Visualizations based on values

Hello all

I am trying to create a visualization based on AWS logs, where I want to count the number of hits on a specific host. The host information is within the JSON as below.

I tried all possible ways, but I cannot retrieve the host names (which are in the headers array, as `{ name: "Host", value: "host.com" }`).

Below is the full record. I would appreciate your suggestions and help with this.

Blockquote
{
"_index": "wazuh-alerts-4.xxxxxxxx",
"_type": "_doc",
"_id": "fkjsdlfjortiwur",
"_version": 1,
"_score": null,
"_source": {
"input": {
"type": "log"
},
"agent": {
"name": "wazuh",
"id": "000"
},
"manager": {
"name": "wazuh"
},
"data": {
"integration": "aws",
"aws": {
"terminatingRuleId": "CyberSecurityCloudInc-CyberSecurityCloud-HighSecurityOWASPSet-",
"terminatingRuleType": "MANAGED_RULE_GROUP",
"log_info": {
"s3bucket": "bucket",
"log_file": "log_file"
},
"ruleGroupList": [
{
"excludedRules": null,
"terminatingRule": null,
"nonTerminatingMatchingRules": ,
"ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList"
},
{
"excludedRules": null,
"terminatingRule": {
"ruleMatchDetails": null,
"action": "BLOCK",
"ruleId": "suspicious_access-url-001"
},
"nonTerminatingMatchingRules": ,
"ruleGroupId": "Cyber Security Cloud Inc.#CyberSecurityCloud-HighSecurityOWASPSet-"
}
],
"httpSourceId": "httpSourceID",
"source": "source",
"webaclId": "awebaclId",
"action": "BLOCK",
"rateBasedRuleList": ,
"httpRequest": {
"country": "CO",
"headers": [
{
"name": "Host",
"value": "host.com"
},
{
"name": "Accept-Encoding",
"value": "identity"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)"
}
],
"httpVersion": "HTTP/1.1",
"requestId": "requestId",
"clientIp": "1.1.1.1",
"httpMethod": "GET",
"uri": "/.git//index"
},
"httpSourceName": "SN",
"nonTerminatingMatchingRules": ,
"formatVersion": "1",
"terminatingRuleMatchDetails": ,
"timestamp": "1606978681385.000000"
}
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 3,
"description": "description",
"groups": [
"group"
],
"id": "11111"
},
"location": "location",
"decoder": {
"name": "json"
},
"id": "1606978871.6364322991",
"timestamp": "2020-12-03T10:01:11.913+0300"
},
"fields": {
"timestamp": [
"2020-12-03T07:01:11.913Z"
]
},
"highlight": {
"manager.name": [
"@kibana-highlighted-field@wazuh@/kibana-highlighted-field@"
],
"data.aws.httpRequest.headers.value": [
"@kibana-highlighted-field@field@/kibana-highlighted-field@"
]
},
"sort": [
1606978871913
]
}

Blockquote

Hi @Niranjan_Acharya,

I'd suggest first ingesting your data differently.
It would be easier to analyze your data if you had a separate host field in your documents: as an array of objects, `headers.name` and `headers.value` are indexed as two independent arrays, so the pairing between "Host" and its value is not available to the visualization.
for example:

{
 "headers.raw": [
{
"name": "Host",
"value": "host.com"
}...],
 headers.host: "host.com"
}

You can pre-process documents before indexing using ingest node: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html

If it is not possible to add these fields during ingestion, then you could try to extract them using scripted fields.
