{ "title": "Example", "services": { "query": { "list": { "0": { "query": "netflow.protocol:1", "alias": "", "color": "#7EB26D", "id": 0, "pin": true, "type": "lucene", "enable": true }, "1": { "id": 1, "color": "#EAB839", "alias": "", "pin": false, "type": "lucene", "enable": true, "query": "*" } }, "ids": [ 0, 1 ] }, "filter": { "list": { "0": { "type": "time", "field": "@timestamp", "from": "now-7d", "to": "now", "mandate": "must", "active": true, "alias": "", "id": 0 }, "1": { "type": "querystring", "query": "netflow.l4_dst_port:21", "mandate": "must", "active": false, "alias": "", "id": 1 }, "2": { "type": "terms", "field": "netflow.ipv4_dst_addr", "value": 3232235827, "mandate": "must", "active": false, "alias": "", "id": 2 }, "3": { "type": "querystring", "query": "netflow.protocol:17", "mandate": "must", "active": false, "alias": "", "id": 3 } }, "ids": [ 0, 1, 2, 3 ] } }, "rows": [ { "title": "Options", "height": "50px", "editable": true, "collapse": true, "collapsable": true, "panels": [], "notice": false }, { "title": "Graph", "height": "250px", "editable": true, "collapse": false, "collapsable": true, "panels": [ { "error": false, "span": 4, "editable": true, "group": [ "default" ], "type": "text", "status": "Stable", "mode": "markdown", "content": "This is a pre-designed Kibana dashboard for the purposes of this lab. \n\nIt contains various panels to demonstrate the capabilities of Kibana and help students answer the questions of the lab. The panels include a graph of network traffic over time, a table of the bytes sent over each protocol, statistics about the bytes of traffic, a table of the number of packets per ICMP destination port (dst_port = (ICMP type <<8)+code), pie-charts of the source and destination ports of the traffic and a panel of the records. \n\nFeel free to explore it, use Queries and Filters, view the events and panels or even create your own in order to answer the tasks.", "style": {}, "title": "Network Forensics Lab" }, { "span": 8, "editable": true, "type": "histogram", "loadingEditor": false, "mode": "total", "time_field": "@timestamp", "value_field": "netflow.in_bytes", "x-axis": true, "y-axis": true, "scale": "1", "y_format": "bytes", "grid": { "max": null, "min": 0 }, "queries": { "mode": "unpinned", "ids": [ 1 ] }, "annotate": { "enable": false, "query": "*", "size": 20, "field": "_type", "sort": [ "_score", "desc" ] }, "auto_int": true, "resolution": 100, "interval": "1h", "intervals": [ "auto", "1s", "1m", "5m", "10m", "30m", "1h", "3h", "12h", "1d", "1w", "1y" ], "lines": true, "fill": 0, "linewidth": 3, "points": false, "pointradius": 5, "bars": false, "stack": true, "spyable": true, "zoomlinks": true, "options": true, "legend": true, "show_query": true, "interactive": false, "legend_counts": true, "timezone": "browser", "percentage": false, "zerofill": true, "derivative": false, "tooltip": { "value_type": "cumulative", "query_as_alias": true }, "title": "Traffic", "scaleSeconds": false }, { "error": false, "span": 2, "editable": true, "type": "stats", "loadingEditor": false, "queries": { "mode": "unpinned", "ids": [ 1 ] }, "style": { "font-size": "24pt" }, "format": "number", "mode": "total", "display_breakdown": "yes", "sort_field": "", "sort_reverse": false, "label_name": "Query", "value_name": "Value", "spyable": true, "show": { "count": true, "min": true, "max": true, "mean": true, "std_deviation": true, "sum_of_squares": true, "total": true, "variance": true }, "title": "Bytes", "field": "netflow.in_bytes", "unit": "Bytes" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.protocol", "exclude": [], "missing": true, "other": true, "size": 10, "order": "total", "style": { "font-size": "10pt" }, "donut": false, "tilt": false, "labels": true, "arrangement": "horizontal", "chart": "table", "counter_pos": "above", "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_bytes", "title": "Bytes per Protocol" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.l4_dst_port", "exclude": [], "missing": true, "other": true, "size": 10, "order": "total", "style": { "font-size": "10pt" }, "donut": false, "tilt": false, "labels": true, "arrangement": "horizontal", "chart": "table", "counter_pos": "above", "spyable": true, "queries": { "mode": "pinned", "ids": [ 0 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_pkts", "title": "Pkts Per ICMP message" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.ipv4_src_addr", "exclude": [], "missing": true, "other": true, "size": 10, "order": "count", "style": { "font-size": "10pt" }, "donut": true, "tilt": true, "labels": true, "arrangement": "horizontal", "chart": "pie", "counter_pos": "above", "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_bytes", "title": "Source address" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.l4_src_port", "exclude": [], "missing": true, "other": true, "size": 10, "order": "count", "style": { "font-size": "10pt" }, "donut": true, "tilt": true, "labels": true, "arrangement": "horizontal", "chart": "pie", "counter_pos": "above", "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_bytes", "title": "Source Port" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.ipv4_dst_addr", "exclude": [], "missing": true, "other": true, "size": 10, "order": "count", "style": { "font-size": "10pt" }, "donut": true, "tilt": true, "labels": true, "arrangement": "horizontal", "chart": "pie", "counter_pos": "above", "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_bytes", "title": "Destination address" }, { "error": false, "span": 3, "editable": true, "type": "terms", "loadingEditor": false, "field": "netflow.l4_dst_port", "exclude": [], "missing": true, "other": true, "size": 10, "order": "count", "style": { "font-size": "10pt" }, "donut": true, "tilt": true, "labels": true, "arrangement": "horizontal", "chart": "pie", "counter_pos": "above", "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "tmode": "terms_stats", "tstat": "total", "valuefield": "netflow.in_bytes", "title": "Destination Port" } ], "notice": false }, { "title": "Events", "height": "650px", "editable": true, "collapse": true, "collapsable": true, "panels": [ { "error": false, "span": 12, "editable": true, "group": [ "default" ], "type": "table", "size": 100, "pages": 5, "offset": 0, "sort": [ "netflow.l4_src_port", "desc" ], "style": { "font-size": "9pt" }, "overflow": "min-height", "fields": [ "netflow.protocol", "netflow.l4_src_port", "netflow.l4_dst_port", "netflow.ipv4_src_addr", "netflow.ipv4_dst_addr", "netflow.in_bytes" ], "highlight": [], "sortable": true, "header": true, "paging": true, "spyable": true, "queries": { "mode": "all", "ids": [ 0, 1 ] }, "field_list": true, "status": "Stable", "trimFactor": 300, "normTimes": true, "title": "Documents", "all_fields": false, "localTime": false, "timeField": "@timestamp" } ], "notice": false } ], "editable": true, "index": { "interval": "day", "pattern": "[logstash_netflow5-pod15-]YYYY.MM.DD", "default": "[logstash_netflow5-pod02-]YYYY.MM.DD", "warm_fields": true }, "style": "dark", "failover": false, "panel_hints": true, "loader": { "save_gist": false, "save_elasticsearch": true, "save_local": true, "save_default": true, "save_temp": true, "save_temp_ttl_enable": true, "save_temp_ttl": "30d", "load_gist": true, "load_elasticsearch": true, "load_elasticsearch_size": 20, "load_local": true, "hide": false }, "pulldowns": [ { "type": "query", "collapse": false, "notice": false, "query": "*", "pinned": true, "history": [ "netflow.protocol=6", "*", "netflow.ipv4_dst_addr==:10.0.1.1", "netflow.l4_src_port:80", "netflow.l4_src_port:21", "netflow.l4_src_port == 21", "netflow.l4_src_port == 80", "netflow.l4_src==21" ], "remember": 10, "enable": true }, { "type": "filtering", "collapse": false, "notice": true, "enable": true } ], "nav": [ { "type": "timepicker", "collapse": false, "notice": false, "status": "Stable", "time_options": [ "5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d" ], "refresh_intervals": [ "5s", "10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d" ], "timefield": "@timestamp", "enable": true, "now": true, "filter_id": 0 } ], "refresh": "10s" }