Adding visual alerts on my Kibana Dashboards

DK1206 · July 30, 2018, 11:33am

Dear Elastic Community,

I have set-up my ElasticStack with having WinLogbeat and Packetbeat running through my logstash. I custmoized my Sysmon (winlogbeat) dashboard and I used some default templates for Packetbeat one.

Now I would like to add some alerts to my ES. My goal is to get as close as possible to SIEM with my ES. Now that I have some data and visuals flowing on my Kibana, I am missing some alerts that would stand out.

I would like to have some icon notification either in Dashboards or in Discover tab, that would notify me that this is is a possible incident / threat (for e.g. a red triangle (if severity is high) next to some output data).

Of course I tried browsing for it and I ran into ElastAlert. I tried that one, but if I understood it correct, it would notify me only on my e-mail (if I configured the rule so) whether a hit would be made. I am seeking for a solution that can do that too + can be displayed on my Kibana Dashboard.

EXAMPLE:
WinLogbeat detects a cmd.exe execution. I define that as a threat. Now once logstash forwards that to ElasticSearch, I want that Kibana displays that index as an alert (red triangle next to logdata, red text,..whatever, something to stand out among all those other logs).

Is there any other idea on how to implement such a thing?

Thanks

Brandon_Kobel · July 30, 2018, 5:27pm

Hey @DK1206, this sounds like a great candidate for Watcher and the e-mail and index actions.

Using Watcher, you can detect specific events occurring and then have it send an e-mail and index a document specifying what happened. After the document is indexed, you can integrate this to be displayed in the Kibana Dashboard a number of ways. You could create a Visualization that simply lists these alerts, or you can use Time Series Visual Builder's annotations to overlay this information on a specific chart.

DK1206 · July 30, 2018, 6:09pm

Hey Brandon! Thanks for your reply. Is Watcher also free to use tools? I forgot to mention I am trying to build my stack with free / opensource tools.

Best,
D

Brandon_Kobel · July 30, 2018, 6:11pm

Hey @DK1206, unfortunately Watcher/Alerting is part of our Gold subscription currently so it's not free/OSS.

DK1206 · July 30, 2018, 6:18pm

Do you perhaps know any OpenSource alternatives for what I am seeking for? I know something 3rd party wont integrate as nicely as your solution for my stack - but maybe if I put effort .

Brandon_Kobel · July 30, 2018, 6:19pm

Hey @DK1206 I'm not aware of anything, but other community members might be able to chime in with what they're doing.

Topic		Replies	Views
Alerts from Kibana/ES Elasticsearch	7	4018	July 6, 2017
X-Pack Watcher Alert Display on Kibana Dashboard Kibana	2	395	June 6, 2019
Can we integrate Watcher with Kibana Elasticsearch elastic-stack-alerting	5	4997	July 6, 2017
Create Alerting in Kibana using API Kibana elastic-stack-alerting	6	554	December 12, 2020
Can I add alerts to a dashboard? Kibana elastic-stack-alerting , dashboard	5	1132	April 17, 2024

Adding visual alerts on my Kibana Dashboards

Related topics