StamusNetworks/KTS7

Error with Painless scripted field 'doc['flow_id'].value'.

Opened this issue · 69 comments

myrsecurity commented

Hi Ive tried to import the dashboards following the method

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2020.04.29-000001","node":"RmOnDn2mSsWSKkNKg2bgsA","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}}]},"status":400}

Im reading from a Remote PFSENSE via Filebeats. The logs hit Elastic after all of the filtering etc..

image

Thank you

pevma commented

How do you import the dashboards exactly ?

alphaDev23 commented

I'm receiving the same script exception. Dashboards, etc. are imported via the curl commands provided on the README page. The issue is preventing events in the EventsList from being displayed. I'm using the logstash filter that is linked to off the README page. The following is further information from the SN-ALL dashboard. Please advise.

script_exception at shard 0index logstash-flow-2020.11.22node VURsDiwmTnyNCTmjTmpqmQ
Type
script_exception
Reason
runtime error
Script stack
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.get(ScriptDocValues.java:121)
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.getValue(ScriptDocValues.java:115)
'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
^---- HERE

Script
'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()

Lang
painless
Position offset
73
Position start
0
Position end
232
Caused by type
illegal_state_exception
Caused by reason
A document doesn't have a value for a field! Use doc[].size()==0 to check if a document is missing a field!

pevma commented

Was able to reproduce. Will try to cook a patch today. I think it is related to a possible fix here- StamusNetworks/SELKS#255 (comment)

I would like to confirm - on which dahsboars/vizs does this appear ?

alphaDev23 commented

I only have Elasticsearch indexes for: alert, fileinfo, flow, http, tls. The issue is only appearing on SN-ALERTS from the data I have.

As a note, I attempted to use Filebeat to send Suricata logs directly to Elasticsearch using the elasticsearch7-template.json provided template. I verified the template was loaded in Elasticsearch. However, I believe my filebeat.yml file was incorrectly configured because I was only able to get a logstash- index, by modifying 'output.elasticsearch.index' and nothing was displayed in the dashboards. I'm not a Filebeat expert. If you have a filebeat.yml that works with the the template, it will eliminate the logstash service from the solution.

pevma commented

Were the indexes created/existed in Kibana/Management ?

alphaDev23 commented

The indexes were created through the logstash template provided off the README page. It is a slight modification given that 'type' doesn't exist in 7.x. The indexes did not exist prior to instantiating the stack.

pevma commented

Ok - just to confirm , the issue appears only on SN-ALL or on SN-ALERTS, from the error it comes in from the logstash-flow... index which is not used i think in SN-ALERTS.

alphaDev23 commented

I made a mistake in my last comment. It is only appearing on SN-ALL. I do not have any data in SN-ALERTS so I'm not able to confirm whether it occurs in SN-ALERTS.

alphaDev23 commented

Any update on the above?

pevma commented

This patch fixes the issue as mentioned here - #1 (comment)
It is either you can patch it up manually on each scripted field for each index - aka for example logstash-alert* / logstash-http* etc in Kibana Management .
Or it should also be taken care of on the next dashboards release, planned this week.
Apologies for the delay !

alphaDev23 commented

No worries. Thank you for fixing. Fantastic work on these dashboards, btw!

ManuelFFF commented

*Running SELKS 6 + ELK 7.10.0 + X-Pack enabled, so all communications are via https

I am having the same issue. So, the solution is just to enable the "community_id" in Suricata config and restart Suricata, or do I need to perform more steps?

Should I use doc['community_id.keyword'].value or doc['community_id'].value?

Thank you

pevma commented

It does not seem the issue is related?
For enabling the community id - yest it just needs to be enabled and suricata restarted.

ManuelFFF commented

Hi @pevma,

Like I said, I am experiencing the same issue. When I open Discover in Kibana, there's always a pop-up warning stating there is an issue with 2/15 shards. Please see the screenshots below:

Shard error
Shard error 2
Shard error 3

This issue starts as soon I enable X-Pack and all the communications turned over https protocol. We have talked about this matter and some side effects this brings to SELKS suite in other posts. I was hopping that a new SELKS release or patch would fix this and other issues, that just appears if the user enables X-Pack with basic security features in ELK. Then I saw this post and I thought that maybe there is an easy way to address this issue, since other users have seen the same error.

I tried enabling the community_id in Suricata config, then restarted Suricata and Evebox. The issue do not disappear, just mutate into a different error, as you can see here:
No community_id field

It does not make any difference if I add or leave the .keyword. Maybe I am missing additional important steps.
I hope you can help me to make this error go away.

Thank you

ManuelFFF commented

Any advise?

pevma commented

Think you should use it without the .keyword
Before that you should make sure you see it properly in the json logs (eve.json) - there should be a community flow id key/record in the logs.

ManuelFFF commented

Hi,

I only tried the .keyword because of this comment StamusNetworks/SELKS#255 (comment), but even that did not resolve the issue.

Checking the eve.json logs I can see flow_id field and also the community_id field:

{"timestamp":"2020-12-04T08:50:26.651146-0500","flow_id":1308048361440886,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.128","src_port":58589,"dest_ip":"239.255.255.250","dest_port":3702,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":4886,"bytes_toclient":0,"start":"2020-12-04T08:47:26.378486-0500","end":"2020-12-04T08:47:33.171907-0500","age":7,"state":"new","reason":"unknown","alerted":false},"community_id":"1:JJD9J+CckkTq2iKzZP6j8zVZjNY="}
{"timestamp":"2020-12-04T08:50:26.651523-0500","flow_id":1308048361440886,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.128","src_port":58589,"dest_ip":"239.255.255.250","dest_port":3702,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":4886,"bytes_toclient":0,"start":"2020-12-04T08:47:26.378486-0500","end":"2020-12-04T08:47:33.171907-0500","age":7,"state":"new","reason":"unknown","alerted":false},"community_id":"1:JJD9J+CckkTq2iKzZP6j8zVZjNY="}
{"timestamp":"2020-12-04T08:50:27.318169-0500","flow_id":2012176036617619,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.179","src_port":50754,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":150,"bytes_toclient":0,"start":"2020-12-04T08:47:15.613779-0500","end":"2020-12-04T08:47:16.020953-0500","age":1,"state":"new","reason":"unknown","alerted":false},"community_id":"1:eR0XiX1AMxyOvQcJd8kGHF+YIzY="}
{"timestamp":"2020-12-04T08:50:27.318319-0500","flow_id":2012176036617619,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.179","src_port":50754,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":150,"bytes_toclient":0,"start":"2020-12-04T08:47:15.613779-0500","end":"2020-12-04T08:47:16.020953-0500","age":1,"state":"new","reason":"unknown","alerted":false},"community_id":"1:eR0XiX1AMxyOvQcJd8kGHF+YIzY="}

The above logs are from a fresh SELKS 6 install and up to date, including ELK 7.10.0. I have not enabled the community_id field in suricata.yaml, but field is enabled in SELKS custom config file that overrides Suricata basic config (/etc/suricata/selks6-addin.yaml). So, the eve.json logs is including both fields: flow_id and community_id, and yet getting the shard errors related to the flow_id.

What would you recommend me to check/try next?

Thank you

pevma commented

Where exactly are you making the change/addition in the scripted fields - is it in logstash-flow* index in Kibana management ?
And on what discovery/viz you exactly get the error ?

ManuelFFF commented

Hi,

Error appears when I check app Discover/logstash-*. Error it is NOT present if I check Discover/logstash-flow-*. I tried modifications on Index Patterns/logstash-*. Index Patterns/logstash-flow-* does not have a scripted field.

pevma commented

Ok - so you mean if you do discovery with the index logstahs-* ? What about if you try for example logstash-dns-* or logstash-http-*

ManuelFFF commented

Verified one by one all logs in Discover/logstash-protocol-*. Only Discover/logstash-* it's being affected

ManuelFFF commented

Any thoughts?

pevma commented
ManuelFFF commented

Hi,

I am sorry if I wasn't clear enough on my previous message, so you could be able to help me. Index logstash-service-* does not really exist. I tried to use a pattern name to refer to all the following indexes:

logstash-*
logstash-alert-*
logstash-anomaly-*
logstash-dhcp-*
logstash-dnp3-*
logstash-dns-*
logstash-fileinfo-*
logstash-flow-*
logstash-http-*
logstash-ikev2-*
logstash-krb5-*
logstash-nfs-*
logstash-rdp-*
logstash-rfb-*
logstash-sip-*
logstash-smb-*
logstash-smtp-*
logstash-snmp-*
logstash-ssh-*
logstash-tftp-*
logstash-tls-*

Perhaps I should have used logstash-[event_type]-* instead or just use the exact index name like this time. What I wanted to say is that I checked all the previous indexes, one by one, and the error comes only when I check Discover/logstash-*

pevma commented

I think using logstash-event_type-* is better in terms of zooming in the specific index/event_type.
You can also look at any of the event types in their own dashboards including the raw events themselves at the bottom of every dashboard. So you just need to select the dashboard actually (From Kibana-> Dashboards) - for example SN-SMB will show you a dashboard with some visualizations and the raw logs of the event type SMB (or SMB protocol events).

ManuelFFF commented

So, there is no way to fix this error?
image

pevma commented

You should be able to import the raw API exports from here -
https://github.com/StamusNetworks/KTS7#how-to-use to fix the issue.

alphaDev23 commented

Was this issue resolved in the master branch? I just pulled and I'm receiving the following:

script_exception at shard 0index logstash-flow-2020.12.23node n6KVwvteRyaKlBCWbQPACwTypescript_exceptionReasonruntime errorScript stackorg.elasticsearch.index.fielddata.ScriptDocValues$Longs.get(ScriptDocValues.java:121) org.elasticsearch.index.fielddata.ScriptDocValues$Longs.getValue(ScriptDocValues.java:115) 'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase() ^---- HEREScript'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()LangpainlessPosition offset73Position start0Position end232Caused by typeillegal_state_exceptionCaused by reasonA document doesn't have a value for a field! Use doc[].size()==0 to check if a document is missing a field!

pevma commented
alphaDev23 commented

I've recreated the entire ELK stack. Same issue. Please advise.

pevma commented
alphaDev23 commented

I'm using suricata 1:4.1.2-2 with filebeat 7.9.1 and ELK stack 7.9.1. The following is my filebeat config. The stack can easily be recreated if needed. I've done so just to ensure that the setup was from scratch. Thoughts?

filebeat.inputs:

  • input_type: log
    enabled: true
    paths:
    • /var/log/suricata/eve.json

output.elasticsearch:
hosts: ["<ES_IP>:9200"]

pevma commented
alphaDev23 commented

I'm using the following commands to load the objects (from the API-KIBANA7) directory. This is the same thing that you mention above, correct? These were executed after a cloning anew as of my comment 2 days ago.

curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@index-pattern.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@search.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@visualization.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@dashboard.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@query.ndjson**

pevma commented
alphaDev23 commented

% Total % Received % Xferd Average Speed Time Time Time Current

                             Dload  Upload   Total   Spent    Left  Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 487k 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 487k 0 0 100 487k 0 242k 0:00:02 0:00:02 --:--:-- 242k
100 487k 100 30 100 487k 14 235k 0:00:02 0:00:02 --:--:-- 235k

% Total % Received % Xferd Average Speed Time Time Time Current

                             Dload  Upload   Total   Spent    Left  Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 506k 100 30 100 506k 50 851k --:--:-- --:--:-- --:--:-- 851k
100 506k 100 30 100 506k 50 846k --:--:-- --:--:-- --:--:-- 845k

% Total % Received % Xferd Average Speed Time Time Time Current

                             Dload  Upload   Total   Spent    Left  Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 975k 0 0 100 975k 0 968k 0:00:01 0:00:01 --:--:-- 969k
100 975k 100 30 100 975k 22 716k 0:00:01 0:00:01 --:--:-- 717k

% Total % Received % Xferd Average Speed Time Time Time Current

                             Dload  Upload   Total   Spent    Left  Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1003k 0 0 100 1003k 0 995k 0:00:01 0:00:01 --:--:-- 996k
100 1003k 100 30 100 1003k 20 684k 0:00:01 0:00:01 --:--:-- 684k
100 1003k 100 30 100 1003k 20 684k 0:00:01 0:00:01 --:--:-- 684k

% Total % Received % Xferd Average Speed Time Time Time Current

                             Dload  Upload   Total   Spent    Left  Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2869 100 30 100 2839 2421 223k --:--:-- --:--:-- --:--:-- 231k

alphaDev23 commented

After further testing, the templates appear to be designed for a version of the ELK stack < 7.9.1. Can these be upgraded? Below is the output when I run the commands separately.

{"success":true,"successCount":22}{"statusCode":422,"error":"Unprocessable Entity","message":"Document "0e515070-731c-11ea-b5dd-05bd1e5fbf82" has property "search" which belongs to a more recent version of Kibana [7.9.3].The last known version is [7.4.0]"}{"statusCode":422,"error":"Unprocessable Entity","message":"Document "00c602c0-74de-11ea-bb42-278f04c43ada" has property "visualization" which belongs to a more recent version of Kibana [7.10.0]. The last known version is [7.8.0]"}{"statusCode":422,"error":"Unprocessable Entity","message":"Document"fab31360-c1c8-11e8-9888-3f5bc9c31629" has property "visualization" which belongs to a more recent version of Kibana [7.10.0]. The last known version is [7.8.0]"}{"success":true,"successCount":4}bash-4.2$

pevma commented
alphaDev23 commented

I upgraded to a 7.10.1 stack. Indexes (22) and queries (4) load. Others do not. After executing the following, there are no visualizations in Kibana's saved objects.

bash-4.2$ curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@visualization.ndjson

{"successCount":390,"success":false,"successResults":[{"type":"visualization","id":"00c602c0-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"00dbb830-74df-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipVersion","icon":"visualizeApp"}},{"type":"visualization","id":"01acef80-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-KerberosSnames","icon":"visualizeApp"}},{"type":"visualization","id":"02363350-c2f6-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-TFTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"03ba7ce0-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"04e045d0-73f5-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Pdu","icon":"visualizeApp"}},{"type":"visualization","id":"04e4ecd0-cb3f-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"0a54ea10-cb41-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByProcedure","icon":"visualizeApp"}},{"type":"visualization","id":"0c6f2dd0-c199-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Detailed-Type","icon":"visualizeApp"}},{"type":"visualization","id":"0de33020-74ef-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientVersion","icon":"visualizeApp"}},{"type":"visualization","id":"0e792240-c1d3-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"111b9450-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"1317e9e0-caf6-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-BySname","icon":"visualizeApp"}},{"type":"visualization","id":"13b4a300-c1ca-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"13c631e0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-ConnProtoVersion","icon":"visualizeApp"}},{"type":"visualization","id":"15d06790-74df-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipMethod","icon":"visualizeApp"}},{"type":"visualization","id":"15f78410-731d-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Layer","icon":"visualizeApp"}},{"type":"visualization","id":"18409990-73f5-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Version","icon":"visualizeApp"}},{"type":"visualization","id":"19f31700-c1d0-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"1af05bf0-cc06-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficIdOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"1dcb8bf0-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"1e74daa0-c2f9-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-FILE-Total","icon":"visualizeApp"}},{"type":"visualization","id":"2013c6a0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"21b892d0-d332-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByType","icon":"visualizeApp"}},{"type":"visualization","id":"27e8ded0-c199-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-SubnetMasks-Served","icon":"visualizeApp"}},{"type":"visualization","id":"2a0d0b20-0817-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-Total","icon":"visualizeApp"}},{"type":"visualization","id":"2b23dd60-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-NtlmsspDomain","icon":"visualizeApp"}},{"type":"visualization","id":"2c7909a0-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"2cf8aef0-cb44-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-TLS-ByJa3Hash","icon":"visualizeApp"}},{"type":"visualization","id":"2e044410-3dc3-11ea-9663-b39dc1f7db8b","meta":{"title":"SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnSrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"2f7d1860-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"2f7fcdd0-707c-11e7-9d3e-29d8a1ffc52b","meta":{"title":"SN-FILE-GeoIPPDFAndExecutables","icon":"visualizeApp"}},{"type":"visualization","id":"305b0610-cb3f-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByDestPort","icon":"visualizeApp"}},{"type":"visualization","id":"30674f90-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"32b68a80-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-FILE-Count","icon":"visualizeApp"}},{"type":"visualization","id":"3339b490-cc06-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficLabelOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"33e3d3c0-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"34a287d0-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"35c3bd80-0621-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-SSH-ByServerHashByServerIPByPort","icon":"visualizeApp"}},{"type":"visualization","id":"35fe0970-76a2-11e7-8761-edc8301be2be","meta":{"title":"SN-FILE-GeoIPPDFAndExecutables","icon":"visualizeApp"}},{"type":"visualization","id":"3cc02790-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-ConnProtoString","icon":"visualizeApp"}},{"type":"visualization","id":"3ee767e0-74ef-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientCookie","icon":"visualizeApp"}},{"type":"visualization","id":"3f2fc250-06f9-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-HTTP2-RequestSettings","icon":"visualizeApp"}},{"type":"visualization","id":"3f6bdc20-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-TotalEvents","icon":"visualizeApp"}},{"type":"visualization","id":"40935fa0-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Channels","icon":"visualizeApp"}},{"type":"visualization","id":"40d1f1b0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-NtlmsspUser","icon":"visualizeApp"}},{"type":"visualization","id":"428c5020-38fb-11ea-9ee1-11f0d2cd99c4","meta":{"title":"SN-ThreatHunt-ALERTS-MutlipleUniqueAlertOnDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"4562de80-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"467c7160-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"48baf4f0-cb34-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"49460e90-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Dialect","icon":"visualizeApp"}},{"type":"visualization","id":"4a915930-74df-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipUri","icon":"visualizeApp"}},{"type":"visualization","id":"4eb365b0-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"50cfd230-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"54cb1bf0-cb41-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByVersion","icon":"visualizeApp"}},{"type":"visualization","id":"54da3520-c193-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Role","icon":"visualizeApp"}},{"type":"visualization","id":"561165b0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-NtlmsspHost","icon":"visualizeApp"}},{"type":"visualization","id":"56f846b0-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByCname","icon":"visualizeApp"}},{"type":"visualization","id":"574dce20-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-TotalEvents","icon":"visualizeApp"}},{"type":"visualization","id":"58f30160-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"5ce42c30-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"5ec287c0-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"5f1a83f0-7d8f-11ea-af8c-954c77eacc8f","meta":{"title":"SN-ANOMALY-EventType","icon":"visualizeApp"}},{"type":"visualization","id":"5f62a330-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"6195c7f0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"640f7da0-73f5-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Community","icon":"visualizeApp"}},{"type":"visualization","id":"64d48d40-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"65d35270-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-ClientDialect","icon":"visualizeApp"}},{"type":"visualization","id":"66130c70-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByFileTx","icon":"visualizeApp"}},{"type":"visualization","id":"669c73d0-c194-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"6c617f40-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"6c626e50-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Event_Type","icon":"visualizeApp"}},{"type":"visualization","id":"6dd9b190-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-ScreenShared","icon":"visualizeApp"}},{"type":"visualization","id":"7012e330-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"70e3bf80-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"7186a510-c228-11e8-9c42-9d2ae2bde3ab","meta":{"title":"SN-Timelion-Protocols","icon":"visualizeApp"}},{"type":"visualization","id":"7248b300-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByDestPort","icon":"visualizeApp"}},{"type":"visualization","id":"79bdb5e0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"7b3bb500-7d8e-11ea-af8c-954c77eacc8f","meta":{"title":"SN-TLS-ByVersion","icon":"visualizeApp"}},{"type":"visualization","id":"7b549170-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"7c50dd40-caf6-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByWeakEncryption","icon":"visualizeApp"}},{"type":"visualization","id":"7dbcee70-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SMB-Total","icon":"visualizeApp"}},{"type":"visualization","id":"7f717a40-0819-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"80f4d150-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Status","icon":"visualizeApp"}},{"type":"visualization","id":"812142a0-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"818e1210-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByEncryption","icon":"visualizeApp"}},{"type":"visualization","id":"836ad6e0-734b-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Type","icon":"visualizeApp"}},{"type":"visualization","id":"837522f0-cb34-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"8451e8a0-0621-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-SSH-ByClientHashByClientIPByPort","icon":"visualizeApp"}},{"type":"visualization","id":"85eddf30-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByDestPort","icon":"visualizeApp"}},{"type":"visualization","id":"89bd2f10-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"8c64b280-74df-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipReason","icon":"visualizeApp"}},{"type":"visualization","id":"8e02e410-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"8e299c30-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByDst","icon":"visualizeApp"}},{"type":"visualization","id":"8efad7b0-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"8f89a9e0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SMTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"8fc3c0a0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Share","icon":"visualizeApp"}},{"type":"visualization","id":"91b6dba0-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientKeyboardType","icon":"visualizeApp"}},{"type":"visualization","id":"97436e00-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"97b1cb90-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByErrCode","icon":"visualizeApp"}},{"type":"visualization","id":"9934b1a0-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"995b2750-0817-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-MqttOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"995f5e40-73f4-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Vars","icon":"visualizeApp"}},{"type":"visualization","id":"9a91f300-caf3-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"9ec0d330-cb41-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByFileName","icon":"visualizeApp"}},{"type":"visualization","id":"9ff304c0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-TLS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Bottom20Signatures","meta":{"title":"SN-Alert-Bottom20Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByExtraInfoType","meta":{"title":"SN-Alert-ByExtraInfoType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpContentType","meta":{"title":"SN-Alert-ByHttpContentType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpMethod","meta":{"title":"SN-Alert-ByHttpMethod","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpProtocolByUserAgentByOS","meta":{"title":"SN-Alert-ByHttpProtocolByUserAgentByOS","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySmtpHello","meta":{"title":"SN-Alert-BySmtpHello","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySshClientProtoBySshClientSoftwareVer","meta":{"title":"SN-Alert-BySshClientProtoBySshClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySshServerProtoBySshSoftwareVer","meta":{"title":"SN-Alert-BySshServerProtoBySshSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerByTlsSniByTlsVersionNotGoogleYahooTwiter","meta":{"title":"SN-Alert-ByTlsIssuerByTlsSniByTlsVersionNotGoogleYahooTwiter","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerByTlsSniNotGoogleYahooTwiter","meta":{"title":"SN-Alert-ByTlsIssuerByTlsSniNotGoogleYahooTwiter","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerdn","meta":{"title":"SN-Alert-ByTlsIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsSni","meta":{"title":"SN-Alert-ByTlsSni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByVLANID","meta":{"title":"SN-Alert-ByVLANID","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByVLANIDTop20","meta":{"title":"SN-Alert-ByVLANIDTop20","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Count","meta":{"title":"SN-Alert-Count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-GeoMap","meta":{"title":"SN-Alert-GeoMap","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Proto","meta":{"title":"SN-Alert-Proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Timeline","meta":{"title":"SN-Alert-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top10Signatures","meta":{"title":"SN-Alert-Top10Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20DstIP","meta":{"title":"SN-Alert-Top20DstIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20DstPorts","meta":{"title":"SN-Alert-Top20DstPorts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20Signatures","meta":{"title":"SN-ThreatHunt-ALERTS-Top100Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20SrcIP","meta":{"title":"SN-Alert-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20SrcPorts","meta":{"title":"SN-Alert-Top20SrcPorts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-categories","meta":{"title":"SN-Alerts categories","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-count","meta":{"title":"SN-Alerts count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-details","meta":{"title":"SN-Alerts details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-locations","meta":{"title":"SN-Alerts locations","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-over-time","meta":{"title":"SN-Alerts over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-per-probes","meta":{"title":"SN-Alerts per probes","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-severity","meta":{"title":"SN-Alerts severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-signatures","meta":{"title":"SN-Alerts signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-ApplayerProtoDestIPDestPort","meta":{"title":"SN-ApplayerProtoDestIPDestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-ApplayerProtoSrcIPSrcPort","meta":{"title":"SN-ApplayerProtoSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Application-protocol","meta":{"title":"SN-Application protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Average-packet-size","meta":{"title":"SN-Average packet size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Browsers","meta":{"title":"SN-Browsers","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Count","meta":{"title":"SN-Count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-ByProto","meta":{"title":"SN-DNS-ByProto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-ByTtl","meta":{"title":"SN-DNS-ByTtl","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-DnsEventsOverTime","meta":{"title":"SN-DNS-DnsEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-DnsOverTime","meta":{"title":"SN-DNS-DnsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-GeoIP","meta":{"title":"SN-DNS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-NXDOMAINGeoIP","meta":{"title":"SN-DNS-NXDOMAINGeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rcode","meta":{"title":"SN-DNS-Rcode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rdata","meta":{"title":"SN-DNS-Rdata","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rrname","meta":{"title":"SN-DNS-Rrname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rrtype","meta":{"title":"SN-DNS-Rrtype","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-SshOverTime","meta":{"title":"SN-DNS-SshOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20DestIP","meta":{"title":"SN-DNS-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20DestPort","meta":{"title":"SN-DNS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20SrcIP","meta":{"title":"SN-DNS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20SrcPort","meta":{"title":"SN-DNS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Type","meta":{"title":"SN-DNS-Type","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Dest_ports","meta":{"title":"SN-Dest_ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-EventTypeOverTimeAll","meta":{"title":"SN-EventTypeOverTimeAll","icon":"visualizeApp"}},{"type":"visualization","id":"SN-EventTypeOverTimeExcept-StatsAndFlow","meta":{"title":"SN-EventTypeOverTimeExcept-StatsAndFlow","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByGeoCityByType","meta":{"title":"SN-FILE-ByGeoCityByType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByProtoByHostnameServed","meta":{"title":"SN-FILE-ByProtoByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByTypeOverTime","meta":{"title":"SN-FILE-ByTypeOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-EventsOverTime","meta":{"title":"SN-FILE-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-FileSizeByExtention","meta":{"title":"SN-FILE-FileSizeByExtention","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-GeoIP","meta":{"title":"SN-FILE-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-GeoIPPDFAndExecutables","meta":{"title":"SN-FILE-GeoIPPDFAndExecutables","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20DestIP","meta":{"title":"SN-FILE-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20DestPort","meta":{"title":"SN-FILE-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20SrcIP","meta":{"title":"SN-FILE-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20SrcPort","meta":{"title":"SN-FILE-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-count","meta":{"title":"SN-Files count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-informations-details","meta":{"title":"SN-Files informations details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-informations-over-time","meta":{"title":"SN-Files informations over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-protocols","meta":{"title":"SN-Files protocols","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Flow-unique-count-of-src-and-dst-IP","meta":{"title":"SN-Flow unique count of src and dst IP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncoding","meta":{"title":"SN-HTTP-AcceptEncoding","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncodingByConnection","meta":{"title":"SN-HTTP-AcceptEncodingByConnection","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncodingByHost","meta":{"title":"SN-HTTP-AcceptEncodingByHost","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-CacheControl","meta":{"title":"SN-HTTP-CacheControl","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-ContentTypeByAplication","meta":{"title":"SN-HTTP-ContentTypeByAplication","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-EventsOverTime","meta":{"title":"SN-HTTP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-GeoIP","meta":{"title":"SN-HTTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Servers","meta":{"title":"SN-HTTP-Servers","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-StatusCode","meta":{"title":"SN-HTTP-StatusCode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Top-hostnames","meta":{"title":"SN-HTTP Top hostnames","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Top-user-agents","meta":{"title":"SN-HTTP Top user agents","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgenOSMethodContent","meta":{"title":"SN-HTTP-UserAgenOSMethodContent","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentDevices","meta":{"title":"SN-HTTP-UserAgentDevices","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentMajor","meta":{"title":"SN-HTTP-UserAgentMajor","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentMinor","meta":{"title":"SN-HTTP-UserAgentMinor","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentName","meta":{"title":"SN-HTTP-UserAgentName","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentOS","meta":{"title":"SN-HTTP-UserAgentOS","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentOSName","meta":{"title":"SN-HTTP-UserAgentOSName","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentPatch","meta":{"title":"SN-HTTP-UserAgentPatch","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Vary","meta":{"title":"SN-HTTP-Vary","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-bandwidth","meta":{"title":"SN-HTTP bandwidth","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-events-over-time","meta":{"title":"SN-HTTP events over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-lengths","meta":{"title":"SN-HTTP lengths","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-methods","meta":{"title":"SN-HTTP methods","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-protocols","meta":{"title":"SN-HTTP protocols","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-referrals","meta":{"title":"SN-HTTP referrals","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-response-by-hostname","meta":{"title":"SN-HTTP response by hostname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-size","meta":{"title":"SN-HTTP size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-status","meta":{"title":"SN-HTTP status","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-status-by-hostname","meta":{"title":"SN-HTTP status by hostname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-top-referrals","meta":{"title":"SN-HTTP top referrals","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-total-size","meta":{"title":"SN-HTTP total size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-transactions-count","meta":{"title":"SN-HTTP transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-transactions-details","meta":{"title":"SN-HTTP transactions details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Map","meta":{"title":"SN-Map","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Mean-flow-age-and-count","meta":{"title":"SN-Mean flow age and count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-ALERTEventsOverTime","meta":{"title":"SN-PerVLAN-ALERTEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-DNSEventsOverTime","meta":{"title":"SN-PerVLAN-DNSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-FILETransEventsOverTime","meta":{"title":"SN-PerVLAN-FILETransEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-HTTPEventsOverTime","meta":{"title":"SN-PerVLAN-HTTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SMTPEventsOverTime","meta":{"title":"SN-PerVLAN-SMTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SSHEventsOverTime","meta":{"title":"SN-PerVLAN-SSHEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-TLSEventsOverTime","meta":{"title":"SN-PerVLAN-TLSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Proto-app_proto","meta":{"title":"SN-Proto-app_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Protocol","meta":{"title":"SN-Protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-AttachmentsExtension","meta":{"title":"SN-SMTP-AttachmentsExtension","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-GeoIP","meta":{"title":"SN-SMTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-SmtpOverTime","meta":{"title":"SN-SMTP-SmtpOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestIP","meta":{"title":"SN-SMTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestPort","meta":{"title":"SN-SMTP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailApplications","meta":{"title":"SN-SMTP-Top20MailApplications","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailOrganisations","meta":{"title":"SN-SMTP-Top20MailOrganisations","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailSendingIPs","meta":{"title":"SN-SMTP-Top20MailSendingIPs","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcIP","meta":{"title":"SN-SMTP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcPort","meta":{"title":"SN-SMTP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLAN","meta":{"title":"SN-SMTP-Top20VLAN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLANsOverTime","meta":{"title":"SN-SMTP-Top20VLANsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20mail_from","meta":{"title":"SN-SMTP-Top20mail_from","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20rcpt_to","meta":{"title":"SN-SMTP-Top20rcpt_to","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientProtoVer","meta":{"title":"SN-SSH-ByClientProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientSoftwareVer","meta":{"title":"SN-SSH-ByClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerProtoVer","meta":{"title":"SN-SSH-ByServerProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerSoftwareVer","meta":{"title":"SN-SSH-ByServerSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Client-version","meta":{"title":"SN-SSH Client version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections","meta":{"title":"SN-SSH Connections","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-by-appliance","meta":{"title":"SN-SSH Connections by appliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-count","meta":{"title":"SN-SSH Connections count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-EventsOverTime","meta":{"title":"SN-SSH-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-GeoIP","meta":{"title":"SN-SSH-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Server-version","meta":{"title":"SN-SSH Server version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestIP","meta":{"title":"SN-SSH-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestPort","meta":{"title":"SN-SSH-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcIP","meta":{"title":"SN-SSH-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcPort","meta":{"title":"SN-SSH-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Transaction-Details","meta":{"title":"SN-SSH TransactionDetails","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-count","meta":{"title":"SN-SSH count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-count","meta":{"title":"SN-SSH transactionscount","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-over-time","meta":{"title":"SN-SSH transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Src-and-dst-IP-unique-count","meta":{"title":"SN-Src and dst IP unique count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-CapturedPktsVsGaps","meta":{"title":"SN-Stats-CapturedPktsVsGaps","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Decoder-Deltas","meta":{"title":"SN-Stats-Decoder-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderAvgMaxPktSize","meta":{"title":"SN-Stats-DecoderAvgMaxPktSize","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderBytes-Packets","meta":{"title":"SN-Stats-DecoderBytes-Packets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderProto-Deltas","meta":{"title":"SN-Stats-DecoderProto-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-EmergencyMode","meta":{"title":"SN-Stats-EmergencyMode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags","meta":{"title":"SN-Stats-Frags","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags-Deltas","meta":{"title":"SN-Stats-Frags-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-KernelPacketsAndDrops-Deltas","meta":{"title":"SN-Stats-KernelPacketsAndDrops-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Memcap-Deltas","meta":{"title":"SN-Stats-Memcap-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-TotalKernelPackets","meta":{"title":"SN-Stats-TotalKernelPackets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-ipv4-ipv6-fragments","meta":{"title":"SN-Stats-ipv4-ipv6-fragments","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-memuse-Deltas","meta":{"title":"SN-Stats-memuse-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Syn-SynAck-Rst","meta":{"title":"SN-Syn-SynAck-Rst","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByIssuerdn","meta":{"title":"SN-TLS-ByIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-BySni","meta":{"title":"SN-TLS-BySni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-BySubject","meta":{"title":"SN-TLS-BySubject","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByVersionBySni","meta":{"title":"SN-TLS-ByVersionBySni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-EventsOverTime","meta":{"title":"SN-TLS-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-GeoIP","meta":{"title":"SN-TLS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-TCP-ports","meta":{"title":"SN-TLS TCP ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestIP","meta":{"title":"SN-TLS-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestPort","meta":{"title":"SN-TLS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcIP","meta":{"title":"SN-TLS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcPort","meta":{"title":"SN-TLS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-certificates-issuers-and-subjects","meta":{"title":"SN-TLS certificates issuers and subjects","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-fingerprints","meta":{"title":"SN-TLS fingerprints","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-by-appliance","meta":{"title":"SN-TLS transactions byappliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-count","meta":{"title":"SN-TLS transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-over-time","meta":{"title":"SN-TLS transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-table","meta":{"title":"SN-TLS transactions table","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-versions","meta":{"title":"SN-TLS versions","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timeline","meta":{"title":"SN-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Category","meta":{"title":"SN-Timelion-Alert-Category","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Country","meta":{"title":"SN-Timelion-Alert-Country","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Severity","meta":{"title":"SN-Timelion-Alert-Severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NULL","meta":{"title":"SN-Timelion-DNS-NULL","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NXDOMAIN","meta":{"title":"SN-Timelion-DNS-NXDOMAIN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-TXT","meta":{"title":"SN-Timelion-DNS-TXT","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-slash-request-slash-reply","meta":{"title":"SN-Timelion-DNS/request/reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Flow-App_proto","meta":{"title":"SN-Timelion-Flow-App_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-slash-DNS-slash-SMTP","meta":{"title":"SN-Timelion-HTTP/DNS/SMTP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-statuscode-522-slash-523-slash-0","meta":{"title":"SN-Timelion-HTTP-statuscode-522/523/0","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-ICMP-request-reply","meta":{"title":"SN-Timelion-ICMP-request-reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-IPv4-slash-IPv6","meta":{"title":"SN-Timelion-IPv4/IPv6","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-PPS-slash-Alerts","meta":{"title":"SN-Timelion-PPS/Alerts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-S-slash-SA-slash-R","meta":{"title":"SN-Timelion-S/SA/R","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-SSH-slash-TLS-slash-DNP3","meta":{"title":"SN-Timelion-SSH/TLS/DNP3","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Signatures","meta":{"title":"SN-Timelion-Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-TCP-slash-UDP-flows","meta":{"title":"SN-Timelion-TCP/UDP-flows","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-host","meta":{"title":"SN-Timelion-host","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountry","meta":{"title":"SN-TopDestPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountryByCity","meta":{"title":"SN-TopDestPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDstIPDstPort","meta":{"title":"SN-TopDstIPDstPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcIPSrcPort","meta":{"title":"SN-TopSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountry","meta":{"title":"SN-TopSrcPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountryByCity","meta":{"title":"SN-TopSrcPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Traffic-events-type-timeline","meta":{"title":"SN-Traffic events type timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Urls-visited","meta":{"title":"SN-Urls visited","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-ByEventType","meta":{"title":"SN-VLAN-ByEventType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-Top20VLANsUsed","meta":{"title":"SN-VLAN-Top20VLANsUsed","icon":"visualizeApp"}},{"type":"visualization","id":"a17b9ea0-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Authentication-Sectype","icon":"visualizeApp"}},{"type":"visualization","id":"a1aa05e0-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByType","icon":"visualizeApp"}},{"type":"visualization","id":"a6376820-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"a987de80-1cdf-11ea-9ee1-11f0d2cd99c4","meta":{"title":"SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"aa00adb0-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"aa0139c0-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ab975d80-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DNS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"acba4210-c1d6-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"ae49bf50-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ae4b74f0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Filename","icon":"visualizeApp"}},{"type":"visualization","id":"af7f6010-c1d7-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByHTTPByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"af89b340-734b-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Code","icon":"visualizeApp"}},{"type":"visualization","id":"b1b33d60-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"b6471090-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"b6867ae0-c193-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-VerMajMinor","icon":"visualizeApp"}},{"type":"visualization","id":"b85da310-d332-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-Count","icon":"visualizeApp"}},{"type":"visualization","id":"b9784930-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-ServerGUID","icon":"visualizeApp"}},{"type":"visualization","id":"bb4f69c0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-IKEv2-Total","icon":"visualizeApp"}},{"type":"visualization","id":"bbf76020-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"bd453c20-735f-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"be131f50-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"be29a460-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientBuild","icon":"visualizeApp"}},{"type":"visualization","id":"c05711b0-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByIndicators","icon":"visualizeApp"}},{"type":"visualization","id":"c1122430-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByFailedRequests","icon":"visualizeApp"}},{"type":"visualization","id":"c11cccc0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Routers-Servers","icon":"visualizeApp"}},{"type":"visualization","id":"c199c3d0-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"c2fc55d0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-File","icon":"visualizeApp"}},{"type":"visualization","id":"c3997530-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"c6659f50-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"c66d1450-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"c7d5e520-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SSH-Total","icon":"visualizeApp"}},{"type":"visualization","id":"c8657640-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"cdbbf0f0-caf3-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"cf040440-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Mode","icon":"visualizeApp"}},{"type":"visualization","id":"d13dacf0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Type","icon":"visualizeApp"}},{"type":"visualization","id":"d1427890-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d2061990-7d8c-11ea-af8c-954c77eacc8f","meta":{"title":"SN-TLS-ByJa3SHash","icon":"visualizeApp"}},{"type":"visualization","id":"d294cdf0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d39f5450-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d45f0ba0-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"d4b13740-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DHCP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"d5843f00-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"d5c45630-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d6358e70-73f4-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Usm","icon":"visualizeApp"}},{"type":"visualization","id":"d6720b50-c19b-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Releays","icon":"visualizeApp"}},{"type":"visualization","id":"dcd91fb0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Packet","icon":"visualizeApp"}},{"type":"visualization","id":"dd9b8e50-cb33-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-EventsOverTimeByVersion","icon":"visualizeApp"}},{"type":"visualization","id":"dec25e60-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientName","icon":"visualizeApp"}},{"type":"visualization","id":"dfe2a9f0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-HTTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"e20c8650-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrc","icon":"visualizeApp"}},{"type":"visualization","id":"e41ad0b0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"e4aa4cb0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-ConnUsernames","icon":"visualizeApp"}},{"type":"visualization","id":"e67a7c10-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipCode","icon":"visualizeApp"}},{"type":"visualization","id":"e7337e70-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByMsgType","icon":"visualizeApp"}},{"type":"visualization","id":"e7c2b5c0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea18f570-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea8a7000-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"eafe1a30-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"eb100030-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficLabel","icon":"visualizeApp"}},{"type":"visualization","id":"ec437ac0-c1ca-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Function","icon":"visualizeApp"}},{"type":"visualization","id":"ecbb25e0-74d7-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ede2f660-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByStatus","icon":"visualizeApp"}},{"type":"visualization","id":"eef848e0-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"f14a6010-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Server-Security-Failure","icon":"visualizeApp"}},{"type":"visualization","id":"f2024e50-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-TotalEvents","icon":"visualizeApp"}},{"type":"visualization","id":"f87379e0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"f9c21fc0-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fab31360-c1c8-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fcae7fd0-734a-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-EventsOverTimeByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"fd1577f0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"fde239e0-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByRealm","icon":"visualizeApp"}}],"errors":[{"type":"index-pattern","id":"92edee20-74c4-11ea-bb42-278f04c43ada","title":"logstash-sip-","meta":{"title":"logstash-sip-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"06e1e3c0-c1c7-11e8-9888-3f5bc9c31629","title":"logstash-smb-","meta":{"title":"logstash-smb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"770c39b0-c1c8-11e8-9888-3f5bc9c31629","title":"logstash-tftp-","meta":{"title":"logstash-tftp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"de695070-74c3-11ea-bb42-278f04c43ada","title":"logstash-rfb-","meta":{"title":"logstash-rfb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"e2f3d2c0-73e0-11ea-abd9-295bc1fa20bb","title":"logstash-snmp-","meta":{"title":"logstash-snmp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"35f3ece0-cae5-11e8-9f69-c36de0ada098","title":"logstash-nfs-","meta":{"title":"logstash-nfs-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"84c3b570-c190-11e8-9888-3f5bc9c31629","title":"logstash-dhcp-","meta":{"title":"logstash-dhcp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"036d9030-74eb-11ea-bb42-278f04c43ada","title":"logstash-rdp-","meta":{"title":"logstash-rdp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"defa6c90-cae7-11e8-9f69-c36de0ada098","title":"logstash-krb5-","meta":{"title":"logstash-krb5-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"cc5489c0-06e2-11eb-bd80-0b9cf2e814b3","title":"logstash-mqtt-","meta":{"title":"logstash-mqtt-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"fed9ba80-7319-11ea-b5dd-05bd1e5fbf82","title":"logstash-anomaly-","meta":{"title":"logstash-anomaly-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-flow-","title":"logstash-flow-","meta":{"title":"logstash-flow-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-fileinfo-","title":"logstash-fileinfo-","meta":{"title":"logstash-fileinfo-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"699cedb0-d31b-11e8-8a07-17cc065d3fe1","title":"logstash-dnp3-","meta":{"title":"logstash-dnp3-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-tls-","title":"logstash-tls-","meta":{"title":"logstash-tls-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-alert-","title":"logstash-alert-","meta":{"title":"logstash-alert-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-ssh-","title":"logstash-ssh-","meta":{"title":"logstash-ssh-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-http-","title":"logstash-http-","meta":{"title":"logstash-http-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"769209d0-c18a-11e8-9888-3f5bc9c31629","title":"logstash-ikev2-","meta":{"title":"logstash-ikev2-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-smtp-","title":"logstash-smtp-","meta":{"title":"logstash-smtp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-","title":"logstash-","meta":{"title":"logstash-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-dns-","title":"logstash-dns-","meta":{"title":"logstash-dns-*","icon":"indexPatternApp"},"error":{"type":"conflict"}}]

pevma commented
alphaDev23 commented

Is there a way to load via curl to resolve the issue? Manual loading of saved objects is less than ideal given that the stack can, and often is, be torn down and re-created. I have added the curl commands to a bootstrap in logstash where these are best located.

pevma commented
alphaDev23 commented

I attempted to import visualizations.ndjson...received:

Sorry, there was an error
The file could not be processed due to error: "Failed to fetch"

pevma commented
pevma commented
alphaDev23 commented

Your suggestion appeared to resolve the issue but I'm now receiving errors in the at least the following dashboards:

HTTP
Could not locate that index-pattern-field (id: http.accept_encoding.keyword)
Could not locate that index-pattern-field (id: http.vary.keyword)

Alerts
Could not locate that index-pattern-field (id: vlan)
Could not locate that index-pattern-field (id: smtp.helo.keyword)

pevma commented

Maybe you dont have those logs/fileds for those visualizations ?
Can you share a record/log that has the fileds?

alphaDev23 commented

It appears that all the logs are in the logstash-flow- indexes. Is this correct or is there an issue with templates, etc?

pevma commented
alphaDev23 commented

I do have http traffic.

alphaDev23 commented

Any thoughts on the above? There are no logstash-http-* indexes in ES which is expected I believe in order for the SN-HTTP dashboard to work correctly. I only have 2 ES indexes related to the dashboards, logstash-flow-* and logstash-*

Is there anything additional needed to be added to filebeat.yml (below)?

input_type: log
    enabled: true
    paths:
        /var/log/suricata/eve.json

output.elasticsearch:
hosts: ["<ES_IP>:9200"]
pevma commented

Have you made any changes to the ES template - i can not think of any other reason, it is either that or there is actually no such traffic?
If you tcpdump - would there be http traffic on the sniffing interface?

alphaDev23 commented

I have not made any changes to the ES template. There is http traffic on the interface (on a router), internet facing, because I have a web server on the inside interface and I can connect to from an external IP.

pevma commented

Ok - (sorry did not understand) do you see that http traffic on the sniffing interface of SELKS with tcpdump ?

alphaDev23 commented

The traffic is from internet -> router (running suricata and filebeat) -> ELK stack. That is, suricata is storing the logs in the eve.json file and filebeat is shipping the logs to the ELK stack. The logstash-flow and logsstash indexes are being created. The logstash-http indexes are not.

Note, this was not an issue in the 6.x version.

pevma commented

Do you see the http with tcpdump on the sniffing interface, just confirming ?

alphaDev23 commented

Yes, there is both http and https traffic in tcpdump. I assume that the logstash-http captures both http and https. The website is accessible externally on both http and https. The traffic is showing in the eve.json file (actual IP addresses replaced with vars), e.g.

{"timestamp":"2021-01-17T13:25:05.000930+0000","flow_id":1534816133408444,"event_type":"flow","src_ip":"<IP>","src_port":443,"dest_ip":"<IP2>","dest_port":60804,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":0,"bytes_toserver":216,"bytes_toclient":0,"start":"2021-01-17T13:23:57.157372+0000","end":"2021-01-17T13:24:04.419029+0000","age":7,"state":"new","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"00","tcp_flags_ts":"00","tcp_flags_tc":"00"}}
pevma commented

Ok, thank you for the update.

Do you have a recent "event_type":"http" event in the eve.json you can share?

alphaDev23 commented

Here are 2, IP and DOMAIN are substituted for actual:

{"timestamp":"2021-01-20T16:38:52.910511+0000","flow_id":1809817020410129,"in_iface":"eth0","event_type":"http","src_ip":"124.156.102.27","src_port":48470,"dest_ip":"<IP>","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":302,"redirect":"https://<DOMAIN>/","length":220}}
{"timestamp":"2021-01-20T16:41:52.887344+0000","flow_id":1347197514852422,"in_iface":"eth0","event_type":"http","src_ip":"23.148.145.17","src_port":61745,"dest_ip":"<IP>","dest_port":443,"proto":"TCP","tx_id":0,"http":{"hostname":"","http_port":443,"url":"/","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":400,"length":362}}

pevma commented

ok , thank you for confirming.
Can you check the Kibana management if you have the indexes created for the different protocols in that case?

alphaDev23 commented

Yes, in Kibana all the indexes are created with different protocols including logstash-http-*

pevma commented

Ok so that seems correct.
So if you search for those logs above (you can simply search on the flow id 1809817020410129) you would find the logs in which dashboard?

alphaDev23 commented

These are not in any dashboard. The 'SN-HTTP' dashboard has a count of 0.

pevma commented

Can you show the output of
ls -lh /var/log/suricata/ - the owner should be the user logstash for eve.json. Is that so?

alphaDev23 commented

There is no logstash user on the router; Logstash is on a separate server. Filebeat is sending logs from eve.json to Elasticsearch.

The issue is occurring because there are no logstash-http-* indexes being created. This differs from what was occupying in V6 of the dashboards. I've modified filebeat.yml to the what is below but it is still not working; I believe because filebeat is not identifying "event_type" in the 'output.elasticsearch.index'. Note, the addition of the variables 'setup.template.', with the exception of 'setup.template.json.', is due to a filebeat bug. These should not be needed absent the bug. Thoughts on how filebeat can send the correct index to elasticsearch by using the the 'event_type' field.

filebeat.inputs:

  • input_type: log
    enabled: true
    paths:
    • /var/log/suricata/eve.json

output.elasticsearch:
hosts: ["<ELASTICSEARCH_DOMAIN_NAME>:9200"]
index: "logstash-%{[event_type]}-%{+yyyy.MM.dd}"

setup.template:
enabled: true
name: logstash
pattern: no-name-*
overwrite: true
json:
enabled: true
path: "/etc/filebeat/elasticsearch7-template.json"

pevma commented

Do you have default SELKS or you have made customizations?

alphaDev23 commented

I'm not using SELKS in the architecture. The router is running suricata and filebeat which sends the logs an ELK stack. Actually, in this case, Logstash is not needed since the filebeat logs are going direct to Elasticsearch.

pevma commented

I was not aware of that - that you are not using selks but a custom set up - the troubleshooting will be totally different in that case.You should look at the logstash template for SELKS and use a similar approach.

keatonLiu commented

I had the same issue, but I fixed it by changing the index pattern script code of the EveBox in logstash-alert-*. It simply because the script does not check the missing field or missing value.
if(doc.containsKey('flow_id') && doc['flow_id'].size()>0){ return doc['flow_id'].value }
Then it works fine.