Help with visualization

ManuelF · May 12, 2020, 3:26pm

Hi,

*Current version ELK 6.8.8

I am using ELK + Suricata. I am trying to build a visualization in Kibana to filter the alerts received from index "logstash-alert-*". All alerts are received, but I would like to have a few visualization to show only the data related to "Brute Force attacks", or "Ransomware attacks", or "C&C attacks" for just giving some examples.

I tried adding a filter by field "alert.signature_id". This worked fine for cases when there are just a few rule IDs involved (1-20), but when I have 492 rule IDs related to a type of attack, that's too much to add each rule ID manually to the filter (still I tried and spent some time adding all the 492 rule IDs), plus I got an error saying it was a huge URL and system would not be able to process it.
Then I tried adding a filter by field "alert.signature" to search for keywords like "Botnet", "botnet", "Bot", etc. But the issue here is that not all the alerts related to "Botnet attacks" have some of the words in the field so I can add it, but still are that kind of attack and I need to add it somehow to the filter.
Can this be done in any other way that I am missing?
Can you point a good tutorial, preferable step by step?

Is it possible to hire technical support only services without buying a license?

Thank you

thomasneirynck · May 12, 2020, 9:03pm

Consider using a scripted-field. https://www.elastic.co/guide/en/kibana/6.8/scripted-fields.html

You would create a new field in the index-pattern that does this categorization for you. You can then use that new field with the category-value directly when building visualizations.

ManuelF · May 13, 2020, 5:34pm

It looks like I am not good at programming. This is what I have been trying to create, but keep getting errors:

   "type": "script_exception",
   "reason": "compile error",

Basically what I need is given a list of alert IDs, check if "doc['alert.signature_id'].value" match any and then return the pre-defined string value. In the example below all the IDs are related to Trojan type attacks and that's the filter I need to create.

A little help would be greatly appreciated.

def list = [2001553,2001904,2001906,2002842,2002992,2002993,2002994,2002995,2008230,2008362,2008453,2008454,2008455,2009346,2010494,2010642,2010643,2018253,2023019,2023304,2023901,2102275,2103152,2103273,2610252,2006435,2006546,2009830,2015023,2017309,2017310,2017311,2018689,2018755,2019876,2023815];

for(int i = 0; i < list.length; i++) {
if ( doc['alert.signature_id'].value == list[i].value) {
return "Trojan";
}
return "";
}

thomasneirynck · May 13, 2020, 5:59pm

I think you might want to initialize array differently:

something like:

int[] list = new int[] {2001553,2001904,2001906};

https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-operators-array.html#array-initialization-operator

For debugging painless-scripts, it might be easier to do this straight in the Kibana dev-console.

For an example:

see
https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-walkthrough.html#_accessing_doc_values_from_painless

Get your script field working there, and then copy paste it to the scripted-field UX of the index pattern.

ManuelF · May 13, 2020, 8:26pm

I appreciate the prompt response with so many details. I will be trying the way you advise and sharing feedback later.

PS: I was trying to work with the ID codes as strings, since I don't really need to calculate anything, but just match the string. I was using this as reference

https://www.elastic.co/guide/en/elasticsearch/reference/5.4/modules-scripting-painless-syntax.html

Thank you a lot!

ManuelF · May 13, 2020, 9:52pm

I have been working on this for hours. I keep getting the error "There's an error in your script", but I am unable to determine what is causing the error. I have checked every colon, semi colon, parenthesis, etc. Definitely Java or its derivatives are not my thing. Can you please help me to discover what might be the error in this super simple function?:

int[] list = new int[] {2001553,2001904,2001906};

for (int i=0; i<list.length; i++) {
     if (doc['alert.signature_id'].value == list[i].value) { 
         return "Trojan";
     }
     else {
           return "";
     }
}

Error details:

There's an error in your script

{
 "root_cause": [
  {
   "type": "script_exception",
   "reason": "compile error",
   "script_stack": [
    "... ure_id'].value == list[i].value) { \n         retur ...",
    "                             ^---- HERE"
   ],
   "script": "int[] list = new int[] {2001553,2001904,2001906};\n\nfor (int i=0; i<list.length; i++) {\n     if (doc['alert.signature_id'].value == list[i].value) { \n         return \"Trojan\";\n     }\n     else {\n           return \"\";\n     }\n}",
   "lang": "painless"
  },
  {
   "type": "script_exception",
   "reason": "compile error",
   "script_stack": [
    "... ure_id'].value == list[i].value) { \n         retur ...",
    "                             ^---- HERE"
   ],

Even tried the Dev Console, but still can't fix the error

system · June 10, 2020, 9:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.