstallerAskForString(
+ "How long should Arkime retain SPI data before deleting it? (e.g. 25h, 90d, etc.)",
+ default=str(args.indexManagementSpiDataRetention),
+ extraLabel=BACK_LABEL,
+ )
+ # Number of segments to optimize sessions to in the ILM policy, default 1
+ indexManagementOptimizeSessionSegments = InstallerAskForString(
+ "How many segments should Arkime use to optimize?",
+ default=str(args.indexManagementOptimizeSessionSegments),
+ extraLabel=BACK_LABEL,
+ )
+ # Number of replicas for older sessions indices in the ILM policy, default 0
+ indexManagementReplicas = InstallerAskForString(
+ "How many replicas should Arkime maintain for older session indices?",
+ default=str(args.indexManagementReplicas),
+ extraLabel=BACK_LABEL,
+ )
+ # Number of weeks of history to keep, default 13
+ indexManagementHistoryInWeeks = InstallerAskForString(
+ "How many weeks of history should Arkime keep?",
+ default=str(args.indexManagementHistoryInWeeks),
+ extraLabel=BACK_LABEL,
+ )
+ if (
+ (re.match(r"\d+(h|d)", indexManagementOptimizationTimePeriod))
+ and (re.match(r"\d+(h|d)", indexManagementSpiDataRetention))
+ and str(indexManagementOptimizeSessionSegments).isdigit()
+ and str(indexManagementReplicas).isdigit()
+ and str(indexManagementHistoryInWeeks).isdigit()
+ ):
break
- # opensearch snapshot repository directory and compression
- if not InstallerYesOrNo(
- 'Store OpenSearch index snapshots in {}?'.format(indexSnapshotDirDefault),
- default=not bool(args.indexSnapshotDir),
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid OpenSearch snapshots directory')
- while loopBreaker.increment():
- indexSnapshotDir = InstallerAskForString(
- 'Enter OpenSearch index snapshot directory', default=indexSnapshotDirDefault
- )
- if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir):
- indexSnapshotDirFull = os.path.realpath(indexSnapshotDir)
- indexSnapshotDir = (
- f"./{os.path.relpath(indexSnapshotDirDefault, malcolm_install_path)}"
- if same_file_or_dir(indexSnapshotDirDefault, indexSnapshotDirFull)
- else indexSnapshotDirFull
+ ###################################################################################
+ elif currentStep == ConfigOptions.StorageManagement:
+ # storage management (deleting oldest indices and/or PCAP files)
+ indexPruneSizeLimit = '0'
+ indexPruneNameSort = False
+ arkimeManagePCAP = False
+ arkimeFreeSpaceG = '10%'
+ extractedFileMaxSizeThreshold = '1TB'
+ extractedFileMaxPercentThreshold = 0
+
+ diskUsageManagementPrompt = InstallerYesOrNo(
+ (
+ 'Should Malcolm delete the oldest database indices and capture artifacts based on available storage?'
+ if (malcolmProfile == PROFILE_MALCOLM)
+ else 'Should Malcolm delete the oldest capture artifacts based on available storage?'
+ ),
+ default=args.arkimeManagePCAP
+ or bool(args.indexPruneSizeLimit)
+ or bool(args.extractedFileMaxSizeThreshold)
+ or (args.extractedFileMaxPercentThreshold > 0),
+ extraLabel=BACK_LABEL,
+ )
+ if diskUsageManagementPrompt:
+
+ # delete oldest indexes based on index pattern size
+ if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Delete the oldest indices when the database exceeds a certain size?',
+ default=bool(args.indexPruneSizeLimit),
+ extraLabel=BACK_LABEL,
+ ):
+ indexPruneSizeLimit = ''
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid index threshold')
+ while (
+ (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE))
+ and (indexPruneSizeLimit != '0')
+ and loopBreaker.increment()
+ ):
+ indexPruneSizeLimit = InstallerAskForString(
+ 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)',
+ default=args.indexPruneSizeLimit,
+ extraLabel=BACK_LABEL,
)
- break
+ indexPruneNameSort = InstallerYesOrNo(
+ 'Determine oldest indices by name (instead of creation time)?',
+ default=False,
+ extraLabel=BACK_LABEL,
+ )
- # make sure paths specified (and their necessary children) exist
- for pathToCreate in (
- malcolm_install_path,
- indexDirFull,
- indexSnapshotDirFull,
- os.path.join(pcapDirFull, 'arkime-live'),
- os.path.join(pcapDirFull, 'processed'),
- os.path.join(pcapDirFull, os.path.join('upload', os.path.join('tmp', 'spool'))),
- os.path.join(pcapDirFull, os.path.join('upload', 'variants')),
- os.path.join(suricataLogDirFull, 'live'),
- os.path.join(zeekLogDirFull, 'current'),
- os.path.join(zeekLogDirFull, 'live'),
- os.path.join(zeekLogDirFull, 'upload'),
- os.path.join(zeekLogDirFull, os.path.join('extract_files', 'preserved')),
- os.path.join(zeekLogDirFull, os.path.join('extract_files', 'quarantine')),
- ):
- try:
- if args.debug:
- eprint(f"Creating {pathToCreate}")
- pathlib.Path(pathToCreate).mkdir(parents=True, exist_ok=True)
- if (
- ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC))
- and (self.scriptUser == "root")
- and (getpwuid(os.stat(pathToCreate).st_uid).pw_name == self.scriptUser)
- ):
- if args.debug:
- eprint(f"Setting permissions of {pathToCreate} to {puid}:{pgid}")
- # change ownership of newly-created directory to match puid/pgid
- os.chown(pathToCreate, int(puid), int(pgid))
- except Exception as e:
- eprint(f"Creating {pathToCreate} failed: {e}")
-
- # storage management (deleting oldest indices and/or PCAP files)
- indexPruneSizeLimit = '0'
- indexPruneNameSort = False
- arkimeManagePCAP = False
- arkimeFreeSpaceG = '10%'
- extractedFileMaxSizeThreshold = '1TB'
- extractedFileMaxPercentThreshold = 0
- indexManagementPolicy = False
- indexManagementHotWarm = False
- indexManagementOptimizationTimePeriod = '30d'
- indexManagementSpiDataRetention = '90d'
- indexManagementReplicas = 0
- indexManagementHistoryInWeeks = 13
- indexManagementOptimizeSessionSegments = 1
-
- loopBreaker = CountUntilException(
- MaxAskForValueCount,
- f'Invalid ILM/ISM setting(s)',
- )
- indexManagementPolicy = InstallerYesOrNo(
- f'Enable index management policies (ILM/ISM) in Arkime?', default=args.indexManagementPolicy
- )
- if indexManagementPolicy:
- while loopBreaker.increment():
- # Set 'hot' for 'node.attr.molochtype' on new indices, warm on non sessions indices
- indexManagementHotWarm = InstallerYesOrNo(
- f'Should Arkime use a hot/warm design in which non-session data is stored in a warm index?',
- default=args.indexManagementHotWarm,
- )
- if indexManagementHotWarm:
- if opensearchPrimaryMode == DatabaseMode.ElasticsearchRemote:
- InstallerDisplayMessage(
- f'You must configure "hot" and "warm" nodes types in the remote Elasticsearch instance (https://arkime.com/faq#ilm)'
- )
- else:
- InstallerDisplayMessage(
- f'You must configure "hot" and "warm" nodes types in the OpenSearch instance'
+ # let Arkime delete old PCAP files based on available storage
+ arkimeManagePCAP = (
+ (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal)
+ or (malcolmProfile != PROFILE_MALCOLM)
+ or InstallerYesOrNo(
+ 'Should Arkime delete uploaded PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?',
+ default=args.arkimeManagePCAP,
+ extraLabel=BACK_LABEL,
+ )
)
- # Time in hours/days before (moving Arkime indexes to warm) and force merge (number followed by h or d), default 30d
- indexManagementOptimizationTimePeriod = InstallerAskForString(
- "How long should Arkime keep an index in the hot node? (e.g. 25h, 5d, etc.)",
- default=args.indexManagementOptimizationTimePeriod,
- )
- # Time in hours/days before deleting Arkime indexes (number followed by h or d), default 90d
- indexManagementSpiDataRetention = InstallerAskForString(
- "How long should Arkime retain SPI data before deleting it? (e.g. 25h, 90d, etc.)",
- default=str(args.indexManagementSpiDataRetention),
- )
- # Number of segments to optimize sessions to in the ILM policy, default 1
- indexManagementOptimizeSessionSegments = InstallerAskForString(
- "How many segments should Arkime use to optimize?",
- default=str(args.indexManagementOptimizeSessionSegments),
- )
- # Number of replicas for older sessions indices in the ILM policy, default 0
- indexManagementReplicas = InstallerAskForString(
- "How many replicas should Arkime maintain for older session indices?",
- default=str(args.indexManagementReplicas),
- )
- # Number of weeks of history to keep, default 13
- indexManagementHistoryInWeeks = InstallerAskForString(
- "How many weeks of history should Arkime keep?", default=str(args.indexManagementHistoryInWeeks)
- )
- if (
- (re.match(r"\d+(h|d)", indexManagementOptimizationTimePeriod))
- and (re.match(r"\d+(h|d)", indexManagementSpiDataRetention))
- and str(indexManagementOptimizeSessionSegments).isdigit()
- and str(indexManagementReplicas).isdigit()
- and str(indexManagementHistoryInWeeks).isdigit()
- ):
- break
+ if arkimeManagePCAP:
+ arkimeFreeSpaceGTmp = ''
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP deletion threshold')
+ while (
+ not re.match(r'^\d+%?$', arkimeFreeSpaceGTmp, flags=re.IGNORECASE)
+ ) and loopBreaker.increment():
+ arkimeFreeSpaceGTmp = InstallerAskForString(
+ 'Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)',
+ default=args.arkimeFreeSpaceG,
+ extraLabel=BACK_LABEL,
+ )
+ if arkimeFreeSpaceGTmp:
+ arkimeFreeSpaceG = arkimeFreeSpaceGTmp
+ ###################################################################################
+ elif currentStep == ConfigOptions.AutoArkime:
+ autoArkime = InstallerYesOrNo(
+ 'Automatically analyze all PCAP files with Arkime?',
+ default=args.autoArkime,
+ extraLabel=BACK_LABEL,
+ )
+ ###################################################################################
+ elif currentStep == ConfigOptions.AutoSuricata:
+ autoSuricata = InstallerYesOrNo(
+ 'Automatically analyze all PCAP files with Suricata?',
+ default=args.autoSuricata,
+ extraLabel=BACK_LABEL,
+ )
+ ###################################################################################
+ elif currentStep == ConfigOptions.SuricataRuleUpdate:
+ suricataRuleUpdate = autoSuricata and InstallerYesOrNo(
+ 'Download updated Suricata signatures periodically?',
+ default=args.suricataRuleUpdate,
+ extraLabel=BACK_LABEL,
+ )
+ ###################################################################################
+ elif currentStep == ConfigOptions.AutoZeek:
+ autoZeek = InstallerYesOrNo(
+ 'Automatically analyze all PCAP files with Zeek?',
+ default=args.autoZeek,
+ extraLabel=BACK_LABEL,
+ )
+ ###################################################################################
+ elif currentStep == ConfigOptions.ICS:
+ malcolmIcs = InstallerYesOrNo(
+ 'Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?',
+ default=args.malcolmIcs,
+ extraLabel=BACK_LABEL,
+ )
- diskUsageManagementPrompt = InstallerYesOrNo(
- (
- 'Should Malcolm delete the oldest database indices and capture artifacts based on available storage?'
- if ((opensearchPrimaryMode == DatabaseMode.OpenSearchLocal) and (malcolmProfile == PROFILE_MALCOLM))
- else 'Should Malcolm delete the oldest capture artifacts based on available storage?'
- ),
- default=args.arkimeManagePCAP
- or bool(args.indexPruneSizeLimit)
- or bool(args.extractedFileMaxSizeThreshold)
- or (args.extractedFileMaxPercentThreshold > 0),
- )
- if diskUsageManagementPrompt:
+ zeekICSBestGuess = (
+ autoZeek
+ and malcolmIcs
+ and InstallerYesOrNo(
+ 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?',
+ default=args.zeekICSBestGuess,
+ extraLabel=BACK_LABEL,
+ )
+ )
- # delete oldest indexes based on index pattern size
- if (
- (malcolmProfile == PROFILE_MALCOLM)
- and (opensearchPrimaryMode == DatabaseMode.OpenSearchLocal)
- and InstallerYesOrNo(
- 'Delete the oldest indices when the database exceeds a certain size?',
- default=bool(args.indexPruneSizeLimit),
- )
- ):
- indexPruneSizeLimit = ''
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid index threshold')
- while (
- (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE))
- and (indexPruneSizeLimit != '0')
- and loopBreaker.increment()
- ):
- indexPruneSizeLimit = InstallerAskForString(
- 'Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)', default=args.indexPruneSizeLimit
+ ###################################################################################
+ elif currentStep == ConfigOptions.Enrichment:
+ reverseDns = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?',
+ default=args.reverseDns,
+ extraLabel=BACK_LABEL,
+ )
+ autoOui = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Perform hardware vendor OUI lookups for MAC addresses?',
+ default=args.autoOui,
+ extraLabel=BACK_LABEL,
+ )
+ autoFreq = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Perform string randomness scoring on some fields?',
+ default=args.autoFreq,
+ extraLabel=BACK_LABEL,
)
- indexPruneNameSort = InstallerYesOrNo(
- 'Determine oldest indices by name (instead of creation time)?', default=False
- )
- # let Arkime delete old PCAP files based on available storage
- arkimeManagePCAP = (
- (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal)
- or (malcolmProfile != PROFILE_MALCOLM)
- or InstallerYesOrNo(
- 'Should Arkime delete uploaded PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?',
- default=args.arkimeManagePCAP,
- )
- )
- if arkimeManagePCAP:
- arkimeFreeSpaceGTmp = ''
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid PCAP deletion threshold')
- while (not re.match(r'^\d+%?$', arkimeFreeSpaceGTmp, flags=re.IGNORECASE)) and loopBreaker.increment():
- arkimeFreeSpaceGTmp = InstallerAskForString(
- 'Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)',
- default=args.arkimeFreeSpaceG,
+ ###################################################################################
+ elif currentStep == ConfigOptions.OpenPorts:
+ openPortsSelection = (
+ 'c'
+ if (args.exposeLogstash or args.exposeOpenSearch or args.exposeFilebeatTcp or args.exposeSFTP)
+ else 'unset'
)
- if arkimeFreeSpaceGTmp:
- arkimeFreeSpaceG = arkimeFreeSpaceGTmp
+ if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
+ if malcolmProfile == PROFILE_MALCOLM:
+ openPortsOptions = ('no', 'yes', 'customize')
+ loopBreaker = CountUntilException(MaxAskForValueCount)
+ while (
+ openPortsSelection not in [x[0] for x in openPortsOptions] and loopBreaker.increment()
+ ):
+ openPortsSelection = InstallerChooseOne(
+ 'Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?',
+ choices=[(x, '', x == openPortsOptions[0]) for x in openPortsOptions],
+ extraLabel=BACK_LABEL,
+ )[0]
+ if openPortsSelection == 'n':
+ opensearchOpen = False
+ logstashOpen = False
+ filebeatTcpOpen = False
+ elif openPortsSelection == 'y':
+ opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
+ logstashOpen = True
+ filebeatTcpOpen = True
+ else:
+ openPortsSelection = 'c'
+ opensearchOpen = (
+ opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
+ ) and InstallerYesOrNo(
+ 'Expose OpenSearch port to external hosts?',
+ default=args.exposeOpenSearch,
+ extraLabel=BACK_LABEL,
+ )
+ logstashOpen = InstallerYesOrNo(
+ 'Expose Logstash port to external hosts?',
+ default=args.exposeLogstash,
+ extraLabel=BACK_LABEL,
+ )
+ filebeatTcpOpen = InstallerYesOrNo(
+ 'Expose Filebeat TCP port to external hosts?',
+ default=args.exposeFilebeatTcp,
+ extraLabel=BACK_LABEL,
+ )
+ else:
+ opensearchOpen = False
+ openPortsSelection = 'n'
+ logstashOpen = False
+ filebeatTcpOpen = False
- autoArkime = InstallerYesOrNo('Automatically analyze all PCAP files with Arkime?', default=args.autoArkime)
- autoSuricata = InstallerYesOrNo(
- 'Automatically analyze all PCAP files with Suricata?', default=args.autoSuricata
- )
- suricataRuleUpdate = autoSuricata and InstallerYesOrNo(
- 'Download updated Suricata signatures periodically?', default=args.suricataRuleUpdate
- )
- autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=args.autoZeek)
+ else:
+ opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
+ openPortsSelection = 'y'
+ logstashOpen = True
+ filebeatTcpOpen = True
+
+ filebeatTcpFormat = 'json'
+ filebeatTcpSourceField = 'message'
+ filebeatTcpTargetField = 'miscbeat'
+ filebeatTcpDropField = filebeatTcpSourceField
+ filebeatTcpTag = '_malcolm_beats'
+ if (
+ filebeatTcpOpen
+ and (openPortsSelection == 'c')
+ and not InstallerYesOrNo(
+ 'Use default field values for Filebeat TCP listener?',
+ default=True,
+ extraLabel=BACK_LABEL,
+ )
+ ):
+ allowedFilebeatTcpFormats = ('json', 'raw')
+ filebeatTcpFormat = 'unset'
+ loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid log format')
+ while filebeatTcpFormat not in allowedFilebeatTcpFormats and loopBreaker.increment():
+ filebeatTcpFormat = InstallerChooseOne(
+ 'Select log format for messages sent to Filebeat TCP listener',
+ choices=[(x, '', x == allowedFilebeatTcpFormats[0]) for x in allowedFilebeatTcpFormats],
+ extraLabel=BACK_LABEL,
+ )
+ if filebeatTcpFormat == 'json':
+ filebeatTcpSourceField = InstallerAskForString(
+ 'Source field to parse for messages sent to Filebeat TCP listener',
+ default=filebeatTcpSourceField,
+ extraLabel=BACK_LABEL,
+ )
+ filebeatTcpTargetField = InstallerAskForString(
+ 'Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener',
+ default=filebeatTcpTargetField,
+ extraLabel=BACK_LABEL,
+ )
+ filebeatTcpDropField = InstallerAskForString(
+ 'Field to drop from events sent to Filebeat TCP listener',
+ default=filebeatTcpSourceField,
+ extraLabel=BACK_LABEL,
+ )
+ filebeatTcpTag = InstallerAskForString(
+ 'Tag to apply to messages sent to Filebeat TCP listener',
+ default=filebeatTcpTag,
+ extraLabel=BACK_LABEL,
+ )
- malcolmIcs = InstallerYesOrNo(
- 'Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?',
- default=args.malcolmIcs,
- )
+ sftpOpen = (
+ (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE)
+ and (malcolmProfile == PROFILE_MALCOLM)
+ and (openPortsSelection == 'c')
+ and InstallerYesOrNo(
+ 'Expose SFTP server (for PCAP upload) to external hosts?',
+ default=args.exposeSFTP,
+ extraLabel=BACK_LABEL,
+ )
+ )
- zeekICSBestGuess = (
- autoZeek
- and malcolmIcs
- and InstallerYesOrNo(
- 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?',
- default=args.zeekICSBestGuess,
- )
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.FileCarving:
+ # input file extraction parameters
+ allowedFileCarveModes = {
+ 'none': 'No file extraction',
+ 'known': 'Extract recognized MIME types',
+ 'mapped': 'Extract MIME types for which file extensions are known',
+ 'all': 'Extract all files',
+ 'interesting': 'Extract MIME types of common attack vectors',
+ 'notcommtxt': 'Extract all except common plain text files',
+ }
+ allowedFilePreserveModes = ('quarantined', 'all', 'none')
+
+ fileCarveMode = None
+ fileCarveModeDefault = args.fileCarveMode.lower() if args.fileCarveMode else None
+ filePreserveMode = None
+ filePreserveModeDefault = args.filePreserveMode.lower() if args.filePreserveMode else None
+ vtotApiKey = '0'
+ yaraScan = False
+ capaScan = False
+ clamAvScan = False
+ fileScanRuleUpdate = False
+ fileCarveHttpServer = False
+ fileCarveHttpServerZip = False
+ fileCarveHttpServeEncryptKey = ''
+
+ if InstallerYesOrNo('Enable file extraction with Zeek?', default=bool(fileCarveModeDefault)):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file extraction behavior')
+ while fileCarveMode not in allowedFileCarveModes.keys() and loopBreaker.increment():
+ fileCarveMode = InstallerChooseOne(
+ 'Select file extraction behavior',
+ choices=[
+ (
+ x,
+ allowedFileCarveModes[x],
+ x == fileCarveModeDefault if fileCarveModeDefault else 'none',
+ )
+ for x in allowedFileCarveModes.keys()
+ ],
+ extraLabel=BACK_LABEL,
+ )
+ if fileCarveMode and (fileCarveMode != 'none'):
+
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior')
+ while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment():
+ filePreserveMode = InstallerChooseOne(
+ 'Select file preservation behavior',
+ choices=[
+ (
+ x,
+ '',
+ (
+ x == filePreserveModeDefault
+ if filePreserveModeDefault
+ else allowedFilePreserveModes[0]
+ ),
+ )
+ for x in allowedFilePreserveModes
+ ],
+ extraLabel=BACK_LABEL,
+ )
- reverseDns = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Perform reverse DNS lookup locally for source and destination IP addresses in logs?',
- default=args.reverseDns,
- )
- autoOui = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Perform hardware vendor OUI lookups for MAC addresses?', default=args.autoOui
- )
- autoFreq = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Perform string randomness scoring on some fields?', default=args.autoFreq
- )
+ if diskUsageManagementPrompt:
+ loopBreaker = CountUntilException(
+ MaxAskForValueCount, 'Invalid Zeek extracted file prune threshold'
+ )
+ extractedFilePruneThresholdTemp = ''
+ while (
+ not re.match(
+ r'^\d+(\.\d+)?\s*[kmgtp%]?b?$',
+ extractedFilePruneThresholdTemp,
+ flags=re.IGNORECASE,
+ )
+ ) and loopBreaker.increment():
+ extractedFilePruneThresholdTemp = InstallerAskForString(
+ 'Enter maximum allowed space for Zeek-extracted files (e.g., 250GB) or file system fill threshold (e.g., 90%)',
+ default=(
+ args.extractedFileMaxPercentThreshold
+ if args.extractedFileMaxPercentThreshold
+ else args.extractedFileMaxSizeThreshold
+ ),
+ extraLabel=BACK_LABEL,
+ )
+ if extractedFilePruneThresholdTemp:
+ if '%' in extractedFilePruneThresholdTemp:
+ extractedFileMaxPercentThreshold = str2percent(extractedFilePruneThresholdTemp)
+ extractedFileMaxSizeThreshold = '0'
+ else:
+ extractedFileMaxPercentThreshold = 0
+ extractedFileMaxSizeThreshold = extractedFilePruneThresholdTemp
+
+ fileCarveHttpServer = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Expose web interface for downloading preserved files?',
+ default=args.fileCarveHttpServer,
+ extraLabel=BACK_LABEL,
+ )
+ if fileCarveHttpServer:
+ fileCarveHttpServerZip = InstallerYesOrNo(
+ 'ZIP downloaded preserved files?',
+ default=args.fileCarveHttpServerZip,
+ extraLabel=BACK_LABEL,
+ )
+ fileCarveHttpServeEncryptKey = InstallerAskForString(
+ (
+ 'Enter ZIP archive password for downloaded preserved files (or leave blank for unprotected)'
+ if fileCarveHttpServerZip
+ else 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)'
+ ),
+ default=args.fileCarveHttpServeEncryptKey,
+ extraLabel=BACK_LABEL,
+ )
+ if fileCarveMode is not None:
+ if InstallerYesOrNo(
+ 'Scan extracted files with ClamAV?',
+ default=args.clamAvScan,
+ extraLabel=BACK_LABEL,
+ ):
+ clamAvScan = True
+ if InstallerYesOrNo(
+ 'Scan extracted files with Yara?',
+ default=args.yaraScan,
+ extraLabel=BACK_LABEL,
+ ):
+ yaraScan = True
+ if InstallerYesOrNo(
+ 'Scan extracted PE files with Capa?',
+ default=args.capaScan,
+ extraLabel=BACK_LABEL,
+ ):
+ capaScan = True
+ if InstallerYesOrNo(
+ 'Lookup extracted file hashes with VirusTotal?',
+ default=(len(args.vtotApiKey) > 1),
+ extraLabel=BACK_LABEL,
+ ):
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key')
+ while (len(vtotApiKey) <= 1) and loopBreaker.increment():
+ vtotApiKey = InstallerAskForString(
+ 'Enter VirusTotal API key',
+ default=args.vtotApiKey,
+ extraLabel=BACK_LABEL,
+ )
+ fileScanRuleUpdate = InstallerYesOrNo(
+ 'Download updated file scanner signatures periodically?',
+ default=args.fileScanRuleUpdate,
+ extraLabel=BACK_LABEL,
+ )
- openPortsSelection = (
- 'c'
- if (args.exposeLogstash or args.exposeOpenSearch or args.exposeFilebeatTcp or args.exposeSFTP)
- else 'unset'
- )
- if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
- if malcolmProfile == PROFILE_MALCOLM:
- openPortsOptions = ('no', 'yes', 'customize')
- loopBreaker = CountUntilException(MaxAskForValueCount)
- while openPortsSelection not in [x[0] for x in openPortsOptions] and loopBreaker.increment():
- openPortsSelection = InstallerChooseOne(
- 'Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?',
- choices=[(x, '', x == openPortsOptions[0]) for x in openPortsOptions],
- )[0]
- if openPortsSelection == 'n':
- opensearchOpen = False
- logstashOpen = False
- filebeatTcpOpen = False
- elif openPortsSelection == 'y':
- opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
- logstashOpen = True
- filebeatTcpOpen = True
- else:
- openPortsSelection = 'c'
- opensearchOpen = (opensearchPrimaryMode == DatabaseMode.OpenSearchLocal) and InstallerYesOrNo(
- 'Expose OpenSearch port to external hosts?', default=args.exposeOpenSearch
+ if fileCarveMode not in allowedFileCarveModes.keys():
+ fileCarveMode = 'none'
+ if filePreserveMode not in allowedFilePreserveModes:
+ filePreserveMode = allowedFilePreserveModes[0]
+ if (vtotApiKey is None) or (len(vtotApiKey) <= 1):
+ vtotApiKey = '0'
+
+ ###################################################################################
+ elif currentStep == ConfigOptions.NetBox:
+ # NetBox
+ netboxEnabled = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
+ 'Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool?',
+ default=args.netboxEnabled,
+ extraLabel=BACK_LABEL,
)
- logstashOpen = InstallerYesOrNo(
- 'Expose Logstash port to external hosts?', default=args.exposeLogstash
+ netboxLogstashEnrich = netboxEnabled and InstallerYesOrNo(
+ 'Should Malcolm enrich network traffic using NetBox?',
+ default=args.netboxLogstashEnrich,
+ extraLabel=BACK_LABEL,
)
- filebeatTcpOpen = InstallerYesOrNo(
- 'Expose Filebeat TCP port to external hosts?', default=args.exposeFilebeatTcp
+ netboxAutoPopulate = netboxEnabled and InstallerYesOrNo(
+ 'Should Malcolm automatically populate NetBox inventory based on observed network traffic?',
+ default=args.netboxAutoPopulate,
+ extraLabel=BACK_LABEL,
)
- else:
- opensearchOpen = False
- openPortsSelection = 'n'
- logstashOpen = False
- filebeatTcpOpen = False
-
- else:
- opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal
- openPortsSelection = 'y'
- logstashOpen = True
- filebeatTcpOpen = True
-
- filebeatTcpFormat = 'json'
- filebeatTcpSourceField = 'message'
- filebeatTcpTargetField = 'miscbeat'
- filebeatTcpDropField = filebeatTcpSourceField
- filebeatTcpTag = '_malcolm_beats'
- if (
- filebeatTcpOpen
- and (openPortsSelection == 'c')
- and not InstallerYesOrNo('Use default field values for Filebeat TCP listener?', default=True)
- ):
- allowedFilebeatTcpFormats = ('json', 'raw')
- filebeatTcpFormat = 'unset'
- loopBreaker = CountUntilException(MaxAskForValueCount, f'Invalid log format')
- while filebeatTcpFormat not in allowedFilebeatTcpFormats and loopBreaker.increment():
- filebeatTcpFormat = InstallerChooseOne(
- 'Select log format for messages sent to Filebeat TCP listener',
- choices=[(x, '', x == allowedFilebeatTcpFormats[0]) for x in allowedFilebeatTcpFormats],
- )
- if filebeatTcpFormat == 'json':
- filebeatTcpSourceField = InstallerAskForString(
- 'Source field to parse for messages sent to Filebeat TCP listener',
- default=filebeatTcpSourceField,
- )
- filebeatTcpTargetField = InstallerAskForString(
- 'Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener',
- default=filebeatTcpTargetField,
- )
- filebeatTcpDropField = InstallerAskForString(
- 'Field to drop from events sent to Filebeat TCP listener',
- default=filebeatTcpSourceField,
- )
- filebeatTcpTag = InstallerAskForString(
- 'Tag to apply to messages sent to Filebeat TCP listener',
- default=filebeatTcpTag,
- )
-
- sftpOpen = (
- (self.orchMode is OrchestrationFramework.DOCKER_COMPOSE)
- and (malcolmProfile == PROFILE_MALCOLM)
- and (openPortsSelection == 'c')
- and InstallerYesOrNo('Expose SFTP server (for PCAP upload) to external hosts?', default=args.exposeSFTP)
- )
-
- # input file extraction parameters
- allowedFileCarveModes = {
- 'none': 'No file extraction',
- 'known': 'Extract recognized MIME types',
- 'mapped': 'Extract MIME types for which file extensions are known',
- 'all': 'Extract all files',
- 'interesting': 'Extract MIME types of common attack vectors',
- 'notcommtxt': 'Extract all except common plain text files',
- }
- allowedFilePreserveModes = ('quarantined', 'all', 'none')
-
- fileCarveMode = None
- fileCarveModeDefault = args.fileCarveMode.lower() if args.fileCarveMode else None
- filePreserveMode = None
- filePreserveModeDefault = args.filePreserveMode.lower() if args.filePreserveMode else None
- vtotApiKey = '0'
- yaraScan = False
- capaScan = False
- clamAvScan = False
- fileScanRuleUpdate = False
- fileCarveHttpServer = False
- fileCarveHttpServerZip = False
- fileCarveHttpServeEncryptKey = ''
-
- if InstallerYesOrNo('Enable file extraction with Zeek?', default=bool(fileCarveModeDefault)):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file extraction behavior')
- while fileCarveMode not in allowedFileCarveModes.keys() and loopBreaker.increment():
- fileCarveMode = InstallerChooseOne(
- 'Select file extraction behavior',
- choices=[
- (
- x,
- allowedFileCarveModes[x],
- x == fileCarveModeDefault if fileCarveModeDefault else 'none',
+ netboxLogstashAutoSubnets = netboxLogstashEnrich and InstallerYesOrNo(
+ 'Should Malcolm automatically create missing NetBox subnet prefixes based on observed network traffic?',
+ default=args.netboxLogstashAutoSubnets,
+ extraLabel=BACK_LABEL,
+ )
+ netboxSiteName = (
+ InstallerAskForString(
+ 'Specify default NetBox site name',
+ default=args.netboxSiteName,
+ extraLabel=BACK_LABEL,
)
- for x in allowedFileCarveModes.keys()
- ],
- )
- if fileCarveMode and (fileCarveMode != 'none'):
-
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid file preservation behavior')
- while filePreserveMode not in allowedFilePreserveModes and loopBreaker.increment():
- filePreserveMode = InstallerChooseOne(
- 'Select file preservation behavior',
- choices=[
- (
- x,
- '',
- (
- x == filePreserveModeDefault
- if filePreserveModeDefault
- else allowedFilePreserveModes[0]
- ),
- )
- for x in allowedFilePreserveModes
- ],
+ if netboxEnabled
+ else ''
)
-
- if diskUsageManagementPrompt:
- loopBreaker = CountUntilException(
- MaxAskForValueCount, 'Invalid Zeek extracted file prune threshold'
+ if len(netboxSiteName) == 0:
+ netboxSiteName = 'Malcolm'
+
+ ###################################################################################
+ elif currentStep == ConfigOptions.Capture:
+ # input packet capture parameters
+ pcapNetSniff = False
+ pcapTcpDump = False
+ liveArkime = False
+ liveArkimeNodeHost = ''
+ liveZeek = False
+ liveSuricata = False
+ pcapIface = 'lo'
+ tweakIface = False
+ pcapFilter = ''
+ captureSelection = (
+ 'c'
+ if (
+ args.pcapNetSniff
+ or args.pcapTcpDump
+ or args.liveZeek
+ or args.liveSuricata
+ or (malcolmProfile == PROFILE_HEDGEHOG)
+ )
+ else 'unset'
)
- extractedFilePruneThresholdTemp = ''
- while (
- not re.match(
- r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', extractedFilePruneThresholdTemp, flags=re.IGNORECASE
+
+ captureOptions = ('no', 'yes', 'customize')
+ loopBreaker = CountUntilException(MaxAskForValueCount)
+ while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment():
+ captureSelection = InstallerChooseOne(
+ 'Should Malcolm capture live network traffic?',
+ choices=[(x, '', x == captureOptions[0]) for x in captureOptions],
+ extraLabel=BACK_LABEL,
+ )[0]
+ if captureSelection == 'y':
+ liveArkime = (malcolmProfile == PROFILE_HEDGEHOG) or (
+ opensearchPrimaryMode != DatabaseMode.OpenSearchLocal
)
- ) and loopBreaker.increment():
- extractedFilePruneThresholdTemp = InstallerAskForString(
- 'Enter maximum allowed space for Zeek-extracted files (e.g., 250GB) or file system fill threshold (e.g., 90%)',
- default=(
- args.extractedFileMaxPercentThreshold
- if args.extractedFileMaxPercentThreshold
- else args.extractedFileMaxSizeThreshold
- ),
+ pcapNetSniff = not liveArkime
+ liveSuricata = True
+ liveZeek = True
+ tweakIface = True
+ elif captureSelection == 'c':
+ if InstallerYesOrNo(
+ 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?',
+ default=args.pcapNetSniff
+ or args.pcapTcpDump
+ or args.liveArkime
+ or (malcolmProfile == PROFILE_HEDGEHOG),
+ extraLabel=BACK_LABEL,
+ ):
+ liveArkime = (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) and (
+ (malcolmProfile == PROFILE_HEDGEHOG)
+ or InstallerYesOrNo(
+ 'Capture packets using Arkime capture?',
+ default=args.liveArkime,
+ extraLabel=BACK_LABEL,
+ )
+ )
+ pcapNetSniff = (not liveArkime) and InstallerYesOrNo(
+ 'Capture packets using netsniff-ng?',
+ default=args.pcapNetSniff,
+ extraLabel=BACK_LABEL,
+ )
+ pcapTcpDump = (
+ (not liveArkime)
+ and (not pcapNetSniff)
+ and InstallerYesOrNo(
+ 'Capture packets using tcpdump?',
+ default=args.pcapTcpDump,
+ extraLabel=BACK_LABEL,
+ )
+ )
+ liveSuricata = InstallerYesOrNo(
+ 'Should Malcolm analyze live network traffic with Suricata?',
+ default=args.liveSuricata,
+ extraLabel=BACK_LABEL,
)
- if extractedFilePruneThresholdTemp:
- if '%' in extractedFilePruneThresholdTemp:
- extractedFileMaxPercentThreshold = str2percent(extractedFilePruneThresholdTemp)
- extractedFileMaxSizeThreshold = '0'
- else:
- extractedFileMaxPercentThreshold = 0
- extractedFileMaxSizeThreshold = extractedFilePruneThresholdTemp
+ liveZeek = InstallerYesOrNo(
+ 'Should Malcolm analyze live network traffic with Zeek?',
+ default=args.liveZeek,
+ extraLabel=BACK_LABEL,
+ )
+ if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata:
+ pcapFilter = InstallerAskForString(
+ 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)',
+ default=args.pcapFilter,
+ extraLabel=BACK_LABEL,
+ )
+ # Arkime requires disabling NIC offloading: https://arkime.com/faq#arkime_requires_full_packet_captures_error
+ tweakIface = liveArkime or InstallerYesOrNo(
+ 'Disable capture interface hardware offloading and adjust ring buffer sizes?',
+ default=args.tweakIface,
+ extraLabel=BACK_LABEL,
+ )
- fileCarveHttpServer = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Expose web interface for downloading preserved files?', default=args.fileCarveHttpServer
- )
- if fileCarveHttpServer:
- fileCarveHttpServerZip = InstallerYesOrNo(
- 'ZIP downloaded preserved files?', default=args.fileCarveHttpServerZip
- )
- fileCarveHttpServeEncryptKey = InstallerAskForString(
- (
- 'Enter ZIP archive password for downloaded preserved files (or leave blank for unprotected)'
- if fileCarveHttpServerZip
- else 'Enter AES-256-CBC encryption password for downloaded preserved files (or leave blank for unencrypted)'
- ),
- default=args.fileCarveHttpServeEncryptKey,
- )
- if fileCarveMode is not None:
- if InstallerYesOrNo('Scan extracted files with ClamAV?', default=args.clamAvScan):
- clamAvScan = True
- if InstallerYesOrNo('Scan extracted files with Yara?', default=args.yaraScan):
- yaraScan = True
- if InstallerYesOrNo('Scan extracted PE files with Capa?', default=args.capaScan):
- capaScan = True
- if InstallerYesOrNo(
- 'Lookup extracted file hashes with VirusTotal?', default=(len(args.vtotApiKey) > 1)
- ):
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid VirusTotal API key')
- while (len(vtotApiKey) <= 1) and loopBreaker.increment():
- vtotApiKey = InstallerAskForString('Enter VirusTotal API key', default=args.vtotApiKey)
- fileScanRuleUpdate = InstallerYesOrNo(
- 'Download updated file scanner signatures periodically?', default=args.fileScanRuleUpdate
- )
+ if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata:
+ pcapIface = ''
+ loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)')
+ while (len(pcapIface) <= 0) and loopBreaker.increment():
+ pcapIface = InstallerAskForString(
+ 'Specify capture interface(s) (comma-separated)',
+ default=args.pcapIface,
+ extraLabel=BACK_LABEL,
+ )
- if fileCarveMode not in allowedFileCarveModes.keys():
- fileCarveMode = 'none'
- if filePreserveMode not in allowedFilePreserveModes:
- filePreserveMode = allowedFilePreserveModes[0]
- if (vtotApiKey is None) or (len(vtotApiKey) <= 1):
- vtotApiKey = '0'
-
- # NetBox
- netboxEnabled = (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo(
- 'Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool?',
- default=args.netboxEnabled,
- )
- netboxLogstashEnrich = netboxEnabled and InstallerYesOrNo(
- 'Should Malcolm enrich network traffic using NetBox?',
- default=args.netboxLogstashEnrich,
- )
- netboxAutoPopulate = netboxEnabled and InstallerYesOrNo(
- 'Should Malcolm automatically populate NetBox inventory based on observed network traffic?',
- default=args.netboxAutoPopulate,
- )
- netboxLogstashAutoSubnets = netboxLogstashEnrich and InstallerYesOrNo(
- 'Should Malcolm automatically create missing NetBox subnet prefixes based on observed network traffic?',
- default=args.netboxLogstashAutoSubnets,
- )
- netboxSiteName = (
- InstallerAskForString(
- 'Specify default NetBox site name',
- default=args.netboxSiteName,
- )
- if netboxEnabled
- else ''
- )
- if len(netboxSiteName) == 0:
- netboxSiteName = 'Malcolm'
-
- # input packet capture parameters
- pcapNetSniff = False
- pcapTcpDump = False
- liveArkime = False
- liveArkimeNodeHost = ''
- liveZeek = False
- liveSuricata = False
- pcapIface = 'lo'
- tweakIface = False
- pcapFilter = ''
- captureSelection = (
- 'c'
- if (
- args.pcapNetSniff
- or args.pcapTcpDump
- or args.liveZeek
- or args.liveSuricata
- or (malcolmProfile == PROFILE_HEDGEHOG)
- )
- else 'unset'
- )
+ if liveArkime:
+ liveArkimeNodeHost = InstallerAskForString(
+ f"Enter this node's hostname or IP to associate with network traffic metadata",
+ default=args.liveArkimeNodeHost,
+ extraLabel=BACK_LABEL,
+ )
- captureOptions = ('no', 'yes', 'customize')
- loopBreaker = CountUntilException(MaxAskForValueCount)
- while captureSelection not in [x[0] for x in captureOptions] and loopBreaker.increment():
- captureSelection = InstallerChooseOne(
- 'Should Malcolm capture live network traffic?',
- choices=[(x, '', x == captureOptions[0]) for x in captureOptions],
- )[0]
- if captureSelection == 'y':
- liveArkime = (malcolmProfile == PROFILE_HEDGEHOG) or (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal)
- pcapNetSniff = not liveArkime
- liveSuricata = True
- liveZeek = True
- tweakIface = True
- elif captureSelection == 'c':
- if InstallerYesOrNo(
- 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?',
- default=args.pcapNetSniff
- or args.pcapTcpDump
- or args.liveArkime
- or (malcolmProfile == PROFILE_HEDGEHOG),
- ):
- liveArkime = (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) and (
- (malcolmProfile == PROFILE_HEDGEHOG)
- or InstallerYesOrNo('Capture packets using Arkime capture?', default=args.liveArkime)
- )
- pcapNetSniff = (not liveArkime) and InstallerYesOrNo(
- 'Capture packets using netsniff-ng?', default=args.pcapNetSniff
- )
- pcapTcpDump = (
- (not liveArkime)
- and (not pcapNetSniff)
- and InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump)
- )
- liveSuricata = InstallerYesOrNo(
- 'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata
- )
- liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek)
- if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata:
- pcapFilter = InstallerAskForString(
- 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)',
- default=args.pcapFilter,
- )
- # Arkime requires disabling NIC offloading: https://arkime.com/faq#arkime_requires_full_packet_captures_error
- tweakIface = liveArkime or InstallerYesOrNo(
- 'Disable capture interface hardware offloading and adjust ring buffer sizes?',
- default=args.tweakIface,
- )
+ if (
+ (malcolmProfile == PROFILE_HEDGEHOG)
+ and (not pcapNetSniff)
+ and (not pcapTcpDump)
+ and (not liveZeek)
+ and (not liveSuricata)
+ and (not liveArkime)
+ ):
+ InstallerDisplayMessage(
+ f'Warning: Running with the {malcolmProfile} profile but no capture methods are enabled.',
+ )
- if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata:
- pcapIface = ''
- loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)')
- while (len(pcapIface) <= 0) and loopBreaker.increment():
- pcapIface = InstallerAskForString(
- 'Specify capture interface(s) (comma-separated)', default=args.pcapIface
- )
+ ###################################################################################
+ elif currentStep == ConfigOptions.DarkMode:
+ dashboardsDarkMode = (
+ (malcolmProfile == PROFILE_MALCOLM)
+ and (opensearchPrimaryMode != DatabaseMode.ElasticsearchRemote)
+ and InstallerYesOrNo(
+ 'Enable dark mode for OpenSearch Dashboards?',
+ default=args.dashboardsDarkMode,
+ extraLabel=BACK_LABEL,
+ )
+ )
- if liveArkime:
- liveArkimeNodeHost = InstallerAskForString(
- f"Enter this node's hostname or IP to associate with network traffic metadata",
- default=args.liveArkimeNodeHost,
- )
+ ###################################################################################
+ elif int(currentStep) >= int(ConfigOptions.PostConfig):
+ break
- if (
- (malcolmProfile == PROFILE_HEDGEHOG)
- and (not pcapNetSniff)
- and (not pcapTcpDump)
- and (not liveZeek)
- and (not liveSuricata)
- and (not liveArkime)
- ):
- InstallerDisplayMessage(
- f'Warning: Running with the {malcolmProfile} profile but no capture methods are enabled.',
- )
+ except DialogBackException:
+ if int(currentStep) >= 2:
+ currentStep = ConfigOptions(int(currentStep) - 2)
+ else:
+ currentStep = ConfigOptions.Preconfig
- dashboardsDarkMode = (
- (malcolmProfile == PROFILE_MALCOLM)
- and (opensearchPrimaryMode != DatabaseMode.ElasticsearchRemote)
- and InstallerYesOrNo('Enable dark mode for OpenSearch Dashboards?', default=args.dashboardsDarkMode)
- )
+ except DialogCanceledException:
+ raise
# modify values in .env files in args.configDir
@@ -1941,6 +2282,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
'PGID',
pgid,
),
+ # Container runtime engine (e.g., docker, podman)
+ EnvValue(
+ os.path.join(args.configDir, 'process.env'),
+ CONTAINER_RUNTIME_KEY,
+ 'kubernetes' if (self.orchMode is OrchestrationFramework.KUBERNETES) else args.runtimeBin,
+ ),
# Malcolm run profile (malcolm vs. hedgehog)
EnvValue(
os.path.join(args.configDir, 'process.env'),
@@ -2175,6 +2522,21 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
# stuff for all services
for service in data['services']:
+ # podman uses "userns_mode: keep-id"
+ deep_set(
+ data,
+ ['services', service, 'userns_mode'],
+ 'keep-id' if args.runtimeBin.startswith('podman') else None,
+ deleteIfNone=True,
+ )
+
+ # podman and docker have different logging driver options
+ deep_set(
+ data,
+ ['services', service, 'logging', 'driver'],
+ 'json-file' if args.runtimeBin.startswith('podman') else 'local',
+ )
+
# whether or not to restart services automatically (on boot, etc.)
deep_set(
data,
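Review bot: The podman test `args.runtimeBin.startswith('podman')` is evaluated twice per iteration of the service loop (L11995 and L12003), and the same prefix test is repeated at many other sites in this commit; hoisting it once above the loop, `isPodman = args.runtimeBin.startswith('podman')`, names the condition and keeps the two settings in step if the detection ever changes. The two comments say what is set but not why `userns_mode` must be removed rather than left empty for docker; a short `# docker rejects an empty userns_mode, so drop the key entirely` next to `deleteIfNone=True` would make the asymmetry with the logging block clear. The enclosing function starts outside this hunk.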
@@ -2259,9 +2621,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
'upload': (sftpOpen, 8022, 22),
}.items():
if service in data['services']:
- data['services'][service]['ports'] = [
- f"{'0.0.0.0' if portInfo[0] is True else '127.0.0.1'}:{portInfo[1]}:{portInfo[2]}"
- ]
+ if malcolmProfile == PROFILE_HEDGEHOG:
+ data['services'][service].pop('ports', None)
+ else:
+ data['services'][service]['ports'] = [
+ f"{'0.0.0.0' if portInfo[0] is True else '127.0.0.1'}:{portInfo[1]}:{portInfo[2]}"
+ ]
###################################
###################################
@@ -2279,13 +2644,16 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
]
# set bind IPs and ports based on whether it should be externally exposed or not
- data['services']['nginx-proxy']['ports'] = [
- f"{'0.0.0.0:443' if nginxSSL else '127.0.0.1:80'}:443",
- ]
- if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
- data['services']['nginx-proxy']['ports'].append(
- f"{'0.0.0.0' if opensearchOpen else '127.0.0.1'}:{'9200' if nginxSSL else '9201'}:9200"
- )
+ if malcolmProfile == PROFILE_HEDGEHOG:
+ data['services']['nginx-proxy'].pop('ports', None)
+ else:
+ data['services']['nginx-proxy']['ports'] = [
+ f"{'0.0.0.0:443' if nginxSSL else '127.0.0.1:80'}:443",
+ ]
+ if opensearchPrimaryMode == DatabaseMode.OpenSearchLocal:
+ data['services']['nginx-proxy']['ports'].append(
+ f"{'0.0.0.0' if opensearchOpen else '127.0.0.1'}:{'9200' if nginxSSL else '9201'}:9200"
+ )
# enable/disable/configure traefik labels if applicable
for label in (
@@ -2555,18 +2923,21 @@ def __init__(self, orchMode, debug=False, configOnly=False):
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
def install_docker(self):
+ global args
global requests_imported
result = False
if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# first see if docker is already installed and runnable
- err, out = self.run_process(['docker', 'info'], privileged=True)
+ err, out = self.run_process([args.runtimeBin, 'info'], privileged=True)
if err == 0:
result = True
- elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True):
+ elif args.runtimeBin.startswith('docker') and InstallerYesOrNo(
+ '"docker info" failed, attempt to install Docker?', default=True
+ ):
if InstallerYesOrNo('Attempt to install Docker using official repositories?', default=True):
# install required packages for repo-based install
if self.distro == PLATFORM_LINUX_UBUNTU:
@@ -2717,7 +3088,11 @@ def install_docker(self):
else:
eprint(f"Downloading https://get.docker.com/ to {tempFileName} failed")
- if result and ((self.distro == PLATFORM_LINUX_FEDORA) or (self.distro == PLATFORM_LINUX_CENTOS)):
+ if (
+ result
+ and args.runtimeBin.startswith('docker')
+ and ((self.distro == PLATFORM_LINUX_FEDORA) or (self.distro == PLATFORM_LINUX_CENTOS))
+ ):
# centos/fedora don't automatically start/enable the daemon, so do so now
err, out = self.run_process(['systemctl', 'start', 'docker'], privileged=True)
if err == 0:
@@ -2728,52 +3103,61 @@ def install_docker(self):
eprint(f"Starting docker service failed: {out}")
# at this point we either have installed docker successfully or we have to give up, as we've tried all we could
- err, out = self.run_process(['docker', 'info'], privileged=True, retry=6, retrySleepSec=5)
+ err, out = self.run_process([args.runtimeBin, 'info'], privileged=True, retry=6, retrySleepSec=5)
if result and (err == 0):
if self.debug:
- eprint('"docker info" succeeded')
-
- # add non-root user to docker group if required
- usersToAdd = []
- if self.scriptUser == 'root':
- while InstallerYesOrNo(
- f"Add {'a' if len(usersToAdd) == 0 else 'another'} non-root user to the \"docker\" group?"
- ):
- tmpUser = InstallerAskForString('Enter user account')
- if len(tmpUser) > 0:
- usersToAdd.append(tmpUser)
- else:
- usersToAdd.append(self.scriptUser)
-
- for user in usersToAdd:
- err, out = self.run_process(['usermod', '-a', '-G', 'docker', user], privileged=True)
- if err == 0:
- if self.debug:
- eprint(f'Adding {user} to "docker" group succeeded')
+ eprint(f'"{args.runtimeBin} info" succeeded')
+
+ if args.runtimeBin.startswith('docker'):
+ # add non-root user to docker group if required
+ usersToAdd = []
+ if self.scriptUser == 'root':
+ while InstallerYesOrNo(
+ f"Add {'a' if len(usersToAdd) == 0 else 'another'} non-root user to the \"docker\" group?"
+ ):
+ tmpUser = InstallerAskForString('Enter user account')
+ if len(tmpUser) > 0:
+ usersToAdd.append(tmpUser)
else:
- eprint(f'Adding {user} to "docker" group failed')
+ usersToAdd.append(self.scriptUser)
+
+ for user in usersToAdd:
+ err, out = self.run_process(['usermod', '-a', '-G', 'docker', user], privileged=True)
+ if err == 0:
+ if self.debug:
+ eprint(f'Adding {user} to "docker" group succeeded')
+ else:
+ eprint(f'Adding {user} to "docker" group failed')
elif err != 0:
result = False
- raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.distro]}')
+ if args.runtimeBin.startswith('docker'):
+ raise Exception(
+ f'{ScriptName} requires {args.runtimeBin}, please see {DOCKER_INSTALL_URLS[self.distro]}'
+ )
+ else:
+ raise Exception(
+ f"{ScriptName} requires {args.runtimeBin}, please consult your distribution's documentation"
+ )
return result
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
def install_docker_compose(self):
+ global args
result = False
if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# first see if docker compose/docker-compose is already installed and runnable
# (try non-root and root)
- tmpComposeCmd = ('docker', 'compose')
+ tmpComposeCmd = (args.runtimeBin, 'compose')
for priv in (False, True):
err, out = self.run_process([tmpComposeCmd, 'version'], privileged=priv)
if err == 0:
break
if err != 0:
- tmpComposeCmd = 'docker-compose'
+ tmpComposeCmd = f'{args.runtimeBin}-compose'
if not which(tmpComposeCmd, debug=self.debug):
if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):
tmpComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose'
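Review bot: After `tmpComposeCmd = f'{args.runtimeBin}-compose'` at L12153 the unchanged fallback on the following context lines still checks for `/usr/libexec/docker/cli-plugins/docker-compose`, so on a podman host where `podman-compose` is not on PATH the docker compose plugin appears to be selected as the compose command; the rest of this commit gates docker-specific paths with `args.runtimeBin.startswith('docker')`, and this fallback should be gated the same way, e.g. `if args.runtimeBin.startswith('docker') and os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'):`. install_docker_compose continues outside this hunk, so please check the remaining branches for the same assumption. In install_docker above, the podman branch intentionally skips the `docker` group handling; a one-line comment such as `# podman runs rootless, no group membership to grant` (if that is the intent) would record why.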
@@ -2787,7 +3171,9 @@ def install_docker_compose(self):
if err == 0:
self.dockerComposeCmd = tmpComposeCmd
- elif InstallerYesOrNo('docker compose failed, attempt to install docker compose?', default=True):
+ elif args.runtimeBin.startswith('docker') and InstallerYesOrNo(
+ 'docker compose failed, attempt to install docker compose?', default=True
+ ):
if InstallerYesOrNo('Install docker compose directly from docker github?', default=True):
# download docker-compose from github and put it in /usr/local/bin
@@ -2844,12 +3230,17 @@ def install_docker_compose(self):
self.dockerComposeCmd = tmpComposeCmd
result = True
if self.debug:
- eprint('docker compose succeeded')
+ eprint(f'{args.runtimeBin} compose succeeded')
else:
- raise Exception(
- f'{ScriptName} requires docker compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}'
- )
+ if args.runtimeBin.startswith('docker'):
+ raise Exception(
+ f'{ScriptName} requires {args.runtimeBin} compose, please see {DOCKER_COMPOSE_INSTALL_URLS[self.platform]}'
+ )
+ else:
+ raise Exception(
+ f"{ScriptName} requires {args.runtimeBin} compose, please consult your distribution's documentation"
+ )
return result
@@ -2933,6 +3324,13 @@ def tweak_system_files(self):
'vm.dirty_ratio defines the maximum percentage of dirty system memory before committing everything',
['# maximum % of dirty system memory before committing everything', 'vm.dirty_ratio=80'],
),
+ ConfigLines(
+ [],
+ '/etc/sysctl.conf',
+ 'net.ipv4.tcp_retries2=',
+ 'net.ipv4.tcp_retries2 defines the maximum number of TCP retransmissions',
+ ['# maximum number of TCP retransmissions', 'net.ipv4.tcp_retries2=5'],
+ ),
ConfigLines(
['centos', 'core'],
'/etc/systemd/system.conf.d/limits.conf',
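Review bot: The new ConfigLines entry lowers `net.ipv4.tcp_retries2` from the kernel default of 15 to 5 for the whole host, which shortens how long any TCP connection on the machine survives an unresponsive peer (well under a minute instead of roughly fifteen minutes), and the description string says only what the knob is, not why it is being changed or that it is not Malcolm-specific. Assuming the description is what the user sees when prompted, make the rationale explicit, e.g. `'net.ipv4.tcp_retries2 defines the maximum number of TCP retransmissions (kernel default 15; 5 makes dead connections fail faster, system-wide)'`, so the choice is informed. The enclosing list and function start outside this hunk.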
@@ -3002,6 +3400,36 @@ def tweak_system_files(self):
privileged=True,
)
+ # tweak other kernel parameters
+
+ # cgroup accounting in GRUB_CMDLINE_LINUX in /etc/default/grub
+ if (
+ (grubFileName := '/etc/default/grub')
+ and os.path.isfile(grubFileName)
+ and (not [line.rstrip('\n') for line in open(grubFileName) if 'cgroup' in line.lower()])
+ and InstallerYesOrNo(
+ f'\ncgroup parameters appear to be missing from {grubFileName}, set them?',
+ default=True,
+ )
+ ):
+ err, out = self.run_process(
+ [
+ 'bash',
+ '-c',
+ f'sed -i \'s/^GRUB_CMDLINE_LINUX="/&cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem /\' {grubFileName}',
+ ],
+ privileged=True,
+ )
+ if err == 0:
+ if which('update-grub', debug=self.debug):
+ err, out = self.run_process(['update-grub'], privileged=True)
+ elif which('update-grub2', debug=self.debug):
+ err, out = self.run_process(['update-grub2'], privileged=True)
+ else:
+ InstallerDisplayMessage(
+ f"{grubFileName} has been modified, consult your distribution's documentation generate new grub config file"
+ )
+
###################################################################################################
class MacInstaller(Installer):
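Review bot: The exit status of `update-grub`/`update-grub2` (L12224, L12226) is captured into `err, out` but never inspected, so a failed regeneration leaves `/etc/default/grub` already edited with no boot config applied and no message to the user; add `if err != 0: eprint(f'Regenerating grub configuration failed: {out}')` after the if/elif/else. The `open(grubFileName)` inside the condition at L12208 is never closed; reading the file in a `with` block before the `if` (and keeping the walrus only for the name) avoids the leaked handle and also makes it easier to skip commented-out lines, since `'cgroup' in line.lower()` currently treats a `#` comment mentioning cgroups as "already configured". The message at L12229 is missing a word: `consult your distribution's documentation to generate a new grub config file`. The enclosing method starts outside this hunk.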
@@ -3076,13 +3504,19 @@ def __init__(self, orchMode, debug=False, configOnly=False):
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
def install_docker(self):
+ global args
result = False
if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE:
# first see if docker is already installed/runnable
- err, out = self.run_process(['docker', 'info'])
+ err, out = self.run_process([args.runtimeBin, 'info'])
- if (err != 0) and self.useBrew and self.package_is_installed(MAC_BREW_DOCKER_PACKAGE):
+ if (
+ (err != 0)
+ and self.useBrew
+ and args.runtimeBin.startswith('docker')
+ and self.package_is_installed(MAC_BREW_DOCKER_PACKAGE)
+ ):
# if docker is installed via brew, but not running, prompt them to start it
eprint(f'{MAC_BREW_DOCKER_PACKAGE} appears to be installed via Homebrew, but "docker info" failed')
while True:
@@ -3097,7 +3531,9 @@ def install_docker(self):
if err == 0:
result = True
- elif InstallerYesOrNo('"docker info" failed, attempt to install Docker?', default=True):
+ elif args.runtimeBin.startswith('docker') and InstallerYesOrNo(
+ '"docker info" failed, attempt to install Docker?', default=True
+ ):
if self.useBrew:
# install docker via brew cask (requires user interaction)
dockerPackages = [MAC_BREW_DOCKER_PACKAGE, MAC_BREW_DOCKER_COMPOSE_PACKAGE]
@@ -3131,95 +3567,105 @@ def install_docker(self):
break
# at this point we either have installed docker successfully or we have to give up, as we've tried all we could
- err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5)
+ err, out = self.run_process([args.runtimeBin, 'info'], retry=12, retrySleepSec=5)
if err == 0:
result = True
if self.debug:
- eprint('"docker info" succeeded')
+ eprint(f'"{args.runtimeBin} info" succeeded')
elif err != 0:
- raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.platform]}')
+ raise Exception(
+ f'{ScriptName} requires {args.runtimeBin}, please see {DOCKER_INSTALL_URLS[self.platform]}'
+ )
elif err != 0:
- raise Exception(f'{ScriptName} requires docker, please see {DOCKER_INSTALL_URLS[self.platform]}')
-
- # tweak CPU/RAM usage for Docker in Mac
- settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser)
- if (
- result
- and os.path.isfile(settingsFile)
- and InstallerYesOrNo(f'Configure Docker resource usage in {settingsFile}?', default=True)
- ):
- # adjust CPU and RAM based on system resources
- if self.totalCores >= 16:
- newCpus = 12
- elif self.totalCores >= 12:
- newCpus = 8
- elif self.totalCores >= 8:
- newCpus = 6
- elif self.totalCores >= 4:
- newCpus = 4
- else:
- newCpus = 2
-
- if self.totalMemoryGigs >= 64.0:
- newMemoryGiB = 32
- elif self.totalMemoryGigs >= 32.0:
- newMemoryGiB = 24
- elif self.totalMemoryGigs >= 24.0:
- newMemoryGiB = 16
- elif self.totalMemoryGigs >= 16.0:
- newMemoryGiB = 12
- elif self.totalMemoryGigs >= 8.0:
- newMemoryGiB = 8
- elif self.totalMemoryGigs >= 4.0:
- newMemoryGiB = 4
+ if args.runtimeBin.startswith('docker'):
+ raise Exception(
+ f'{ScriptName} requires {args.runtimeBin}, please see {DOCKER_INSTALL_URLS[self.platform]}'
+ )
else:
- newMemoryGiB = 2
+ raise Exception(
+ f"{ScriptName} requires {args.runtimeBin}, please consult your platform's documentation"
+ )
- while not InstallerYesOrNo(
- f"Setting {newCpus if newCpus else '(unchanged)'} for CPU cores and {newMemoryGiB if newMemoryGiB else '(unchanged)'} GiB for RAM. Is this OK?",
- default=True,
+ if args.runtimeBin.startswith('docker'):
+ # tweak CPU/RAM usage for Docker in Mac
+ settingsFile = MAC_BREW_DOCKER_SETTINGS.format(self.scriptUser)
+ if (
+ result
+ and os.path.isfile(settingsFile)
+ and InstallerYesOrNo(f'Configure Docker resource usage in {settingsFile}?', default=True)
):
- newCpus = InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)')
- newMemoryGiB = InstallerAskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)')
-
- if newCpus or newMemoryGiB:
- with open(settingsFile, 'r+') as f:
- data = json.load(f)
- if newCpus:
- data['cpus'] = int(newCpus)
- if newMemoryGiB:
- data['memoryMiB'] = int(newMemoryGiB) * 1024
- f.seek(0)
- json.dump(data, f, indent=2)
- f.truncate()
-
- # at this point we need to essentially update our system memory stats because we're running inside docker
- # and don't have the whole banana at our disposal
- self.totalMemoryGigs = newMemoryGiB
-
- eprint("Docker resource settings adjusted, attempting restart...")
-
- err, out = self.run_process(['osascript', '-e', 'quit app "Docker"'])
- if err == 0:
- time.sleep(5)
- err, out = self.run_process(['open', '-a', 'Docker'])
+ # adjust CPU and RAM based on system resources
+ if self.totalCores >= 16:
+ newCpus = 12
+ elif self.totalCores >= 12:
+ newCpus = 8
+ elif self.totalCores >= 8:
+ newCpus = 6
+ elif self.totalCores >= 4:
+ newCpus = 4
+ else:
+ newCpus = 2
+
+ if self.totalMemoryGigs >= 64.0:
+ newMemoryGiB = 32
+ elif self.totalMemoryGigs >= 32.0:
+ newMemoryGiB = 24
+ elif self.totalMemoryGigs >= 24.0:
+ newMemoryGiB = 16
+ elif self.totalMemoryGigs >= 16.0:
+ newMemoryGiB = 12
+ elif self.totalMemoryGigs >= 8.0:
+ newMemoryGiB = 8
+ elif self.totalMemoryGigs >= 4.0:
+ newMemoryGiB = 4
+ else:
+ newMemoryGiB = 2
- if err == 0:
- err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5)
+ while not InstallerYesOrNo(
+ f"Setting {newCpus if newCpus else '(unchanged)'} for CPU cores and {newMemoryGiB if newMemoryGiB else '(unchanged)'} GiB for RAM. Is this OK?",
+ default=True,
+ ):
+ newCpus = InstallerAskForString('Enter Docker CPU cores (e.g., 4, 8, 16)')
+ newMemoryGiB = InstallerAskForString('Enter Docker RAM MiB (e.g., 8, 16, etc.)')
+
+ if newCpus or newMemoryGiB:
+ with open(settingsFile, 'r+') as f:
+ data = json.load(f)
+ if newCpus:
+ data['cpus'] = int(newCpus)
+ if newMemoryGiB:
+ data['memoryMiB'] = int(newMemoryGiB) * 1024
+ f.seek(0)
+ json.dump(data, f, indent=2)
+ f.truncate()
+
+ # at this point we need to essentially update our system memory stats because we're running inside docker
+ # and don't have the whole banana at our disposal
+ self.totalMemoryGigs = newMemoryGiB
+
+ eprint("Docker resource settings adjusted, attempting restart...")
+
+ err, out = self.run_process(['osascript', '-e', 'quit app "Docker"'])
if err == 0:
- if self.debug:
- eprint('"docker info" succeeded')
+ time.sleep(5)
+ err, out = self.run_process(['open', '-a', 'Docker'])
- else:
- eprint(f"Restarting Docker automatically failed: {out}")
- while True:
- response = InstallerAskForString(
- 'Please restart Docker via the system taskbar, then return here and type YES'
- ).lower()
- if response == 'yes':
- break
+ if err == 0:
+ err, out = self.run_process(['docker', 'info'], retry=12, retrySleepSec=5)
+ if err == 0:
+ if self.debug:
+ eprint('"docker info" succeeded')
+
+ else:
+ eprint(f"Restarting Docker automatically failed: {out}")
+ while True:
+ response = InstallerAskForString(
+ 'Please restart Docker via the system taskbar, then return here and type YES'
+ ).lower()
+ if response == 'yes':
+ break
return result
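Review bot: `self.run_process(['docker', 'info'], ...)` at L12423 and the message at L12426 are the only `docker` invocations in this method the commit left hard-coded after replacing the others with `args.runtimeBin` (L12267, L12272); inside the `startswith('docker')` block they are equivalent, but for consistency use `[args.runtimeBin, 'info']` and `f'"{args.runtimeBin} info" succeeded'`. In the re-indented resource block, the prompt at L12389 asks for `Docker RAM MiB` while the value is shown as GiB at L12385 and multiplied by 1024 at L12397, so the wording should be `Enter Docker RAM GiB (e.g., 8, 16, etc.)`; this predates the commit but the lines are being touched anyway. The enclosing method starts outside this hunk.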
@@ -3313,10 +3759,19 @@ def main():
metavar='',
type=str,
default='',
- help='Malcolm docker images .tar.gz file for installation',
+ help='Malcolm container images .tar.gz file for installation',
)
runtimeOptionsArgGroup = parser.add_argument_group('Runtime options')
+ runtimeOptionsArgGroup.add_argument(
+ '--runtime',
+ required=False,
+ dest='runtimeBin',
+ metavar='',
+ type=str,
+ default=os.getenv('MALCOLM_CONTAINER_RUNTIME', ''),
+ help='Container runtime binary (e.g., docker, podman)',
+ )
runtimeOptionsArgGroup.add_argument(
'--malcolm-profile',
dest='malcolmProfile',
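Review bot: The `--runtime` help text does not mention that its default is read from the `MALCOLM_CONTAINER_RUNTIME` environment variable (L12451), which is exactly what a user reading `--help` or debugging an unexpected runtime choice needs to know; suggest `help='Container runtime binary (e.g., docker, podman); defaults to $MALCOLM_CONTAINER_RUNTIME if set'`. Note that the value is taken from the environment unvalidated here, and from what is visible in this diff the allowlist check only runs for the docker-compose orchestration mode, so other modes should not rely on `args.runtimeBin` being one of the known names. The enclosing main() starts outside this hunk.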
@@ -3388,7 +3843,7 @@ def main():
help="Use StartTLS (rather than LDAPS) for LDAP connection security",
)
- dockerOptionsArgGroup = parser.add_argument_group('Docker options')
+ dockerOptionsArgGroup = parser.add_argument_group('Container options')
dockerOptionsArgGroup.add_argument(
'-r',
'--restart-malcolm',
@@ -3447,13 +3902,13 @@ def main():
help='Traefik router resolver (e.g., myresolver)',
)
dockerOptionsArgGroup.add_argument(
- '--docker-network-name',
- dest='dockerNetworkName',
+ '--network-name',
+ dest='containerNetworkName',
required=False,
metavar='',
type=str,
default='',
- help='External Docker network name (or leave blank for default networking)',
+ help='External container network name (or leave blank for default networking)',
)
opensearchArgGroup = parser.add_argument_group('OpenSearch options')
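Review bot: Renaming `--docker-network-name` to `--network-name` drops the old option string entirely, so existing invocations, wrappers and documentation that pass `--docker-network-name` now fail with an argparse "unrecognized arguments" error; argparse accepts several option strings for one destination, so keep the old spelling as an alias: `'--network-name', '--docker-network-name',` with `dest='containerNetworkName'` as written. If the old name should disappear from `--help`, add it as a separate argument with the same `dest` and `help=argparse.SUPPRESS` instead. The enclosing main() starts outside this hunk.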
@@ -3694,7 +4149,7 @@ def main():
metavar='',
type=str2percent,
default=0,
- help=f'Delete zeek-extracted files when the file system exceeds this percentage full (e.g., 90%, etc.)',
+ help=f'Delete zeek-extracted files when the file system exceeds this percentage full (e.g., 90٪, etc.)',
)
storageArgGroup.add_argument(
'--delete-index-threshold',
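Review bot: Replacing `%` with the Arabic percent sign `٪` (U+066A) at L12486 sidesteps argparse's `%`-formatting of help strings, but it changes the character users see and copy and is easy to mistake for the ASCII sign in later edits; the conventional fix is to escape it as `%%`, which argparse renders as a literal `%`: `help='Delete zeek-extracted files when the file system exceeds this percentage full (e.g., 90%%, etc.)'`. The `f` prefix on this string is also unnecessary since it has no placeholders. The enclosing main() starts outside this hunk.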
@@ -4157,6 +4612,17 @@ def main():
raise Exception(f'{ScriptName} is not yet supported on {installerPlatform}')
# installer = WindowsInstaller(orchMode, debug=args.debug, configOnly=args.configOnly)
+ if orchMode == OrchestrationFramework.DOCKER_COMPOSE:
+ runtimeOptions = ('docker', 'podman')
+ loopBreaker = CountUntilException(MaxAskForValueCount)
+ while (args.runtimeBin not in runtimeOptions) and loopBreaker.increment():
+ args.runtimeBin = InstallerChooseOne(
+ 'Select container runtime engine',
+ choices=[(x, '', x == runtimeOptions[0]) for x in runtimeOptions],
+ )
+ if args.debug:
+ eprint(f"Container engine: {args.runtimeBin}")
+
if (not args.configOnly) and hasattr(installer, 'install_required_packages'):
installer.install_required_packages()
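Review bot: `args.runtimeBin = InstallerChooseOne(...)` at L12497 stores the helper's return value directly, whereas the existing capture-selection code (removed lines L11870–L11873 in this diff) indexes `[0]` on the result of the same helper; if InstallerChooseOne returns a sequence rather than the bare tag, `args.runtimeBin not in runtimeOptions` stays true and the loop ends only when loopBreaker trips. Please confirm the return type and append `)[0]` if it matches the other call site. A comment would also help here, since this loop is the only place the runtime name is constrained before it is passed to `run_process` with `privileged=True` elsewhere in the commit, e.g. `# allowlist: anything else, including a value from MALCOLM_CONTAINER_RUNTIME, re-prompts`. The enclosing main() starts outside this hunk.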
@@ -4202,7 +4668,7 @@ def main():
eprint("Only doing configuration, not installation")
else:
eprint(f"Malcolm install file: {malcolmFile}")
- eprint(f"Docker images file: {imageFile}")
+ eprint(f"Malcolm images file: {imageFile}")
if not args.configOnly:
if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker'):
diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh
index bd4634b96..5180211d8 100755
--- a/scripts/malcolm_appliance_packager.sh
+++ b/scripts/malcolm_appliance_packager.sh
@@ -61,6 +61,7 @@ if mkdir "$DESTDIR"; then
# ensure that if we "grabbed a lock", we release it (works for clean exit, SIGTERM, and SIGINT/Ctrl-C)
trap "cleanup" EXIT
+ mkdir $VERBOSE -p "$DESTDIR/arkime/lua/"
mkdir $VERBOSE -p "$DESTDIR/arkime/rules/"
mkdir $VERBOSE -p "$DESTDIR/filebeat/certs/"
mkdir $VERBOSE -p "$DESTDIR/htadmin/"
@@ -147,14 +148,14 @@ if mkdir "$DESTDIR"; then
unset CONFIRMATION
echo ""
- read -p "Do you need to package docker images also [y/N]? " CONFIRMATION
+ read -p "Do you need to package container images also [y/N]? " CONFIRMATION
CONFIRMATION=${CONFIRMATION:-N}
if [[ $CONFIRMATION =~ ^[Yy]$ ]]; then
echo "This might take a few minutes..."
DESTNAMEIMAGES="$RUN_PATH/$(basename $DESTDIR)_images.tar.xz"
IMAGES=( $(grep image: $DESTDIR/docker-compose.yml | awk '{print $2}' | sort -u) )
docker save "${IMAGES[@]}" | xz -1 > "$DESTNAMEIMAGES"
- echo "Packaged Malcolm docker images to \"$DESTNAMEIMAGES\""
+ echo "Packaged Malcolm container images to \"$DESTNAMEIMAGES\""
echo ""
fi
echo ""
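Review bot: The prompt at L12529 and the message at L12537 now say "container images", but the command that does the packaging on the unchanged context line L12535 is still `docker save`, so on a podman-only host the reworded prompt offers something the script cannot do. Either keep "docker" in the wording, or make the command follow the runtime the rest of this commit introduces, e.g. `"${MALCOLM_CONTAINER_RUNTIME:-docker}" save "${IMAGES[@]}" | xz -1 > "$DESTNAMEIMAGES"`. The enclosing `if mkdir "$DESTDIR"` block starts outside this hunk.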
diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py
index fdf001cfc..eb9d734ef 100644
--- a/scripts/malcolm_common.py
+++ b/scripts/malcolm_common.py
@@ -15,18 +15,16 @@
import malcolm_utils
from malcolm_utils import (
- decapitalize,
deep_get,
eprint,
EscapeAnsi,
LoadStrIfJson,
remove_suffix,
run_process,
- str2bool,
)
from collections import defaultdict, namedtuple
-from enum import Flag, IntFlag, auto
+from enum import IntEnum, Flag, IntFlag, auto
try:
from pwd import getpwuid
@@ -54,6 +52,7 @@
PROFILE_KEY = 'MALCOLM_PROFILE'
PROFILE_MALCOLM = 'malcolm'
PROFILE_HEDGEHOG = 'hedgehog'
+CONTAINER_RUNTIME_KEY = 'MALCOLM_CONTAINER_RUNTIME'
###################################################################################################
PLATFORM_WINDOWS = "Windows"
@@ -102,6 +101,20 @@ class UserInterfaceMode(IntFlag):
InteractionInput = auto()
+class DialogBackException(Exception):
+ pass
+
+
+class DialogCanceledException(Exception):
+ pass
+
+
+class BoolOrExtra(IntEnum):
+ FALSE = 0
+ TRUE = 1
+ EXTRA = 2
+
+
BoundPath = namedtuple(
"BoundPath",
["service", "target", "files", "relative_dirs", "clean_empty_dirs"],
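Review bot: `DialogBackException`, `DialogCanceledException` and `BoolOrExtra` are new public names with no docstrings, and their meaning is only recoverable from how the prompt helpers further down raise and map them. One line each is enough: `"""Raised when the user picks the extra (back) button or types a back/previous reply."""` for DialogBackException, `"""Raised when the user cancels or escapes out of a dialog."""` for DialogCanceledException, and for BoolOrExtra `"""Tri-state yes/no reply: FALSE and TRUE as for bool, EXTRA when the extra (back) option was chosen."""`. These are the exceptions callers must now catch, so the docstrings double as the contract for every caller of YesOrNo/AskForString.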
@@ -226,6 +239,23 @@ def ClearScreen():
pass
+###################################################################################################
+def str2boolorextra(v):
+ if isinstance(v, bool):
+ return BoolOrExtra.TRUE if v else BoolOrExtra.FALSE
+ elif isinstance(v, str):
+ if v.lower() in ("yes", "true", "t", "y", "1"):
+ return BoolOrExtra.TRUE
+ elif v.lower() in ("no", "false", "f", "n", "0"):
+ return BoolOrExtra.FALSE
+ elif v.lower() in ("b", "back", "p", "previous", "e", "extra"):
+ return BoolOrExtra.EXTRA
+ else:
+ raise ValueError("BoolOrExtra value expected")
+ else:
+ raise ValueError("BoolOrExtra value expected")
+
+
###################################################################################################
# get interactive user response to Y/N question
def YesOrNo(
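Review bot: `str2boolorextra` accepts `bool` and `str` but rejects its own return type: `BoolOrExtra` is an `IntEnum`, not a `bool`, so feeding a previously returned value (or any int) back in raises `ValueError`, and YesOrNo does pass its `default` argument through this function. Add `elif isinstance(v, BoolOrExtra): return v` (or, more generally, `elif isinstance(v, int): return BoolOrExtra(v)`) before the `str` branch, and compute `v.lower()` once into a local instead of three times. A docstring listing the accepted spellings, including the new `b`/`back`/`p`/`previous`/`e`/`extra` words, would help since no prompt text advertises them.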
@@ -236,9 +266,11 @@ def YesOrNo(
clearScreen=False,
yesLabel='Yes',
noLabel='No',
+ extraLabel=None,
):
global Dialog
global MainDialog
+ result = None
if (default is not None) and (
(defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept)
@@ -247,20 +279,31 @@ def YesOrNo(
reply = ""
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
- defaultYes = (default is not None) and str2bool(default)
+ defaultYes = (default is not None) and str2boolorextra(default)
+ # by default the "extra" button is between "Yes" and "No" which looks janky, IMO.
+ # so we're going to switch things around a bit.
+ yesLabelTmp = yesLabel.capitalize() if defaultYes else noLabel.capitalize()
+ noLabelTmp = noLabel.capitalize() if defaultYes else yesLabel.capitalize()
+ replyMap = {}
+ if hasExtraLabel := (extraLabel is not None):
+ replyMap[Dialog.EXTRA] = Dialog.CANCEL
+ replyMap[Dialog.CANCEL] = Dialog.EXTRA
reply = MainDialog.yesno(
- question,
- yes_label=yesLabel.capitalize() if defaultYes else noLabel.capitalize(),
- no_label=decapitalize(noLabel) if defaultYes else decapitalize(yesLabel),
+ str(question),
+ yes_label=str(yesLabelTmp),
+ no_label=str(extraLabel) if hasExtraLabel else str(noLabelTmp),
+ extra_button=hasExtraLabel,
+ extra_label=str(noLabelTmp) if hasExtraLabel else str(extraLabel),
)
+ reply = replyMap.get(reply, reply)
if defaultYes:
- reply = 'y' if (reply == Dialog.OK) else 'n'
+ reply = 'y' if (reply == Dialog.OK) else ('e' if (reply == Dialog.EXTRA) else 'n')
else:
- reply = 'n' if (reply == Dialog.OK) else 'y'
+ reply = 'n' if (reply == Dialog.OK) else ('e' if (reply == Dialog.EXTRA) else 'y')
elif uiMode & UserInterfaceMode.InteractionInput:
if (default is not None) and defaultBehavior & UserInputDefaultsBehavior.DefaultsPrompt:
- if str2bool(default):
+ if str2boolorextra(default):
questionStr = f"\n{question} (Y{'' if yesLabel == 'Yes' else ' (' + yesLabel + ')'} / n{'' if noLabel == 'No' else ' (' + noLabel + ')'}): "
else:
questionStr = f"\n{question} (y{'' if yesLabel == 'Yes' else ' (' + yesLabel + ')'} / N{'' if noLabel == 'No' else ' (' + noLabel + ')'}): "
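Review bot: An ESC from the yes/no dialog is still folded into an answer: `reply` is then neither OK nor EXTRA, so at L12647 it becomes `'n'` and at L12650, when the default is not yes, it becomes `'y'`; the old mapping did the same, but after this commit every other dialog helper raises DialogCanceledException on `Dialog.ESC`, leaving YesOrNo as the one prompt where Escape silently answers the question, sometimes affirmatively. Suggest `if reply == Dialog.ESC: raise DialogCanceledException(question)` immediately after the `replyMap.get` line at L12644. The comment at L12626–L12627 would read better if it stated the mechanism rather than the opinion, e.g. `# dialog places the extra button between Yes and No; we put extraLabel on the No button and the no/yes text on the extra button, then swap the EXTRA/CANCEL codes back so the mapping below still holds`. YesOrNo continues outside this hunk.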
@@ -271,7 +314,7 @@ def YesOrNo(
reply = str(input(questionStr)).lower().strip()
if len(reply) > 0:
try:
- str2bool(reply)
+ str2boolorextra(reply)
break
except ValueError:
pass
@@ -282,22 +325,30 @@ def YesOrNo(
raise RuntimeError("No user interfaces available")
if (len(reply) == 0) and (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept):
- reply = "y" if (default is not None) and str2bool(default) else "n"
+ reply = "y" if (default is not None) and str2boolorextra(default) else "n"
if clearScreen is True:
ClearScreen()
try:
- return str2bool(reply)
+ result = str2boolorextra(reply)
except ValueError:
- return YesOrNo(
+ result = YesOrNo(
question,
default=default,
uiMode=uiMode,
defaultBehavior=defaultBehavior - UserInputDefaultsBehavior.DefaultsAccept,
clearScreen=clearScreen,
+ yesLabel=yesLabel,
+ noLabel=noLabel,
+ extraLabel=extraLabel,
)
+ if result == BoolOrExtra.EXTRA:
+ raise DialogBackException(question)
+
+ return bool(result)
+
###################################################################################################
# get interactive user response
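Review bot: `raise DialogBackException(question)` at L12690 fires whenever `result` is EXTRA, including in the plain text-input path, where a user who types `b`, `back`, `p` or `e` at a prompt that only advertises Y/n will trigger it even when the caller passed no `extraLabel` and has no handler for it. Consider accepting EXTRA replies only when `extraLabel is not None` — the natural place is the validation loop in the input branch (partly outside this hunk) where `str2boolorextra(reply)` gates acceptance — and give YesOrNo a docstring stating that it returns a bool, raises DialogBackException when the extra/back option is chosen, and re-asks once with defaults no longer auto-accepted when the default itself is invalid. YesOrNo's signature and earlier branches are outside this hunk.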
@@ -307,6 +358,7 @@ def AskForString(
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -319,15 +371,19 @@ def AskForString(
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
code, reply = MainDialog.inputbox(
- question,
+ str(question),
init=(
default
if (default is not None) and (defaultBehavior & UserInputDefaultsBehavior.DefaultsPrompt)
else ""
),
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
)
if (code == Dialog.CANCEL) or (code == Dialog.ESC):
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException(question)
+ elif code == Dialog.EXTRA:
+ raise DialogBackException(question)
else:
reply = reply.strip()
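Review bot: `extra_label=str(extraLabel)` at L12715 evaluates to the string `'None'` whenever no extra label is requested; it is harmless because `extra_button` is False in that case, but the same construction is repeated at L12740, L12764, L12788 and L12811 and reads as if a button named "None" were intended. Writing `extra_label=str(extraLabel) if extraLabel is not None else ''` at each site (or a tiny shared helper) makes the intent explicit. The new `DialogCanceledException(question)`/`DialogBackException(question)` raises carry only the prompt text, which is the right choice; a comment noting that the reply is deliberately not included would keep it that way when the password variant is edited later. AskForString continues outside this hunk.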
@@ -357,6 +413,7 @@ def AskForPassword(
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -368,9 +425,16 @@ def AskForPassword(
reply = default
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
- code, reply = MainDialog.passwordbox(prompt, insecure=True)
+ code, reply = MainDialog.passwordbox(
+ str(prompt),
+ insecure=True,
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
+ )
if (code == Dialog.CANCEL) or (code == Dialog.ESC):
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException(prompt)
+ elif code == Dialog.EXTRA:
+ raise DialogBackException(prompt)
elif uiMode & UserInterfaceMode.InteractionInput:
reply = getpass.getpass(prompt=f"{prompt}: ")
@@ -396,6 +460,7 @@ def ChooseOne(
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -410,11 +475,15 @@ def ChooseOne(
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
code, reply = MainDialog.radiolist(
- prompt,
+ str(prompt),
choices=validChoices,
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
)
if code == Dialog.CANCEL or code == Dialog.ESC:
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException(prompt)
+ elif code == Dialog.EXTRA:
+ raise DialogBackException(prompt)
elif uiMode & UserInterfaceMode.InteractionInput:
index = 0
@@ -460,6 +529,7 @@ def ChooseMultiple(
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -474,11 +544,15 @@ def ChooseMultiple(
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
code, reply = MainDialog.checklist(
- prompt,
+ str(prompt),
choices=validChoices,
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
)
if code == Dialog.CANCEL or code == Dialog.ESC:
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException(prompt)
+ elif code == Dialog.EXTRA:
+ raise DialogBackException(prompt)
elif uiMode & UserInterfaceMode.InteractionInput:
allowedChars = set(string.digits + ',' + ' ')
@@ -529,6 +603,7 @@ def DisplayMessage(
defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt,
uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -542,10 +617,14 @@ def DisplayMessage(
elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None):
code = MainDialog.msgbox(
- message,
+ str(message),
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
)
if (code == Dialog.CANCEL) or (code == Dialog.ESC):
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException(message)
+ elif code == Dialog.EXTRA:
+ raise DialogBackException(message)
else:
reply = True
@@ -567,6 +646,7 @@ def DisplayProgramBox(
fileDescriptor=None,
text=None,
clearScreen=False,
+ extraLabel=None,
):
global Dialog
global MainDialog
@@ -581,9 +661,13 @@ def DisplayProgramBox(
text=text,
width=78,
height=20,
+ extra_button=(extraLabel is not None),
+ extra_label=str(extraLabel),
)
if (code == Dialog.CANCEL) or (code == Dialog.ESC):
- raise RuntimeError("Operation cancelled")
+ raise DialogCanceledException()
+ elif code == Dialog.EXTRA:
+ raise DialogBackException()
else:
reply = True
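Review bot: In the DisplayProgramBox hunk the two new exceptions are raised with no argument, unlike every sibling hunk which passes the prompt or message, so a handler that inspects the exception's argument gets nothing for this one dialog. `raise DialogCanceledException(text)` and `raise DialogBackException(text)` would make it consistent; `text` is the box's text argument visible in the hunk. The function begins before this hunk.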
diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py
index 7f8223a7a..30a510915 100644
--- a/scripts/malcolm_kubernetes.py
+++ b/scripts/malcolm_kubernetes.py
@@ -113,6 +113,12 @@
'path': os.path.join(MalcolmPath, os.path.join('logstash', 'logstash.keystore')),
},
],
+ 'arkime-lua': [
+ {
+ 'secret': False,
+ 'path': os.path.join(MalcolmPath, os.path.join('arkime', 'lua')),
+ },
+ ],
'arkime-rules': [
{
'secret': False,
diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example
index e93f8e4c9..ea5f709a6 100644
--- a/scripts/third-party-environments/aws/ami/packer_vars.json.example
+++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example
@@ -3,7 +3,7 @@
"aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"instance_type": "t2.micro",
"instance_arch": "x86_64",
- "malcolm_tag": "v24.08.0",
+ "malcolm_tag": "v24.10.0",
"malcolm_repo": "cisagov/Malcolm",
"malcolm_uid": "1000",
"ssh_username": "ec2-user",
diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
index 69b25a230..082eb7c20 100755
--- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
+++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
@@ -32,7 +32,7 @@ fi
# -u UID (user UID, e.g., 1000)
VERBOSE_FLAG=
MALCOLM_REPO=${MALCOLM_REPO:-cisagov/Malcolm}
-MALCOLM_TAG=${MALCOLM_TAG:-v24.08.0}
+MALCOLM_TAG=${MALCOLM_TAG:-v24.10.0}
[[ -z "$MALCOLM_UID" ]] && ( [[ $EUID -eq 0 ]] && MALCOLM_UID=1000 || MALCOLM_UID="$(id -u)" )
while getopts 'vr:t:u:' OPTION; do
case "$OPTION" in
diff --git a/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
index c47744ccf..ae0265c44 100644
--- a/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
+++ b/scripts/third-party-environments/virter/malcolm-setup-02-clone-install.toml
@@ -67,7 +67,8 @@ if [[ $- == *i* ]] && [[ -d ~/Malcolm ]] && [[ ! -f ~/Malcolm/.configured ]]; t
--extracted-file-yara \
--netbox \
--netbox-enrich \
- --netbox-site-name malcolm
+ --netbox-site-name malcolm \
+ --runtime docker
# username: analyst
# password: M@lc0lm
diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1
index 7074043ba..f56b74132 100644
--- a/scripts/third-party-logs/fluent-bit-setup.ps1
+++ b/scripts/third-party-logs/fluent-bit-setup.ps1
@@ -9,7 +9,7 @@
###############################################################################
$fluent_bit_version = '3.1'
-$fluent_bit_full_version = '3.1.6'
+$fluent_bit_full_version = '3.1.9'
###############################################################################
# select an item from a menu provided in an array
diff --git a/shared/bin/capa-build.sh b/shared/bin/capa-build.sh
index c77970a3f..60ab5d207 100644
--- a/shared/bin/capa-build.sh
+++ b/shared/bin/capa-build.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-export CAPA_VERSION="7.2.0"
+export CAPA_VERSION="7.4.0"
export CAPA_SRC_URL="https://github.com/mandiant/capa/archive/refs/tags/v${CAPA_VERSION}.zip"
export CAPA_RULES_URL="https://github.com/mandiant/capa-rules/archive/refs/tags/v${CAPA_VERSION}.zip"
diff --git a/shared/bin/maxmind-mmdb-download.sh b/shared/bin/maxmind-mmdb-download.sh
new file mode 100755
index 000000000..ae3ea5c28
--- /dev/null
+++ b/shared/bin/maxmind-mmdb-download.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Download Maxmind Geo IP Lite mmdb files from the official source (using
+# a free API license key) for from an alternative location specified.
+# see https://dev.maxmind.com/geoip/geoipupdate/#Direct_Downloads
+# see https://github.com/arkime/arkime/issues/1350
+# see https://github.com/arkime/arkime/issues/1352
+
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+
+unset VERBOSE
+MAXMIND_GEOIP_DB_LICENSE_KEY=${MAXMIND_GEOIP_DB_LICENSE_KEY:-}
+MAXMIND_GEOIP_DB_LICENSE_KEY_FILE=${MAXMIND_GEOIP_DB_LICENSE_KEY_FILE:-}
+MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL=${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL:-}
+MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL_FILE=${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL_FILE:-}
+OUTPUT_DIR=/tmp
+
+while getopts k:f:u:r:o:v opts; do
+ case ${opts} in
+ k) MAXMIND_GEOIP_DB_LICENSE_KEY=${OPTARG} ;;
+ f) MAXMIND_GEOIP_DB_LICENSE_KEY_FILE=${OPTARG} ;;
+ u) MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL=${OPTARG} ;;
+ r) MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL_FILE=${OPTARG} ;;
+ o) OUTPUT_DIR=${OPTARG} ;;
+ v) VERBOSE=1 ;;
+ esac
+done
+
+if [[ -n "${VERBOSE}" ]]; then
+ set -x
+fi
+
+if [[ -z "${MAXMIND_GEOIP_DB_LICENSE_KEY}" ]] && [[ -f "${MAXMIND_GEOIP_DB_LICENSE_KEY_FILE}" ]]; then
+ MAXMIND_GEOIP_DB_LICENSE_KEY="$(head -n 1 "${MAXMIND_GEOIP_DB_LICENSE_KEY_FILE}")"
+fi
+
+if [[ -z "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL}" ]] && [[ -f "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL_FILE}" ]]; then
+ MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL="$(head -n 1 "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL_FILE}")"
+fi
+
+if [[ -z "${MAXMIND_GEOIP_DB_LICENSE_KEY}" ]] && [[ -z "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL}" ]]; then
+ echo "No GeoIP DB license key or alternate download location specified" >&2
+ exit 1
+fi
+
+# create a temporary directory to store our results in
+WORKDIR="$(mktemp -d -t dlmmdb-XXXXXX)"
+
+# cleanup - on exit ensure the leftover files cleaned up
+function cleanup {
+ popd >/dev/null 2>&1
+ if ! rm -rf "${WORKDIR}"; then
+ echo "Failed to remove temporary directory \"${WORKDIR}\"" >&2
+ exit 1
+ fi
+}
+
+if [[ -d "${WORKDIR}" ]]; then
+ pushd "${WORKDIR}" >/dev/null 2>&1
+ trap "cleanup" EXIT
+
+ if [[ -n "${MAXMIND_GEOIP_DB_LICENSE_KEY}" ]]; then
+ for DB in ASN Country City; do
+ curl -f -s -S -L -o "GeoLite2-${DB}.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-${DB}&license_key=${MAXMIND_GEOIP_DB_LICENSE_KEY}&suffix=tar.gz" 2>/dev/null && \
+ tar xf "GeoLite2-${DB}.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 2>/dev/null && \
+ chmod 644 "GeoLite2-${DB}.mmdb" && \
+ rm -f "GeoLite2-${DB}.mmdb.tar.gz"
+ done
+ fi
+
+ if [[ -n "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL}" ]]; then
+ for DB in ASN Country City; do
+ if [[ ! -s "GeoLite2-${DB}.mmdb" ]]; then
+ curl -f -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL}/GeoLite2-${DB}.mmdb.tar.gz" 2>/dev/null && \
+ tar xf "GeoLite2-${DB}.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 2>/dev/null && \
+ chmod 644 "GeoLite2-${DB}.mmdb" && \
+ rm -f "GeoLite2-${DB}.mmdb.tar.gz"
+ fi
+ done
+ fi
+
+ if compgen -G "*.mmdb" >/dev/null 2>&1; then
+ mkdir -p "${OUTPUT_DIR}"
+ mv *.mmdb "${OUTPUT_DIR}"/ && ( find "${OUTPUT_DIR}" -type f -iname "*.mmdb" | sort )
+ fi
+
+else
+ echo "Unable to create temporary directory \"$WORKDIR\"" 1>&2
+ exit 1
+fi
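Review bot: With -v, `set -x` traces each curl invocation including the MaxMind license key embedded in the download URL, and the key is also visible in argv to other local users via ps for the duration of the transfer; writing the URL to a mode-0600 curl config inside WORKDIR and passing it with -K keeps it out of both, as in the rewritten loop below. Separately, the `2>/dev/null` on each curl discards the error text that -S was meant to keep, and the script exits 0 even when no .mmdb was produced, so a caller cannot tell success from a silent failure — an `else` branch on the compgen check that prints to stderr and exits non-zero would surface that. The header comment on the fourth line reads "for from an alternative location", presumably "or from".
```shell
  if [[ -n "${MAXMIND_GEOIP_DB_LICENSE_KEY}" ]]; then
    for DB in ASN Country City; do
      # keep the license key out of argv and out of the `set -x` trace:
      # write the URL to a private curl config and reference it with -K
      CURL_CFG="${WORKDIR}/curl-${DB}.cfg"
      ( set +x; umask 077
        printf 'url = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-%s&license_key=%s&suffix=tar.gz"\n' \
          "${DB}" "${MAXMIND_GEOIP_DB_LICENSE_KEY}" > "${CURL_CFG}" )
      curl -f -s -S -L -K "${CURL_CFG}" -o "GeoLite2-${DB}.mmdb.tar.gz" && \
        tar xf "GeoLite2-${DB}.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \
        chmod 644 "GeoLite2-${DB}.mmdb" && \
        rm -f "GeoLite2-${DB}.mmdb.tar.gz" "${CURL_CFG}"
    done
  fi
  # … unchanged: alternate-URL fallback loop and move to OUTPUT_DIR …
```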
diff --git a/shared/bin/opensearch_index_size_prune.py b/shared/bin/opensearch_index_size_prune.py
index df02b1fa7..f54be371b 100755
--- a/shared/bin/opensearch_index_size_prune.py
+++ b/shared/bin/opensearch_index_size_prune.py
@@ -155,11 +155,7 @@ def main():
sys.tracebacklimit = 0
# short-circuit without printing anything else
- if (
- (args.limit == '0')
- or (not args.index)
- or (args.opensearchMode == malcolm_utils.DatabaseMode.ElasticsearchRemote)
- ):
+ if (args.limit == '0') or (not args.index):
return
opensearchIsLocal = (args.opensearchMode == malcolm_utils.DatabaseMode.OpenSearchLocal) or (
@@ -223,9 +219,11 @@ def main():
if ('node' in stat) and (stat['node'] != 'UNASSIGNED'):
esDiskUsageStats.append(
{
- key: humanfriendly.parse_size(value)
- if re.match(r'^\d+(\.\d+)?\s*[kmgtp]?b$', value, flags=re.IGNORECASE)
- else value
+ key: (
+ humanfriendly.parse_size(value)
+ if re.match(r'^\d+(\.\d+)?\s*[kmgtp]?b$', value, flags=re.IGNORECASE)
+ else value
+ )
for (key, value) in stat.items()
}
)
diff --git a/shared/bin/pcap_watcher.py b/shared/bin/pcap_watcher.py
index 25816e13d..428723f95 100755
--- a/shared/bin/pcap_watcher.py
+++ b/shared/bin/pcap_watcher.py
@@ -46,7 +46,7 @@
from watchdog.observers import Observer
from watchdog.observers.polling import PollingObserver
-from watchdog.utils import WatchdogShutdown
+from watchdog.utils import WatchdogShutdownError
###################################################################################################
MINIMUM_CHECKED_FILE_SIZE_DEFAULT = 24
@@ -564,9 +564,9 @@ def main():
logging.info(f"{scriptName}:\tshutting down...")
if shuttingDown[0]:
- raise WatchdogShutdown()
+ raise WatchdogShutdownError()
- except WatchdogShutdown:
+ except WatchdogShutdownError:
observer.unschedule_all()
finally:
diff --git a/shared/bin/suricata_config_populate.py b/shared/bin/suricata_config_populate.py
index dc09286be..c9b356852 100755
--- a/shared/bin/suricata_config_populate.py
+++ b/shared/bin/suricata_config_populate.py
@@ -702,6 +702,16 @@ def main():
metavar='',
help="Output YAML file (take precedence over --inplace)",
)
+ parser.add_argument(
+ '-s',
+ '--suricata',
+ dest='suricataBin',
+ type=str,
+ default=os.getenv('SURICATA_BIN', '/usr/bin/suricata'),
+ required=False,
+ metavar='',
+ help="Suricata binary",
+ )
try:
parser.error = parser.exit
args = parser.parse_args()
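Review bot: The `help` text for the new `--suricata` option does not say that its default is taken from the SURICATA_BIN environment variable, which is the only way a reader of --help learns the binary can be overridden without a flag; `help="Suricata binary (default: $SURICATA_BIN or /usr/bin/suricata)"` documents it. The second hunk that substitutes args.suricataBin into run_process performs no check that the path exists or is executable; presumably run_process's error path outside the hunk reports that, but it is worth confirming.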
@@ -1264,7 +1274,7 @@ def main():
script_return_code, output = run_process(
[
- 'suricata',
+ args.suricataBin,
f"-{('v' * (argsOrigVerbose-1)) if (argsOrigVerbose > 1) else 'v'}",
'-c',
os.path.join(tmpLogDir, 'suricata.yaml'),
diff --git a/shared/bin/watch_common.py b/shared/bin/watch_common.py
index 9457a1604..e448ee8f2 100644
--- a/shared/bin/watch_common.py
+++ b/shared/bin/watch_common.py
@@ -20,7 +20,7 @@
from multiprocessing.pool import ThreadPool
from threading import get_native_id
-from watchdog.utils import WatchdogShutdown
+from watchdog.utils import WatchdogShutdownError
from watchdog.observers import Observer
from watchdog.observers.polling import PollingObserver
from collections import namedtuple, defaultdict, OrderedDict
@@ -327,9 +327,9 @@ def WatchAndProcessDirectory(
observer.join(1)
if shuttingDown[0]:
- raise WatchdogShutdown()
+ raise WatchdogShutdownError()
- except WatchdogShutdown:
+ except WatchdogShutdownError:
observer.unschedule_all()
finally:
diff --git a/shared/bin/zeek-deb-download.sh b/shared/bin/zeek-deb-download.sh
index d2586b333..c695ccad2 100755
--- a/shared/bin/zeek-deb-download.sh
+++ b/shared/bin/zeek-deb-download.sh
@@ -6,13 +6,19 @@ unset VERBOSE
command -v dpkg >/dev/null 2>&1 && ARCH="$(dpkg --print-architecture)" || ARCH=amd64
DISTRO=Debian_12
OUTPUT_DIR=/tmp
-ZEEK_VERSION=7.0.0-0
+ZEEK_VERSION=7.0.3-0
+PRESERVE_HIERARCHY=false
+ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-}
+ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE:-}
-while getopts a:d:o:vz: opts; do
+while getopts a:d:f:ho:u:vz: opts; do
case ${opts} in
a) ARCH=${OPTARG} ;;
d) DISTRO=${OPTARG} ;;
+ f) ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE=${OPTARG} ;;
+ h) PRESERVE_HIERARCHY=true ;;
o) OUTPUT_DIR=${OPTARG} ;;
+ u) ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=${OPTARG} ;;
v) VERBOSE=1 ;;
z) ZEEK_VERSION=${OPTARG} ;;
esac
@@ -23,23 +29,37 @@ if [[ -n $VERBOSE ]]; then
set -x
fi
-URL_PREFIX="https://downloadcontentcdn.opensuse.org/repositories/security:/zeek/${DISTRO}"
-URLS=(
- "${URL_PREFIX}/${ARCH}/libbroker-dev_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/${ARCH}/zeek-core-dev_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/${ARCH}/zeek-core_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/${ARCH}/zeek-spicy-dev_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/${ARCH}/zeek_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/${ARCH}/zeekctl_${ZEEK_VERSION}_${ARCH}.deb"
- "${URL_PREFIX}/all/zeek-client_${ZEEK_VERSION}_all.deb"
- "${URL_PREFIX}/all/zeek-zkg_${ZEEK_VERSION}_all.deb"
- "${URL_PREFIX}/all/zeek-btest_${ZEEK_VERSION}_all.deb"
- "${URL_PREFIX}/all/zeek-btest-data_${ZEEK_VERSION}_all.deb"
+if [[ -z "${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL}" ]] && [[ -f "${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE}" ]]; then
+ ZEEK_DEB_ALTERNATE_DOWNLOAD_URL="$(head -n 1 "${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE}")"
+fi
+
+URL_PREFIXES=(
+ "https://downloadcontentcdn.opensuse.org/repositories/security:/zeek"
+)
+[[ -n "$ZEEK_DEB_ALTERNATE_DOWNLOAD_URL" ]] && URL_PREFIXES+=( "$ZEEK_DEB_ALTERNATE_DOWNLOAD_URL" )
+
+URL_SUFFIXES=(
+ "${DISTRO}/${ARCH}/libbroker-dev_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/${ARCH}/zeek-core-dev_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/${ARCH}/zeek-core_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/${ARCH}/zeek-spicy-dev_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/${ARCH}/zeek_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/${ARCH}/zeekctl_${ZEEK_VERSION}_${ARCH}.deb"
+ "${DISTRO}/all/zeek-client_${ZEEK_VERSION}_all.deb"
+ "${DISTRO}/all/zeek-zkg_${ZEEK_VERSION}_all.deb"
+ "${DISTRO}/all/zeek-btest_${ZEEK_VERSION}_all.deb"
+ "${DISTRO}/all/zeek-btest-data_${ZEEK_VERSION}_all.deb"
)
pushd "$OUTPUT_DIR" >/dev/null 2>&1
-for URL in ${URLS[@]}; do
- curl -fsSL -O -J "${URL}"
+for URL_SUFFIX in ${URL_SUFFIXES[@]}; do
+ [[ "$PRESERVE_HIERARCHY" == "true" ]] && OUTPUT_DIR_REL="$(dirname "$URL_SUFFIX")" || OUTPUT_DIR_REL=.
+ mkdir -p "$OUTPUT_DIR_REL"
+ pushd "$OUTPUT_DIR_REL" >/dev/null 2>&1
+ for URL_PREFIX in ${URL_PREFIXES[@]}; do
+ curl -fsSL -O -J "${URL_PREFIX%/}/${URL_SUFFIX}" && break
+ done
+ popd >/dev/null 2>&1
done
popd >/dev/null 2>&1
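Review bot: When every prefix fails for a suffix, the inner loop in the bottom hunk ends silently and the script carries on, finishing with popd's 0 exit status, so a partially downloaded package set goes unnoticed by the caller; tracking whether the `break` was reached and reporting it lets the failure be seen. The expansions `${URL_SUFFIXES[@]}` and `${URL_PREFIXES[@]}` are unquoted, which word-splits an alternate URL read from the -f file if it contains whitespace; `"${URL_PREFIXES[@]}"` is the safe form. Note also that -J lets the server choose the on-disk filename, which with a user-supplied alternate mirror means the mirror rather than the script names the package; dropping -J keeps the expected `zeek-…_${ZEEK_VERSION}_….deb` names.
```shell
for URL_SUFFIX in "${URL_SUFFIXES[@]}"; do
  # … unchanged: OUTPUT_DIR_REL / mkdir / pushd …
  DOWNLOADED=false
  for URL_PREFIX in "${URL_PREFIXES[@]}"; do
    curl -fsSL -O "${URL_PREFIX%/}/${URL_SUFFIX}" && DOWNLOADED=true && break
  done
  [[ "$DOWNLOADED" == "true" ]] || { echo "Failed to download ${URL_SUFFIX}" >&2; FAILED=true; }
  popd >/dev/null 2>&1
done
popd >/dev/null 2>&1
[[ "${FAILED:-false}" == "true" ]] && exit 1
```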
diff --git a/shared/bin/zeek_carve_watcher.py b/shared/bin/zeek_carve_watcher.py
index 960464905..e457edd19 100755
--- a/shared/bin/zeek_carve_watcher.py
+++ b/shared/bin/zeek_carve_watcher.py
@@ -24,7 +24,7 @@
from multiprocessing.pool import ThreadPool
from watchdog.observers import Observer
from watchdog.observers.polling import PollingObserver
-from watchdog.utils import WatchdogShutdown
+from watchdog.utils import WatchdogShutdownError
from zeek_carve_utils import (
CAPA_VIV_MIME,
@@ -320,9 +320,9 @@ def main():
logging.info(f"{scriptName}:\tshutting down...")
if shuttingDown[0]:
- raise WatchdogShutdown()
+ raise WatchdogShutdownError()
- except WatchdogShutdown:
+ except WatchdogShutdownError:
observer.unschedule_all()
finally:
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index ab535b333..9907331fc 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -30,18 +30,26 @@ function get_latest_github_tagged_release() {
# zkg_install_github_repo
#
# zkg install the latest GitHub release tag if available (else, master/HEAD)
-# release tag/branch can be overriden by specifying the branch name with after the URL delimited by a |
-#
+# some optional overrides can be specified using | as a delimiter in the URL parameter:
+# URL|branch|environment variables
+# URL - the full GitHub URL to install
+# branch - the branch to checkout and install (otherwise, the latest release tag will be used, or the default branch if no releases exist)
+# environment variables - semicolon-separated list of environment variables to set before calling zkg (e.g., CMAKE_BUILD_TYPE=Debug;HILTI_CXX_FLAGS=-fno-var-tracking-assignments)
function zkg_install_github_repo() {
URL_PARAM="$1"
- URL_BRANCH_DELIM='|'
- URL_BRANCH_DELIM_COUNT="$(awk -F"${URL_BRANCH_DELIM}" '{print NF-1}' <<< "${URL_PARAM}")"
- if (( $URL_BRANCH_DELIM_COUNT > 0 )); then
+ URL_DELIM='|'
+ URL_DELIM_COUNT="$(awk -F"${URL_DELIM}" '{print NF-1}' <<< "${URL_PARAM}")"
+ REPO_URL=""
+ BRANCH_OVERRIDE=""
+ ENV_LIST=""
+ if (( $URL_DELIM_COUNT >= 0 )); then
REPO_URL="$(echo "$URL_PARAM" | cut -d'|' -f1)"
+ fi
+ if (( $URL_DELIM_COUNT >= 1 )); then
BRANCH_OVERRIDE="$(echo "$URL_PARAM" | cut -d'|' -f2)"
- else
- REPO_URL="$URL_PARAM"
- BRANCH_OVERRIDE=""
+ fi
+ if (( $URL_DELIM_COUNT >= 2 )); then
+ ENV_LIST="$(echo "$URL_PARAM" | cut -d'|' -f3)"
fi
if [[ -n $REPO_URL ]]; then
if [[ -n $BRANCH_OVERRIDE ]]; then
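Review bot: `(( $URL_DELIM_COUNT >= 0 ))` is always true, since the awk field count cannot be negative, so the guard around the REPO_URL assignment is dead code; assign it unconditionally with `REPO_URL="$(echo "$URL_PARAM" | cut -d'|' -f1)"` and keep the `>= 1` and `>= 2` checks for the optional fields. An empty trailing field (`URL|branch|`) yields an empty ENV_LIST, which the later `-n` check already handles. The function continues past this hunk.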
@@ -49,6 +57,12 @@ function zkg_install_github_repo() {
else
REPO_LATEST_RELEASE="$(get_latest_github_tagged_release "$REPO_URL")"
fi
+ if [[ -n $ENV_LIST ]]; then
+ IFS=';' read -ra ENVS <<< "${ENV_LIST}"
+ for ENV in "${ENVS[@]}"; do
+ export "$ENV"
+ done
+ fi
if [[ -n $REPO_LATEST_RELEASE ]]; then
zkg install --nodeps --force --skiptests --version "$REPO_LATEST_RELEASE" "$REPO_URL"
else
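Review bot: The `export "$ENV"` loop sets the variables in the calling shell, so they remain exported for every later package in the ZKG_GITHUB_URLS loop rather than only for this repository's zkg call; a CMAKE_BUILD_TYPE or HILTI_CXX_FLAGS meant for one analyzer would silently apply to all the ones installed after it. Since the entries are hard-coded this is a correctness rather than a trust issue, but it is easy to scope: drop the export loop, initialise `ENVS=()` before the `-n $ENV_LIST` branch, and run `env "${ENVS[@]}" zkg install --nodeps --force --skiptests --version "$REPO_LATEST_RELEASE" "$REPO_URL"`. The second zkg call in the else branch lies outside the hunk and needs the same `env "${ENVS[@]}"` prefix.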
@@ -57,9 +71,12 @@ function zkg_install_github_repo() {
fi
}
-# don't consume as many resources when building spicy-analyzers, even if it's slower.
-# https://github.com/zeek/spicy-analyzers/pull/60
-export SPICY_ZKG_PROCESSES=1
+# don't consume as many resources when building spicy analyzers, even if it's slower.
+# https://docs.zeek.org/projects/spicy/en/latest/toolchain.html
+TOTAL_CPUS="$(nproc --all 2>/dev/null || echo '1')"
+TOTAL_CPUS=$(( TOTAL_CPUS / 2 ))
+(( $TOTAL_CPUS <= 0 )) && TOTAL_CPUS=1
+export HILTI_JIT_PARALLELISM=${BUILD_JOBS:-$TOTAL_CPUS}
# install Zeek packages that install nicely using zkg
ZKG_GITHUB_URLS=(
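Review bot: `nproc --all` reports every CPU the kernel knows about and ignores the cpuset or affinity the process actually has, so inside a CPU-limited container HILTI_JIT_PARALLELISM defaults to half of the host's CPUs rather than half of the allotted ones; plain `nproc` respects the available set: `TOTAL_CPUS="$(nproc 2>/dev/null || echo '1')"`. The BUILD_JOBS override still takes precedence as written.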
@@ -75,6 +92,7 @@ ZKG_GITHUB_URLS=(
"https://github.com/cisagov/icsnpp-ethercat"
"https://github.com/cisagov/icsnpp-ge-srtp"
"https://github.com/cisagov/icsnpp-genisys"
+ "https://github.com/cisagov/icsnpp-hart-ip"
"https://github.com/cisagov/icsnpp-modbus"
"https://github.com/cisagov/icsnpp-opcua-binary"
"https://github.com/cisagov/icsnpp-profinet-io-cm"
@@ -112,6 +130,7 @@ ZKG_GITHUB_URLS=(
"https://github.com/zeek/spicy-tftp"
"https://github.com/zeek/spicy-zip"
)
+
for i in ${ZKG_GITHUB_URLS[@]}; do
zkg_install_github_repo "$i"
done
diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index bbe27c536..2c977f4be 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -142,8 +142,14 @@ export TMP="$TMP_PATH"
# if file extraction is enabled and file extraction script exists, set up the argument for zeek to use it
[[ -z $ZEEK_RULESET ]] && ZEEK_RULESET="local"
EXTRACTOR_ZEEK_SCRIPT="extractor.zeek"
+EXTRACTOR_INTERESTING_ZEEK_SCRIPT="extractor_override.interesting.zeek"
ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRIPT"
+ZEEK_EXTRACTOR_INTERESTING_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_INTERESTING_ZEEK_SCRIPT"
([[ ! -r "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ "$ZEEK_EXTRACTOR_MODE" = "none" ]]) && ZEEK_EXTRACTOR_SCRIPT=""
+if [[ "$ZEEK_EXTRACTOR_MODE" = "interesting" ]] && [[ -r "$ZEEK_EXTRACTOR_INTERESTING_SCRIPT" ]]; then
+ ZEEK_EXTRACTOR_OVERRIDE_FILE="$ZEEK_EXTRACTOR_INTERESTING_SCRIPT"
+ export ZEEK_EXTRACTOR_MODE="mapped"
+fi
([[ ! -r "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]] || [[ -z "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ ! "$ZEEK_EXTRACTOR_MODE" = "mapped" ]]) && ZEEK_EXTRACTOR_OVERRIDE_FILE=""
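Review bot: `ZEEK_EXTRACTOR_OVERRIDE_FILE` is assigned but not exported on the line that selects the interesting-mode script, while `ZEEK_EXTRACTOR_MODE` on the following line is exported; if the override path is read by zeek from the environment (how it is consumed is not visible in this hunk), it needs `export ZEEK_EXTRACTOR_OVERRIDE_FILE="$ZEEK_EXTRACTOR_INTERESTING_SCRIPT"` too. When the mode is "interesting" but the script is unreadable, the mode passes through unchanged and the last line then clears the override silently; an `else` branch writing a warning to stderr would make that misconfiguration visible.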
# make sure "intel" directory exists, even if empty
@@ -181,6 +187,12 @@ else
fi
sed -r -i "s@(LogDir)\s*=\s*.*@\1 = $ARCHIVE_PATH@" ./zeekctl.cfg
sed -r -i "s@(SpoolDir)\s*=\s*.*@\1 = $WORK_PATH@" ./zeekctl.cfg
+# We're setting FileExtract::prefix for the directory for file extraction, so we
+# don't want this new default behavior from zeekctl. So, set FileExtractDir
+# there to an empty value.
+# See https://github.com/zeek/zeekctl/blob/7e1a8448083ef0013f15e67ce001836e680589a2/CHANGES#L11-L26
+# and https://github.com/zeek/zeekctl/issues/65
+sed -r -i "s@(FileExtractDir)\s*=\s*.*@\1 =@" ./zeekctl.cfg
sed -r -i "s/(MailConnectionSummary)\s*=\s*.*/\1 = 0/" ./zeekctl.cfg
sed -r -i "s/(MinDiskSpace)\s*=\s*.*/\1 = 0/" ./zeekctl.cfg
diff --git a/suricata/scripts/docker_entrypoint.sh b/suricata/scripts/docker_entrypoint.sh
index b3044ed59..467d45b74 100755
--- a/suricata/scripts/docker_entrypoint.sh
+++ b/suricata/scripts/docker_entrypoint.sh
@@ -3,13 +3,15 @@
# ensure capabilities for capture
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/bin/suricata || true
+[[ -x /usr/bin/suricata-offline ]] && SURICATA_TEST_CONFIG_BIN=/usr/bin/suricata-offline || SURICATA_TEST_CONFIG_BIN=/usr/bin/suricata
+
# modify suricata.yaml according to environment variables (as non-root)
if [[ "$(id -u)" == "0" ]] && [[ -n "$PUSER" ]]; then
su -s /bin/bash -p ${PUSER} << EOF
- /usr/local/bin/suricata_config_populate.py ${SURICATA_TEST_CONFIG_VERBOSITY:-} >&2
+ /usr/local/bin/suricata_config_populate.py --suricata ${SURICATA_TEST_CONFIG_BIN} ${SURICATA_TEST_CONFIG_VERBOSITY:-} >&2
EOF
else
- /usr/local/bin/suricata_config_populate.py ${SURICATA_TEST_CONFIG_VERBOSITY:-} >&2
+ /usr/local/bin/suricata_config_populate.py --suricata ${SURICATA_TEST_CONFIG_BIN} ${SURICATA_TEST_CONFIG_VERBOSITY:-} >&2
fi
# start supervisor (which will spawn pcap-suricata, cron, etc.) or whatever the default command is
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index 7de26a3c7..e3aea8183 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -35,6 +35,7 @@ global disable_ics_enip = (getenv("ZEEK_DISABLE_ICS_ENIP") == true_regex) ? T :
global disable_ics_ethercat = (getenv("ZEEK_DISABLE_ICS_ETHERCAT") == true_regex) ? T : F;
global disable_ics_genisys = (getenv("ZEEK_DISABLE_ICS_GENISYS") == true_regex) ? T : F;
global disable_ics_ge_srtp = (getenv("ZEEK_DISABLE_ICS_GE_SRTP") == true_regex) ? T : F;
+global disable_ics_hart_ip = (getenv("ZEEK_DISABLE_ICS_HART_IP") == true_regex) ? T : F;
global disable_ics_opcua_binary = (getenv("ZEEK_DISABLE_ICS_OPCUA_BINARY") == true_regex) ? T : F;
global disable_ics_modbus = (getenv("ZEEK_DISABLE_ICS_MODBUS") == true_regex) ? T : F;
global disable_ics_profinet = (getenv("ZEEK_DISABLE_ICS_PROFINET") == true_regex) ? T : F;
@@ -55,7 +56,6 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F;
redef LogAscii::use_json = T;
@endif
-@load tuning/defaults
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
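Review bot: The removal of `@load tuning/defaults` carries no comment, so a reader of the file cannot tell whether dropping that policy bundle and the sub-scripts it pulls in was deliberate or incidental; presumably it relates to the FileExtract changes elsewhere in this commit, but that is inferred. Add a one-line comment at that spot, e.g. `# tuning/defaults is intentionally not loaded: <reason>`, with the actual reason filled in.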
@@ -69,6 +69,7 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F;
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
+@load protocols/http/header-names
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@@ -148,6 +149,10 @@ event zeek_init() &priority=-5 {
if (disable_ics_all || disable_ics_ge_srtp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_GE_SRTP_TCP);
}
+ if (disable_ics_all || disable_ics_hart_ip) {
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HART_IP_TCP);
+ Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HART_IP_UDP);
+ }
if (disable_ics_all || disable_ics_opcua_binary) {
Analyzer::disable_analyzer(Analyzer::ANALYZER_ICSNPP_OPCUA_BINARY);
}
@@ -277,6 +282,8 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif
+redef HTTP::log_client_header_names = T;
+redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
redef SNIFFPASS::notice_log_enable = F;
redef CVE_2021_44228::log = F;