bm11100
November 24, 2021, 4:03pm
1
Hello,
We have some Firewall data, that when viewed in the timeline, I'd expect the Flow row renderer to pick up and "beautify". I've attached a portion of the data for an example.
Can someone explain why this would not render?
Hey @bm11100 thanks for your question!
For the row renderers to work, the dataset needs to match the criteria for one of the renderers. The renderers are here:
import { threatMatchRowRenderer } from './cti/threat_match_row_renderer';
import { reasonColumnRenderer } from './reason_column_renderer';
// The row renderers are order dependent and will return the first renderer
// which returns true from its isInstance call. The bottom renderers which
// are netflowRenderer and plainRowRenderer are the most accepting where
// netflowRowRenderer returns true on any netflow related data set including
// Suricata and Zeek which is why Suricata and Zeek are above it. The
// plainRowRenderer always returns true to everything which is why it always
// should be last.
export const defaultRowRenderers: RowRenderer[] = [
threatMatchRowRenderer,
...auditdRowRenderers,
...systemRowRenderers,
suricataRowRenderer,
zeekRowRenderer,
netflowRowRenderer,
];
export const columnRenderers: ColumnRenderer[] = [
reasonColumnRenderer,
Could you share one of the firewall events?
For example for the event to match the netflow renderer it must have the following criteria met:
event.category must equal network_traffic and event.action must equal network_flow or netflow_flow.
bm11100
November 29, 2021, 9:48pm
3
Thanks @Jonathan_Buttner , that is super helpful! We don't have those fields mapped in that way, so that would explain it.
