{ "annotations": { "list": [ { "builtIn": 1, "datasource": "-- Grafana --", "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, 1)", "name": "Annotations & Alerts", "target": { "limit": 100, "matchAny": false, "tags": [], "type": "dashboard" }, "type": "dashboard" } ] }, "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, "id": 23, "iteration": 1644864155168, "links": [], "liveNow": false, "panels": [ { "collapsed": false, "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 }, "id": 155, "panels": [], "title": "Suricata", "type": "row" }, { "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" } ] } }, "overrides": [] }, "gridPos": { "h": 5, "w": 7, "x": 0, "y": 1 }, "id": 373, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "/^_value$/", "values": false }, "text": {}, "textMode": "auto" }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_category\")\r\n |> map(fn: (r) => ({ r with _count: r[\"_value\"]}))\r\n |> group(columns: [\"_value\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:1)", "refId": "A" } ], "title": "Top Alert Category", "type": "stat" }, { "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" }, { "color": "red", "value": 80 } ] } }, "overrides": [] }, "gridPos": { "h": 5, "w": 3, "x": 7, "y": 1 }, "id": 463, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "/^src_ip$/", "limit": 1, "values": true }, "textMode": "auto" }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_category\")\r\n |> map(fn: (r) => ({ r with _count: r[\"src_ip\"]}))\r\n |> group(columns: [\"src_ip\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:1)", "refId": "A" } ], "title": "Top Source IP", "type": "stat" }, { "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "mappings": [] }, "overrides": [] }, "gridPos": { "h": 9, "w": 7, "x": 10, "y": 1 }, "id": 419, "options": { "legend": { "displayMode": "table", "placement": "right", "values": [ "value" ] }, "pieType": "pie", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": true }, "tooltip": { "mode": "single" } }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_category\")\r\n |> map(fn: (r) => ({ r with _count: r[\"dest_port\"]}))\r\n |> group(columns: [\"dest_port\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n: 10)", "refId": "A" } ], "title": "Top 10 Destination Ports", "type": "piechart" }, { "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "mappings": [] }, "overrides": [] }, "gridPos": { "h": 9, "w": 7, "x": 17, "y": 1 }, "id": 507, "options": { "displayLabels": [], "legend": { "displayMode": "table", "placement": "right", "sortBy": "Value", "sortDesc": true, "values": [ "value" ] }, "pieType": "pie", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": true }, "tooltip": { "mode": "single" } }, "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"proto\")\r\n |> map(fn: (r) => ({ r with _count: r[\"_value\"]}))\r\n |> group(columns: [\"_value\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])", "refId": "A" } ], "title": "Protocols", "type": "piechart" }, { "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" }, { "color": "red", "value": 80 } ] } }, "overrides": [] }, "gridPos": { "h": 4, "w": 7, "x": 0, "y": 6 }, "id": 375, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "/^_value$/", "values": true }, "textMode": "auto" }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_signature\")\r\n |> map(fn: (r) => ({ r with _count: r[\"_value\"]}))\r\n |> group(columns: [\"_value\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:1)", "refId": "A" } ], "title": "Top Alert Signature", "type": "stat" }, { "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" }, { "color": "red", "value": 80 } ] } }, "overrides": [] }, "gridPos": { "h": 4, "w": 3, "x": 7, "y": 6 }, "id": 551, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "/^dest_ip$/", "values": false }, "textMode": "auto" }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_category\")\r\n |> map(fn: (r) => ({ r with _count: r[\"dest_ip\"]}))\r\n |> group(columns: [\"dest_ip\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:1)", "refId": "A" } ], "title": "Top Destination IP", "type": "stat" }, { "description": "", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "displayName": "${__field.labels.__values}", "mappings": [] }, "overrides": [] }, "gridPos": { "h": 9, "w": 10, "x": 0, "y": 10 }, "id": 285, "options": { "displayLabels": [], "legend": { "displayMode": "table", "placement": "right", "values": [ "value" ] }, "pieType": "pie", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": true }, "tooltip": { "mode": "single" } }, "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_category\")\r\n |> map(fn: (r) => ({ r with _count: r[\"_value\"]}))\r\n |> group(columns: [\"_value\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:10)", "refId": "A" } ], "title": "Top 10 Alert Categories", "transformations": [], "type": "piechart" }, { "description": "", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "hideFrom": { "legend": false, "tooltip": false, "viz": false } }, "displayName": "${__field.labels.__values}", "mappings": [] }, "overrides": [ { "__systemRef": "hideSeriesFrom", "matcher": { "id": "byNames", "options": { "mode": "exclude", "names": [ "_count", "ET INFO Session Traversal Utilities for NAT (STUN Binding Response)" ], "prefix": "All except:", "readOnly": true } }, "properties": [ { "id": "custom.hideFrom", "value": { "legend": false, "tooltip": false, "viz": true } } ] } ] }, "gridPos": { "h": 9, "w": 14, "x": 10, "y": 10 }, "id": 329, "options": { "displayLabels": [], "legend": { "displayMode": "table", "placement": "right", "values": [ "value" ] }, "pieType": "pie", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "/^_count$/", "values": true }, "tooltip": { "mode": "single" } }, "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: \"opnsense\")\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_signature\")\r\n |> map(fn: (r) => ({ r with _count: r[\"_value\"]}))\r\n |> group(columns: [\"_value\"])\r\n |> count(column: \"_count\")\r\n |> group()\r\n |> sort(desc:true, columns: [\"_count\"])\r\n |> limit(n:10)", "refId": "A" } ], "title": "Top 10 Alert Signatures", "transformations": [], "type": "piechart" }, { "description": "Last 100 events, newest on top", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "custom": { "align": "left", "displayMode": "auto" }, "mappings": [], "thresholds": { "mode": "absolute", "steps": [ { "color": "green" } ] } }, "overrides": [ { "matcher": { "id": "byName", "options": "Metric" }, "properties": [ { "id": "custom.width", "value": 192 } ] }, { "matcher": { "id": "byName", "options": "Time" }, "properties": [ { "id": "custom.width", "value": 205 } ] }, { "matcher": { "id": "byName", "options": "Signature" }, "properties": [ { "id": "custom.width", "value": 432 } ] }, { "matcher": { "id": "byName", "options": "Source IP" }, "properties": [ { "id": "custom.width", "value": 203 } ] }, { "matcher": { "id": "byName", "options": "Source Port" }, "properties": [ { "id": "custom.width", "value": 242 } ] }, { "matcher": { "id": "byName", "options": "Destination IP" }, "properties": [ { "id": "custom.width", "value": 394 } ] } ] }, "gridPos": { "h": 8, "w": 24, "x": 0, "y": 19 }, "id": 241, "options": { "footer": { "fields": "", "reducer": [ "sum" ], "show": false }, "frameIndex": 0, "showHeader": true, "sortBy": [] }, "pluginVersion": "8.3.3", "targets": [ { "datasource": { "type": "influxdb", "uid": "${dataSource}" }, "query": "from(bucket: v.defaultBucket)\r\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\r\n |> filter(fn: (r) => r[\"_measurement\"] == \"suricata\")\r\n |> filter(fn: (r) => r[\"_field\"] == \"alert_signature\")\r\n |> group()\r\n |> sort(columns: [\"_time\"], desc: true)\r\n |> limit(n:100)", "refId": "A" } ], "title": "Alert Logs", "transformations": [ { "id": "labelsToFields", "options": { "keepLabels": [ "dest_ip", "dest_port", "src_ip", "src_port" ] } }, { "id": "organize", "options": { "excludeByName": { "_field": true, "_measurement": true, "event_type": true, "host": true, "path": true }, "indexByName": { "_field": 6, "_measurement": 7, "_time": 0, "_value": 1, "dest_ip": 4, "dest_port": 5, "event_type": 8, "host": 9, "path": 10, "src_ip": 2, "src_port": 3 }, "renameByName": { "_time": "Time", "_value": "Alert Signature", "alert_signature": "Signature", "dest_ip": "Destination IP", "dest_port": "Destination Port", "src_ip": "Source IP", "src_port": "Source Port" } } }, { "id": "sortBy", "options": { "fields": {}, "sort": [ { "desc": true, "field": "Time" } ] } } ], "type": "table" } ], "schemaVersion": 34, "style": "dark", "tags": [], "templating": { "list": [ { "current": { "selected": false, "text": "InfluxDB", "value": "InfluxDB" }, "hide": 0, "includeAll": false, "label": "InfluxDB", "multi": false, "name": "dataSource", "options": [], "query": "influxdb", "refresh": 1, "regex": "", "skipUrlSync": false, "type": "datasource" } ] }, "time": { "from": "now-5m", "to": "now" }, "timepicker": {}, "timezone": "", "title": "OPNsense Suricata", "uid": "94raP_-7z", "version": 5, "weekStart": "" }