Timelines Event Renderer - Why I don't see this in my timeline

hilo21 · May 6, 2020, 4:47am

So, I was parsing Fortigate events in a compliant way to ECS with some enrichment by adding categorization fields with logstash but instead of getting this :

I get this :

Even though I respected categorization field in the event mapping to the ECS documentation :

Here is a small part my logstash ECS mapping :

if "utm" in [type] and "1059028704" in [logid] {
                        if "pass" in [action] {
                                mutate {
                                add_tag => [ "utm" ]
                                add_field => { "event.module" => "UTM" }
                                add_field => { "observer.type" => "firewall" }
                                add_field => { "event.kind" => "event" }
                                add_field => { "event.category" => "network" }
                                add_field => { "event.code" => "Utm Allowed" }
                                add_field => { "event.id" => "1059028704" }
                                add_field => { "event.type" => "allowed" }
                                add_field => { "event.outcome" => "success" }
                                }
                        } else if "block" in [action] {
                                mutate {
                                add_tag => [ "utm" ]
                                add_field => { "event.module" => "UTM" }
                                add_field => { "observer.type" => "firewall" }
                                add_field => { "event.kind" => "event" }
                                add_field => { "event.category" => "network" }
                                add_field => { "event.code" => "Utm Denied" }
                                add_field => { "event.id" => "1059028704" }
                                add_field => { "event.type" => "denied" }
                                add_field => { "event.outcome" => "failure" }
                                }
                        }
mutate {

                        lowercase => [ "service" ]
                        lowercase => [ "app" ]
                        copy => { "srcip" => "source.ip" }
                        copy => { "dstip" => "destination.ip" }
                        #rename => { "xauthuser" => "user.name" }
                        #rename => { "vpntunnel" => "group.id" }
                        rename => { "logid" => "event.id" }
                        rename => { "devname" => "observer.hostname" }
                        rename => { "dir" => "netowrk.direction" }
                        rename => { "status" => "event.outcome" }
                        rename => { "srcport" => "source.port" }
                        rename => { "dstport" => "destination.port" }
                        rename => { "srcintf" => "observer.ingress.interface.name" }
                        rename => { "dstintf" => "observer.egress.interface.name" }
                        rename => { "sentbyte" => "source.bytes" }
                        rename => { "rcvdbyte" => "destination.bytes" }
                        rename => { "sentpkt" => "source.packets" }
                        rename => { "rcvdpkt" => "destination.packets" }
                        rename => { "proto" => "network.iana_number" }
                        #copy => { "service" => "service.type" }
                        copy => { "service" => "network.protocol" }
                        rename => { "action" => "event.action" }
                        rename => { "app" => "network.application" }
                        rename => { "url" => "url.path" }
                        rename => { "hostname" => "url.domain" }
                }

Am I missing some fields ? can you provide extra info about this since there is no way to inspect what timelines request are like unlike the other visualizations.

Thank you

hilo21 · May 6, 2020, 5:13am

Okey this was quick , I found a reddit answer for this :

I changed my event.category from network to network_traffic and it solved the issue. I wonder why though ?

Xavier_Mouligneau · May 6, 2020, 11:26am

Hi Hilo21,

Great that you find a solution to your problem, I just wanted to add that you can inspect the query of timeline by clicking on the gear>inspect, you will be able to inspect the query if you have a valid/working query in timeline.

hilo21 · May 6, 2020, 9:14pm

Thanks Xavier, very helpful

system · June 3, 2020, 9:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timeline result of events not showing SIEM	9	1365	June 24, 2021
Windows event classification mapping - is there a source for this? Logstash	3	397	April 6, 2022
Trying to be ECS compliance in order to have visual analysis. It's hard! Help needed Logstash	1	211	September 21, 2021
Error Events with ">" Logstash	2	197	March 22, 2023
Useragent filter plugin fields don't match ECS Logstash	6	1450	June 5, 2019

Timelines Event Renderer - Why I don't see this in my timeline

Related topics