I want to visualize my honeypot data by showing the source IP connection to destination port. Not necessarily for analysis or drill-downs, just for a visualization. I want to show all connections for all source IPs and all ports. Is there a query that can show the entire network?
Graph was designed to find non-obvious relationships in data, so I don't think there's really a way to use it to show all connections. The only suggestion I have is to go into the Graph settings and try changing the Certainty from the default value of 3 down to 1 and see if that shows more relationships (but it still may not show all).
Yes, but you'll need to tweak some settings - see the 3 suggestions here: https://www.elastic.co/guide/en/kibana/6.0/graph-troubleshooting.html#_why_are_results_missing
In addition, it is worth noting that if you have a lot of data, the graph analysis is performed on a sample of the data. While that sample could be large, it might not represent all of the data and could just be dominated by records from only one pair of vertices (e.g. an IP address hitting port 80 10 million times). This would give a graph with only 2 vertices. To ensure your samples aren't dominated by a chatty pair you should use the diversification feature to look across many communicating pairs in your example. This will give better coverage and more vertices on-screen. I would recommend diversifying on a keyword field that contains a communicating pair's IDs, sorted, e.g. the value A->B would cover all docs where A called B or B called A. An example script to build that sort of index is here.
The settings in the Kibana GUI would look something like this:
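As an added example (not from the thread, and not Elastic's own script or tooling), the Python below builds the sorted A->B pair key described in the reply above and simulates why a plain sample of honeypot hits collapses to two vertices while a per-pair diversified sample does not. The field names, IP addresses and the honeypot records are constructed for the demonstration.

```python
"""Canonical pair keys and diversified sampling for honeypot connection logs.

Added example: simulates the Graph sampling behaviour described in the thread
on a constructed honeypot log, using hypothetical field names src_ip/dst_ip/dst_port.
"""
from collections import defaultdict

def pair_key(ip_a: str, ip_b: str) -> str:
    """Direction-independent key: the same 'A->B' for A calling B and B calling A."""
    lo, hi = sorted((ip_a, ip_b))
    return f"{lo}->{hi}"

def add_pair_key(doc: dict) -> dict:
    """Return a copy of the record with the keyword field the graph would diversify on."""
    return {**doc, "pair": pair_key(doc["src_ip"], doc["dst_ip"])}

def plain_sample(docs: list, size: int) -> list:
    """Undiversified sample: just the first `size` records (chatty pair dominates)."""
    return docs[:size]

def diversified_sample(docs: list, size: int, max_per_pair: int) -> list:
    """Keep at most `max_per_pair` records per pair key, up to `size` records in total."""
    seen = defaultdict(int)
    out = []
    for doc in map(add_pair_key, docs):
        if seen[doc["pair"]] < max_per_pair:
            seen[doc["pair"]] += 1
            out.append(doc)
            if len(out) == size:
                break
    return out

def vertices(docs: list) -> set:
    """Graph vertices as the question wants them: source IPs and destination ports."""
    found = set()
    for doc in docs:
        found.add(("ip", doc["src_ip"]))
        found.add(("port", doc["dst_port"]))
    return found

# Constructed honeypot log: one scanner hammers port 80 a thousand times,
# then a handful of other hits, one of them in the reverse direction.
HONEYPOT = [{"src_ip": "203.0.113.5", "dst_ip": "192.0.2.10", "dst_port": 80}] * 1000
HONEYPOT += [
    {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "dst_port": 22},
    {"src_ip": "198.51.100.8", "dst_ip": "192.0.2.10", "dst_port": 445},
    {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "dst_port": 3389},
]

if __name__ == "__main__":
    print("plain sample vertices:", len(vertices(plain_sample(HONEYPOT, 100))))
    print("diversified vertices: ", len(vertices(diversified_sample(HONEYPOT, 100, 5))))
```

With a sample size of 100 the plain sample never reaches the later records, so only the scanner IP and port 80 appear; capping each pair key at 5 records leaves room for every other pair.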