Kibana Dashboards¶
Stamus Central Server embed the suite ELK and Kibana’s dashboards are accessible through the app switcher in the header.
Open Kibana. Once in Kibana, click on the Dashboard menu to see the full list of available dashboards. The use case examples below are for the purpose of idea generation and are not meant to be exhaustive.
Note
Any data from the Kibana dashboards or visualizations can be exported as CSV or PDF.
Dashboard |
Description |
Data types |
Example Use Cases |
---|---|---|---|
SN-ALERTS |
Alerts dashboard. |
Alerts with metadata. |
|
SN-ALERTS-CVE |
CVE specific alerts dashboard. |
Alerts with metadata. |
|
SN-ALERTS-EXE-HUNT-1 |
Executables hunt and metadata export dashboard. |
Alerts with metadata. |
|
SN-ALERTS-PHISHING |
Phishing specific alerts dashboard. |
Alerts with metadata. |
|
SN-ALL |
General events dashboard. |
Any log type. |
|
SN-ANOMALY |
Protocol anomaly events dashboard. |
Anomaly events. |
|
SN-BEACONING-TLS |
TLS beacons dashboard. |
Beaconing events. |
|
SN-DCERPC |
DCERPC protocol events dashboard. |
DCERPC logs. |
|
SN-DHCP |
DHCP protocol events dashboard. |
DHCP logs. |
|
SN-DNP3 |
DNP3 protocol events dashboard. |
DNP3 logs. |
|
SN-DNS |
DNS protocol events dashboard. |
DNS logs. |
|
SN-DNS-HUNT-Tunnel |
DNS tunnel detection and threat hunting dashboard. |
DNS logs. |
|
SN-FILE-Transactions |
File transactions protocol events dashboard. |
Fileinfo, file transaction logs. |
|
SN-FLOW |
Generic FLOW records dashboard. |
Flow, netflow logs. |
|
SN-FLOW-HTTP |
HTTP flow records dashboard. |
Flow logs specific to HTTP. |
|
SN-FLOW-HUNT-DNS-EXFIL |
Larger DNS flows dashboard. Possible exfil. |
Flow logs specific to DNS. |
|
SN-FLOW-HUNT-ICMP-Possible-EXFIL |
ICMP tunneling or exfil hunting dashboard. |
Flow logs specific to ICMP. |
|
SN-FLOW-SIZE |
Generic FLOW size based search dashboard. |
Flow logs. |
|
SN-FLOW-SMB |
SMB flow records dashboard. |
Flow logs specific to SMB. |
|
SN-FLOW-SSH |
SSH flow records dashboard. |
Flow logs specific to SSH. |
|
SN-FLOW-TCP |
TCP flow records dashboard. |
Flow logs specific to TCP. |
|
SN-FLOW-TLS |
TLS flow records dashboard. |
Flow logs specific to TLS. |
|
SN-FLOW-UDP |
UDP flow records dashboard. |
Flow logs specific to UDP. |
|
SN-HTTP |
HTTP protocol events dashboard. |
HTTP logs. |
|
SN-HTTP-HUNT |
HTTP protocol hunting dashboard. |
HTTP logs. |
|
SN-HUNT-1 |
All events hunting dashboard. IP or user search. |
TLS, HTTP, DNS, Flow, SMB, KRB, ICMP, File transaction logs. |
|
SN-IDS |
Generic IDS alerts timelion dashboard. |
Alert logs. |
|
SN-IKEv2 |
IKE protocol events dashboard. |
IKE logs. |
|
SN-IoC-Search |
IoC search and audit dashboard. |
TLS, HTTP, DNS logs. |
|
SN-KRB5 |
KRB5 protocol events dashboard. |
KRB5 logs. |
|
SN-MQTT |
MQTT protocol events dashboard. |
MQTT logs. |
|
SN-NFS |
NFS protocol events dashboard. |
NFS logs. |
|
SN-Network-Overview |
Network flow data overview dashboard. |
Flow logs. |
|
SN-Network-Overview-1 |
SN Probe Network flow data overview dashboard. |
Flow logs. |
|
SN-Network-Overview-2 |
Network flow data overview dashboard. |
Flow logs. |
|
SN-OVERVIEW |
General network overview dashboard. |
Any logs. |
|
SN-POLICY-OLD-TLS |
Older or vulnerable TLS protocol encryption. |
TLS logs. |
|
SN-POLICY-Violations |
General Policy violations. |
Alert logs. |
|
SN-POSTPROC-Stats |
Post processing stats dashboard. |
Stats logs. |
|
SN-RDP |
RDP protocol events dashboard. |
RDP logs. |
|
SN-RFB |
RFB protocol events dashboard. |
RFB logs. |
|
SN-SIGHTINGS |
Newly discovered communication never seen before. |
TLS, HTTP, DNS, SMB, logs. |
|
SN-SIGNATURE-Performance |
Signature performance profiles |
Signature profiling metrics on CPU ticks |
|
SN-SIP |
SIP protocol events dashboard. |
SIP logs. |
|
SN-SMB |
SMB protocol events dashboard. |
SMB logs. |
|
SN-SMB-DCERPC-Lateral-1 |
Stamus Networks Lateral Detection Dashboard |
SMB logs. |
|
SN-SMTP |
SMTP protocol events dashboard. |
SMTP logs. |
|
SN-SNMP |
SNMP protocol events dashboard. |
SNMP logs. |
|
SN-SSH |
SSH protocol events dashboard. |
SSH logs. |
|
SN-STAMUS |
Declarations of Compromise dashboard. |
DoC logs. |
|
SN-TFTP |
TFTP protocol events dashboard. |
TFTP logs. |
|
SN-TLS |
TLS protocol events dashboard. |
TLS logs. |
|
SN-TrafficID |
Social media dashboard. |
Alert logs. |
|
SN-VLAN |
VLAN dashboard. |
All logs. |
|
Export Kibana visualizations as CSV file¶
In order to export any of the visualizations on Kibana Dashboards as a CSV file, you need to do the following:
Open the selected Dashboard
Click on the three dots in the right hand corner of the visualization
From the menu -> click on
Inspect
A side menu will be loaded. From there, you need to click on
Download CSV
and choose the type of csv (formatted or raw).
Export Kibana visualizations and dashbords from Stack Management¶
Another useful way to export Kibana Dashboards and/or Visualizations is to use the Saved Objects
in Stack Management
.
The feature also allows you to export multiple Dashboards and/or Visualizations.
In order to do the export, you need to go to Kibana menu -> Stack Management
and click on Saved Objects
.
You can use the search bar to look for a specific dashboard or visualization. Next, you have to select the checkbox for it and click on Export
button on the right hand-side of the page.
Edit Kibana visualizations¶
If you wish to edit an already existing visualization in Kibana, you can choose between two approaches to do this.
First approach is to use the Visualize Library
. To access it you need to click on the menu, located in the top left-hand side of the page.
Next, you will see a list of all available visualizations. Choose the visualization you would like to edit and click on it.
The visualization edition menu is on the right-hand side of the page. You can choose between editing Metrics
and Buckets
.
Once you have finished editing the visualization, you need to click on the Update
button.
Another approach to editing Kibana’s Visualizations is to do this directly from any Dashboard.
In order to do this, you have to go to a dashboard, then click on Edit
button on the top right hand-side of the page.
Next, you have to click on the gear icon at the top right-hand corner of the visualization you would like to edit and choose Edit Visualization
Create Kibana visualizations¶
If you would like to create your own visualizations, you should go to Kibana menu -> Visualize Library
.
From there, click on Create visualization
button and select the type of visualization, like Aggregation based, Lens, etc.
Next you should choose how to display your data. You can choose between Metric, Pie, Gouge, Data table, etc.
Once you have selected this, you need to choose the data source
.
Note
Data sources in SCS are available by event type. Thus, TLS
events are part of the logstash-tls*
data source; DNS
are part of the logstash-dns*
data source, etc.
Finally, you have to configure your visualization, by choosing the relevant Metrics
and Buckets
.
Click on the Update
button at the bottom right corner of the page in order to see your visualizaion.
Note
You might need to adjsut the time range in order to get relevant data.
Note
If you would like to save your newly created visualization, simply click on the Save
button.
Once you have saved it, you will be able to see it in the Visualize Library
.