Kibana ECS Dashboards

Gosborne · July 27, 2021, 9:12am

Does anyone know if it's possible to create dashboards using the elastic common schema and not be restricted to logstash or filebeat logs?

We currently have the majority of our data comming in via logstash (logs-) however have just configured the AWS filebeat module for CloudTrail (filebeat-). I was wondering if it's possible to create dashboards based on ecs, such as a breakdown of all event.datasets we have or a simple count of logs over time based on ECS fields not just looking at top level indexes.

The other thing that i've been trying to do, which i know is not possible is create custom dashboard from the siem indexes. not sure the best place to raise that as a feature request as it would be really useful to be able to create dashboards for things such as which MITRE techniques are seen in detections and other metrics (mean time to resolve for example).

Felix_Roessel · July 27, 2021, 7:45pm

Yes thats possible.
Every kind of data can be used for a dashboard. The common problem is to find an index name that works for many different users.
Thatswhy ECS dashboards usually use beats data as data source.

Gosborne · July 28, 2021, 7:14am

Thank you for your reply.

So are you saying that the best idea is to modify the target indexes so that all our data goes into a standard index format, i.e. logs-standard-*.

Felix_Roessel · July 28, 2021, 7:48am

Exactly. That's the way Elastic is designing also the pre built dashboards from Fleet.

system · August 25, 2021, 7:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.