{ "v": "1", "id": "af84f707-7473-4258-bb2a-9d9617247bdd", "rev": 21, "name": "Fortigate CEF Logs - Content Pack", "summary": "Stream and dashboards for Fortinet Fortigate CEF logs", "description": "# Fortigate CEF Logs - Graylog Content Pack\n\nThis [Graylog][graylog] content pack includes a stream and dashboards for Fortinet Fortigate Common Event Format (CEF) logs.\n\n## Streams\n\n### Fortigate CEF Logs\n\nRoutes CEF logs from Fortigates to the `Fortigate CEF Logs` Graylog index set.\n\n## Dashboards\n\n### Fortigate - Applications and Devices\n\nAnalysis of devices and application traffic.\n\nIncludes IP addresses, MAC addresses, device manufacturers, and application layer network traffic.\n\n### Fortigate - DNS Traffic\n\nDetails of DNS queries and responses.\n\nIncludes details of the query, response, action, and category.\n\n### Fortigate - IPS Alerts\n\nIntrusion Prevention System (IPS) alert details.\n\nIncludes signature, action, severity, source, and destination information.\n\n### Fortigate - Overview\n\nAn overview of incoming messages from Fortigates.\n\nIncludes Fortigate hostnames, serial numbers, and full message details.\n\n### Fortigate - SSL/TLS Interventions\n\nSSL/TLS actions taken by Fortigates.\n\nProvides records of when Fortigates intervened (with or without decrypting) in SSL/TLS traffic.\n\n### Fortigate - Web Traffic\n\nWeb traffic details.\n\nIncludes category, action, and more.\n\n## Searches\n\n### Fortigate CEF\n\nAll Fortigate CEF logs.\n\n## Graylog Setup\n\nEdit the Graylog server configuration file at `/etc/graylog/server/server.conf`. Locate the `allow_leading_wildcard_searches` and `allow_highlighting` options, and set both to `true`. Restart the Graylog server by running `sudo systemctl restart graylog-server.service`.\n\nImport the Content Pack into Graylog by navigating to System > Content Packs, clicking on the upload button, and uploading the Content Pack JSON file.\n\nIn Graylog, an Input accepts log traffic from a source and parses it. 
That data is sent to Streams, which filter and route log traffic to Index Sets. Index Sets manage the Elasticsearch indexes that Graylog uses as a backend.\n\nThe Stream that comes with this content pack is configured to route the logs to a separate Index Set called `Fortigate CEF Logs`. The content pack does not create that Index Set, so you need to create it yourself.\n\nNavigate to System > Indices, and create a new Index Set with a title of `Fortigate CEF Logs` and an index prefix of `fortigate_cef`. Then, click on Streams in the main navigation bar. Edit the `Fortigate CEF Logs` Stream and ensure it is configured to use the Index Set that you just created.\n\n**Important**: Leave the `Remove matches from ‘All messages’ stream` box checked, or the data will be duplicated across two Index Sets.\n\nCreate a CEF UDP **or** a CEF TCP input by navigating to System > Inputs as a Graylog administrator, and clicking on Launch New Input.\n\nBefore creating a CEF TCP input:\n\nEnsure that your certificate and key are readable by the user running Graylog. Otherwise, Graylog will create its own self-signed certificate (which Fortigates will not trust) without informing you in the web UI; the error is only recorded in `server.log`.\n\nIt is recommended to use a commercial external Certificate Authority (CA). Documentation contributions for using internal CAs would be appreciated. 
Documentation for using Let's Encrypt certificates is in progress.\n\nWhen creating a CEF TCP input that should use TLS, be sure to check the `Accept encrypted connections` checkbox.\n\n## Fortigate setup\n\nConfigure your Fortigates to send data to Graylog in CEF format by using the FortiOS [Command Line Interface (CLI)][CLI].\n\nIn the examples below, replace the server address and port with the address and port of your input.\n\n### Time zone\n\nTo simplify and unify log management, it is important that every firewall be configured to use the GMT timezone, which for logging purposes is equivalent to UTC.\n\n```fortios\nconfig system global\n set timezone 80\nend\n```\n\n### Log filtering\n\nBy default, logs sent to the syslog server are not filtered. To ensure that the Graylog Input receives all logs, make sure all log filter options are at their default settings.\n\n```fortios\nconfig log syslogd filter\n unset severity\n unset forward-traffic\n unset local-traffic\n unset multicast-traffic\n unset sniffer-traffic\n unset anomaly\n unset voip\nend\n```\n\n### CEF UDP\n\n**Warning**: UDP traffic is unencrypted.\n\n```fortios\nconfig log syslogd setting\n set status enable\n set server \"graylog.example.com\"\n set port 5555\n set format cef\n set mode udp\nend\n```\n\n### CEF TCP\n\n**Warning**: When using CEF TCP, the `server` setting **must** be set to the Graylog server's fully-qualified hostname, **not** its IP address.\n\n```fortios\nconfig log syslogd setting\n set status enable\n set server \"graylog.example.com\"\n set port 5555\n set format cef\n set mode reliable\nend\n```\n\n[graylog]: https://www.graylog.org/\n[CLI]: https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/445620/config-log-syslogd-setting\n", "vendor": "Sean Whalen - @seanthegeek", "url": "https://github.com/seanthegeek/graylog-fortigate-cef", "parameters": [], "entities": [ { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "b900b4e3-0448-427b-96cf-abbd3b47e4f0", "data": { "summary": { "@type": 
"string", "@value": "Web traffic details" }, "search": { "queries": [ { "id": "8c251406-7ec3-4259-ac68-43ad4fbc435a", "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "requestContext", "limit": 20 } ], "type": "pivot", "id": "c6fc9e03-b0f1-41c6-953c-1beef4fa41c5", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:webfilter" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "act", "limit": 15 } ], "type": "pivot", "id": "16265d60-4ed6-457e-9f38-e841a2c595b4", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:webfilter" }, "name": null, "timerange": { "type": "relative", "from": 300 }, "offset": 0, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "filter": null, "decorators": [], "type": "messages", "id": "f1d667cf-792b-449f-a4c5-90332138d555", "limit": 150 } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2022-04-28T23:21:00.322Z" }, "created_at": "2021-08-22T00:04:35.919Z", "requires": {}, "state": { "8c251406-7ec3-4259-ac68-43ad4fbc435a": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Web Traffic" }, "widget": { "998c4004-631c-46e3-be1b-f00c8e1bdcea": "Details", "626657a1-685f-4050-ba36-d4eaa1f414da": "Messages for FTNTFGTutmaction:allow", "0f91d521-54f5-4b52-aab9-79b0fda99f6b": "Action", 
"bc70a97e-ba93-4d1b-8b07-289d22bb344d": "Top 20 Categories" } }, "widgets": [ { "id": "bc70a97e-ba93-4d1b-8b07-289d22bb344d", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "requestContext", "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "0f91d521-54f5-4b52-aab9-79b0fda99f6b", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:webfilter" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "act", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "998c4004-631c-46e3-be1b-f00c8e1bdcea", "type": "messages", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:webfilter" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "fields": [ "timestamp", "src", "dst", "dhost", "requestContext", "act" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "0f91d521-54f5-4b52-aab9-79b0fda99f6b": [ "16265d60-4ed6-457e-9f38-e841a2c595b4" ], "998c4004-631c-46e3-be1b-f00c8e1bdcea": [ "f1d667cf-792b-449f-a4c5-90332138d555" ], 
"bc70a97e-ba93-4d1b-8b07-289d22bb344d": [ "c6fc9e03-b0f1-41c6-953c-1beef4fa41c5" ] }, "positions": { "0f91d521-54f5-4b52-aab9-79b0fda99f6b": { "col": 8, "row": 6, "height": 5, "width": 5 }, "998c4004-631c-46e3-be1b-f00c8e1bdcea": { "col": 1, "row": 11, "height": 5, "width": "Infinity" }, "bc70a97e-ba93-4d1b-8b07-289d22bb344d": { "col": 1, "row": 6, "height": 5, "width": 7 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - Web Traffic" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Includes category, action, and more" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "e1104538-c01b-4b16-b18a-0e55ebc2765e", "data": { "summary": { "@type": "string", "@value": "An overview of incoming messages from Fortigates" }, "search": { "queries": [ { "id": "e9fb44da-ba72-4d73-842d-677b784b23d4", "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [], "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "deviceExternalId", "limit": 1000 }, { "type": "values", "field": "source", "limit": 1000 }, { "type": "values", "field": "device_version", "limit": 1000 } ], "type": "pivot", "id": "6aa5a615-425b-4f2e-9c83-5ff192e42265", "column_groups": [], "sort": [ { "type": "pivot", "field": "deviceExternalId", "direction": "Descending" } ] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": null, "timerange": { "type": "relative", "from": 300 }, "offset": 0, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "filter": 
null, "decorators": [], "type": "messages", "id": "2b043515-5c0c-45b8-a919-96180862f1bc", "limit": 150 }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTsubtype", "limit": 15 } ], "type": "pivot", "id": "6f1be878-e3b8-4943-b0c9-455c3f71feb5", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "Message Count", "field": null } ], "filter": null, "rollup": true, "row_groups": [], "type": "pivot", "id": "62a99ec8-8c34-4797-8a13-e03ebc8c5ee9", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTlevel", "limit": 15 } ], "type": "pivot", "id": "de17a876-c41a-4274-81e6-7a475c103628", "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2022-04-28T23:16:39.972Z" }, "created_at": "2021-08-21T18:39:24.733Z", "requires": {}, "state": { "e9fb44da-ba72-4d73-842d-677b784b23d4": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Overview" }, "widget": { "6ce98b55-8b80-4e7b-99b1-dc7eac862800": "Incoming Message Count", "773f59c1-2a64-4e0b-bbe3-804e52590749": "Message Count by FTNTFGTsubtype", "de904358-5537-4ba1-8990-f3c7106f5a97": "Firewalls", "b71059b1-bbc5-45ca-8b98-abadf80a44a4": "System Logs", 
"b70c2eb1-001c-42e3-908f-1125c80d12bd": "Log Levels", "3ada64fa-a06b-44bc-b184-7218d7ad07d3": "Details" } }, "widgets": [ { "id": "6ce98b55-8b80-4e7b-99b1-dc7eac862800", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "numeric", "event_annotation": false, "row_pivots": [], "series": [ { "config": { "name": "Message Count" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "773f59c1-2a64-4e0b-bbe3-804e52590749", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTsubtype", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "b70c2eb1-001c-42e3-908f-1125c80d12bd", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTlevel", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "de904358-5537-4ba1-8990-f3c7106f5a97", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": 
"elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "deviceExternalId", "type": "values", "config": { "limit": 1000 } }, { "field": "source", "type": "values", "config": { "limit": 1000 } }, { "field": "device_version", "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [ { "type": "pivot", "field": "deviceExternalId", "direction": "Descending" } ] } }, { "id": "3ada64fa-a06b-44bc-b184-7218d7ad07d3", "type": "messages", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "fields": [ "timestamp", "FTNTFGTlevel", "FTNTFGTsubtype", "FTNTFGTeventtype", "msg", "source" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "b70c2eb1-001c-42e3-908f-1125c80d12bd": [ "de17a876-c41a-4274-81e6-7a475c103628" ], "de904358-5537-4ba1-8990-f3c7106f5a97": [ "6aa5a615-425b-4f2e-9c83-5ff192e42265" ], "6ce98b55-8b80-4e7b-99b1-dc7eac862800": [ "62a99ec8-8c34-4797-8a13-e03ebc8c5ee9" ], "3ada64fa-a06b-44bc-b184-7218d7ad07d3": [ "2b043515-5c0c-45b8-a919-96180862f1bc" ], "773f59c1-2a64-4e0b-bbe3-804e52590749": [ "6f1be878-e3b8-4943-b0c9-455c3f71feb5" ] }, "positions": { "b70c2eb1-001c-42e3-908f-1125c80d12bd": { "col": 9, "row": 10, "height": 3, "width": 4 }, "de904358-5537-4ba1-8990-f3c7106f5a97": { "col": 4, "row": 10, "height": 3, "width": 5 }, "6ce98b55-8b80-4e7b-99b1-dc7eac862800": { "col": 1, "row": 10, "height": 3, "width": 3 }, "3ada64fa-a06b-44bc-b184-7218d7ad07d3": { "col": 3, "row": 13, "height": 7, "width": 10 }, 
"773f59c1-2a64-4e0b-bbe3-804e52590749": { "col": 1, "row": 13, "height": 7, "width": 2 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - Overview" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Includes Fortigate hostnames, serial numbers, and full message details" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "3fb9e2ac-fa33-4ef1-9c23-231a343804cb", "data": { "summary": { "@type": "string", "@value": "SSL/TLS actions taken by Fortigates" }, "search": { "queries": [ { "id": "2a502371-8047-4812-81a3-8f5db8a2f123", "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ssl" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "act", "limit": 15 } ], "type": "pivot", "id": "c87f4574-89c2-46d4-81e1-58a88aaf3b11", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ssl" }, "name": null, "timerange": { "type": "relative", "from": 300 }, "offset": 0, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "filter": null, "decorators": [], "type": "messages", "id": "df3ef55d-7b1d-4d2b-b584-9b9919c9a548", "limit": 150 } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2022-04-28T23:20:25.282Z" }, "created_at": "2021-08-22T23:47:06.988Z", "requires": {}, "state": { "2a502371-8047-4812-81a3-8f5db8a2f123": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "SSL/TLS" }, "widget": { 
"1944a9c0-0869-4531-9d19-cd48a356581f": "Details", "5ca947fa-8a21-4ed9-bd46-481ff01bb583": "SSL Log (copy)", "d7980de5-bca6-41b3-ba4b-7be6ac7f2fe6": "Action", "7130df2e-28c4-48ba-9baa-55cad247b191": "SSL/TLS Action (copy)" } }, "widgets": [ { "id": "d7980de5-bca6-41b3-ba4b-7be6ac7f2fe6", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ssl" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "act", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "1944a9c0-0869-4531-9d19-cd48a356581f", "type": "messages", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ssl" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "fields": [ "timestamp", "src", "FTNTFGTeventtype", "dst", "dhost", "FTNTFGTeventsubtype", "act", "source" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "1944a9c0-0869-4531-9d19-cd48a356581f": [ "df3ef55d-7b1d-4d2b-b584-9b9919c9a548" ], "d7980de5-bca6-41b3-ba4b-7be6ac7f2fe6": [ "c87f4574-89c2-46d4-81e1-58a88aaf3b11" ] }, "positions": { "1944a9c0-0869-4531-9d19-cd48a356581f": { "col": 1, "row": 16, "height": 5, "width": "Infinity" }, "d7980de5-bca6-41b3-ba4b-7be6ac7f2fe6": { "col": 1, "row": 12, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - SSL/TLS Interventions" }, "type": "DASHBOARD", 
"description": { "@type": "string", "@value": "Provides records of when Fortigates intervened (with or without decrypting) in SSL/TLS traffic" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "523b58b8-4a69-4e7c-9c30-dc2cbfdbec19", "data": { "summary": { "@type": "string", "@value": "Details of DNS queries and responses" }, "search": { "queries": [ { "id": "609256a5-b8f0-40e3-9183-633a5ea7b115", "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "name": null, "timerange": { "type": "relative", "from": 300 }, "offset": 0, "streams": [], "filter": null, "decorators": [], "type": "messages", "id": "fdeb16d8-7b32-4ec4-a785-ae8a7904bb98", "limit": 150 }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "src", "limit": 500 }, { "type": "values", "field": "FTNTFGTsrcmac", "limit": 500 } ], "type": "pivot", "id": "7c54381b-f606-44fb-99bc-2cf21a074fde", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTcatdesc", "limit": 20 } ], "type": "pivot", "id": "7f3905fd-e712-4842-b16f-2276fe918945", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, 
"name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "act", "limit": 15 } ], "type": "pivot", "id": "338d7cd0-399f-4560-b802-a80f5322e818", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTeventtype:dns-*" }, "name": "chart", "timerange": { "type": "relative", "from": 300 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "dst", "limit": 500 } ], "type": "pivot", "id": "b848ae3c-ac46-4374-aab6-a74ffb340be0", "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2022-04-28T23:17:45.162Z" }, "created_at": "2021-08-22T22:40:31.199Z", "requires": {}, "state": { "609256a5-b8f0-40e3-9183-633a5ea7b115": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "DNS" }, "widget": { "69c2ab5f-6744-4ce8-bf84-22c75ee32877": "Details", "5a1fdf1a-a77b-4182-a0a9-c6817630d0a8": "DNS Action", "b0673ba6-8d12-4e2d-92b9-95f46131b9d4": "Top 20 DNS Categories", "7d4f422d-e3c6-4e69-ad8c-5105084a1b56": "Top 500 DNS Resolvers", "17f52e81-e4ab-40c9-85a8-ee372dfe31af": "Top 500 DNS Clients" } }, "widgets": [ { "id": "b0673ba6-8d12-4e2d-92b9-95f46131b9d4", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTcatdesc", "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": 
true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "17f52e81-e4ab-40c9-85a8-ee372dfe31af", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "src", "type": "values", "config": { "limit": 500 } }, { "field": "FTNTFGTsrcmac", "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "69c2ab5f-6744-4ce8-bf84-22c75ee32877", "type": "messages", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "fields": [ "timestamp", "src", "dst", "FTNTFGTqname", "FTNTFGTqtype", "FTNTFGTcatdesc", "act", "source" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "5a1fdf1a-a77b-4182-a0a9-c6817630d0a8", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:dns" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "act", "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "7d4f422d-e3c6-4e69-ad8c-5105084a1b56", "type": "aggregation", "filter": 
null, "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTeventtype:dns-*" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "dst", "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "69c2ab5f-6744-4ce8-bf84-22c75ee32877": [ "fdeb16d8-7b32-4ec4-a785-ae8a7904bb98" ], "7d4f422d-e3c6-4e69-ad8c-5105084a1b56": [ "b848ae3c-ac46-4374-aab6-a74ffb340be0" ], "b0673ba6-8d12-4e2d-92b9-95f46131b9d4": [ "7f3905fd-e712-4842-b16f-2276fe918945" ], "5a1fdf1a-a77b-4182-a0a9-c6817630d0a8": [ "338d7cd0-399f-4560-b802-a80f5322e818" ], "17f52e81-e4ab-40c9-85a8-ee372dfe31af": [ "7c54381b-f606-44fb-99bc-2cf21a074fde" ] }, "positions": { "69c2ab5f-6744-4ce8-bf84-22c75ee32877": { "col": 1, "row": 28, "height": 5, "width": "Infinity" }, "7d4f422d-e3c6-4e69-ad8c-5105084a1b56": { "col": 1, "row": 23, "height": 4, "width": 6 }, "b0673ba6-8d12-4e2d-92b9-95f46131b9d4": { "col": 1, "row": 18, "height": 5, "width": 6 }, "5a1fdf1a-a77b-4182-a0a9-c6817630d0a8": { "col": 7, "row": 18, "height": 5, "width": 6 }, "17f52e81-e4ab-40c9-85a8-ee372dfe31af": { "col": 7, "row": 24, "height": 4, "width": 6 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - DNS Traffic" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Includes details of the query, response, action, and category" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "f0189bdc-496d-4cce-9d99-c122936fa592", "data": { "summary": { "@type": 
"string", "@value": "Intrusion Prevention System (IPS) alert details" }, "search": { "queries": [ { "id": "7566f84a-e75a-4878-88c3-dd1e91a7f7d8", "timerange": { "type": "relative", "from": 300 }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "FTNTFGTeventtype:signature" }, "name": "chart", "timerange": { "type": "relative", "from": 604800 }, "streams": [], "series": [ { "type": "count", "id": "count", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTattackid", "limit": 1000 }, { "type": "values", "field": "FTNTFGTattack", "limit": 1000 } ], "type": "pivot", "id": "5ac30ef1-3c93-4bfd-8dcd-bcf6edba64b0", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "name": "chart", "timerange": { "type": "relative", "from": 604800 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "src", "limit": 1000 }, { "type": "values", "field": "FTNTFGTsrccountry", "limit": 1000 } ], "type": "pivot", "id": "a8d04c02-183e-4030-a644-2731d2338f56", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "name": null, "timerange": { "type": "relative", "from": 604800 }, "offset": 0, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "filter": null, "decorators": [], "type": "messages", "id": "227f51be-3463-4d64-aa36-7280c4387e30", "limit": 150 }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "name": "chart", "timerange": { "type": "relative", "from": 604800 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": 
"act", "limit": 10 } ], "type": "pivot", "id": "1abea032-aa20-4bcd-8a6f-8334600f0233", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "name": "chart", "timerange": { "type": "relative", "from": 604800 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTsrccountry", "limit": 20 } ], "type": "pivot", "id": "639b8e3e-3a61-4542-9d81-c29fbaa6f80e", "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "name": "chart", "timerange": { "type": "relative", "from": 604800 }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "field": "FTNTFGTseverity", "limit": 10 } ], "type": "pivot", "id": "ff2c8a80-18d1-4a31-8b43-a88755f9a692", "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2022-04-28T23:19:16.525Z" }, "created_at": "2021-08-21T02:43:39.934Z", "requires": {}, "state": { "7566f84a-e75a-4878-88c3-dd1e91a7f7d8": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "IPS Alerts" }, "widget": { "042f589d-7c0e-49b0-8dcf-721b5fca42be": "Top 10 attack source countries (copy)", "d327ea3c-9ce0-4f68-b486-50cee8af639d": "Severity", "7ed33e84-a1d9-4b54-8bba-c978a9b52774": "Messages for FTNTFGTattackid:45765", "cef63959-1434-4063-984c-a7b22bae3d12": "Attacks", "570e2667-01d3-43cf-8721-29a552b401d9": "Action", "cafca786-15bc-4b05-9fa6-99821a8fe5f7": "Details", "361cad97-5725-4622-8c4c-5a04d5988644": "Attack source countries (copy) (copy)", "d680ae46-016e-47b6-be30-82b50dff6869": "Attack source countries", "363dd4e2-54bc-4509-a868-cb7f249273a7": "Top 20 Attack Source Countries", 
"b9084ecd-7c59-414b-bedd-9f03890a771e": "Attack Source IP Addresses" } }, "widgets": [ { "id": "363dd4e2-54bc-4509-a868-cb7f249273a7", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTsrccountry", "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "cafca786-15bc-4b05-9fa6-99821a8fe5f7", "type": "messages", "filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "fields": [ "timestamp", "FTNTFGTattackid", "FTNTFGTattack", "FTNTFGTsrccountry", "act", "src", "dst" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "b9084ecd-7c59-414b-bedd-9f03890a771e", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "src", "type": "values", "config": { "limit": 1000 } }, { "field": "FTNTFGTsrccountry", "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": "count" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "570e2667-01d3-43cf-8721-29a552b401d9", "type": "aggregation", 
"filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "act", "type": "values", "config": { "limit": 10 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "cef63959-1434-4063-984c-a7b22bae3d12", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTeventtype:signature" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "table", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTattackid", "type": "values", "config": { "limit": 1000 } }, { "field": "FTNTFGTattack", "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": "count" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "d327ea3c-9ce0-4f68-b486-50cee8af639d", "type": "aggregation", "filter": null, "timerange": { "type": "relative", "from": 604800 }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTsubtype:ips" }, "streams": [ "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" ], "config": { "visualization": "pie", "event_annotation": false, "row_pivots": [ { "field": "FTNTFGTseverity", "type": "values", "config": { "limit": 10 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "cafca786-15bc-4b05-9fa6-99821a8fe5f7": [ "227f51be-3463-4d64-aa36-7280c4387e30" ], "b9084ecd-7c59-414b-bedd-9f03890a771e": [ 
"a8d04c02-183e-4030-a644-2731d2338f56" ], "363dd4e2-54bc-4509-a868-cb7f249273a7": [ "639b8e3e-3a61-4542-9d81-c29fbaa6f80e" ], "d327ea3c-9ce0-4f68-b486-50cee8af639d": [ "ff2c8a80-18d1-4a31-8b43-a88755f9a692" ], "cef63959-1434-4063-984c-a7b22bae3d12": [ "5ac30ef1-3c93-4bfd-8dcd-bcf6edba64b0" ], "570e2667-01d3-43cf-8721-29a552b401d9": [ "1abea032-aa20-4bcd-8a6f-8334600f0233" ] }, "positions": { "cafca786-15bc-4b05-9fa6-99821a8fe5f7": { "col": 1, "row": 40, "height": 8, "width": "Infinity" }, "b9084ecd-7c59-414b-bedd-9f03890a771e": { "col": 7, "row": 36, "height": 4, "width": 6 }, "363dd4e2-54bc-4509-a868-cb7f249273a7": { "col": 8, "row": 32, "height": 4, "width": 5 }, "d327ea3c-9ce0-4f68-b486-50cee8af639d": { "col": 1, "row": 32, "height": 4, "width": 4 }, "cef63959-1434-4063-984c-a7b22bae3d12": { "col": 1, "row": 36, "height": 4, "width": 6 }, "570e2667-01d3-43cf-8721-29a552b401d9": { "col": 5, "row": 32, "height": 4, "width": 3 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - IPS Alerts" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Includes signature, action, severity, source, and destination information" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "1b42d211-7cfb-48a9-8440-edf84319902b", "data": { "summary": { "@type": "string", "@value": "Analysis of devices and application traffic" }, "search": { "queries": [ { "id": "a2831f63-a6f7-4e2b-bd8b-81aa056c7b1d", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ 
"48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTapp" ], "limit": 20 } ], "type": "pivot", "id": "8fe17fed-6a9b-4d12-a74c-56eb7af882de", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTdevtype" ], "limit": 20 } ], "type": "pivot", "id": "e67bd74e-274c-44b5-8e66-f9f9476e2839", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "filter": null, "decorators": [], "type": "messages", "id": "8d38862c-b759-4274-87c1-f4d8260ad0a1", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTapprisk" ], "limit": 20 } ], "type": "pivot", "id": "023f660c-0af5-40a6-b5c0-d156a5941b3e", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", 
"timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTappcat" ], "limit": 20 } ], "type": "pivot", "id": "94d26ba2-c867-4ec8-bde9-4f219f4bb657", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dst" ], "limit": 500 }, { "type": "values", "fields": [ "dhost" ], "limit": 15 } ], "type": "pivot", "id": "41f4ae76-bc90-49ed-8765-bd57df671eed", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "deviceInboundInterface" ], "limit": 20 } ], "type": "pivot", "id": "26c996fb-43bb-41cc-aa64-6090b81ec26d", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, 
"rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTsrchwvendor" ], "limit": 20 } ], "type": "pivot", "id": "08c46380-bc73-48b7-ae97-7380f8df91e2", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "FTNTFGTappcat:* AND FTNTFGTutmaction:*" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTosname" ], "limit": 20 } ], "type": "pivot", "id": "f804de66-5021-4c2a-9631-3537fcd8f50a", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", "id": "messages", "field": "FTNTFGTapp" } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTapp" ], "limit": 500 } ], "type": "pivot", "id": "986cd626-1343-4f2d-b049-c9734e56c6cd", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "deviceOutboundInterface" ], "limit": 20 } ], "type": "pivot", "id": "78f5b7bf-eb7e-4880-aef1-e046bae2e3e6", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": 
"_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", "id": "messages", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "src" ], "limit": 500 }, { "type": "values", "fields": [ "FTNTFGTsrcmac" ], "limit": 500 }, { "type": "values", "fields": [ "shost" ], "limit": 500 }, { "type": "values", "fields": [ "FTNTFGTsrchwvendor" ], "limit": 500 }, { "type": "values", "fields": [ "FTNTFGTsrcfamily" ], "limit": 500 }, { "type": "values", "fields": [ "FTNTFGTosname" ], "limit": 500 }, { "type": "values", "fields": [ "FTNTFGTdevtype" ], "limit": 500 } ], "type": "pivot", "id": "0ae7b2a5-e353-437d-ae40-084db739e484", "filters": [], "column_groups": [], "sort": [ { "type": "series", "field": "count()", "direction": "Descending" } ] }, { "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "FTNTFGTutmaction" ], "limit": 20 } ], "type": "pivot", "id": "65603f89-d238-4f98-827d-2b1e3fb001bb", "filters": [], "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2023-04-12T15:35:40.836Z" }, "created_at": "2021-08-20T14:52:35.012Z", "requires": {}, "state": { "a2831f63-a6f7-4e2b-bd8b-81aa056c7b1d": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Applications" }, "widget": { "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b": "Top 20 Source Vendors", "c689f7d9-7603-4bbe-9270-0cd72d7d3813": "Application 
Risk", "ed46bbe6-3fd2-4789-9c3f-e2e92b7d51d6": "Connection Action", "7d41b01e-835f-4a28-a004-3471a948ebb2": "Application Control Action", "cff4179d-cb6d-4804-a37c-98934095097c": "Source Hostnames", "348c53bd-c803-4140-83f4-d5098ecf9673": "Top 500 Sources", "3e9ad8a6-a061-4201-9ea7-35a9e4edede0": "Destination Interface Roles", "c2193b01-5433-4738-bf8a-5fd9c511c452": "Top 500 Destinations", "14dfad00-67c4-4765-8050-d5bac9f4c1ac": "Top 20 Source Interfaces", "6f858779-4e46-4496-9cda-a808081c0440": "Top 20 Destination Interfaces", "9e5821e4-a2ad-4879-847c-58572c59656a": "Top 500 Applications", "832fb0c5-4fb7-48cd-8fcb-9d6420a4acc5": "Source Hardware Details", "f5ec7f4b-862c-4b82-8e65-a1d8bed243cf": "Field Statistics for act", "8608789e-bfca-4a40-8e5e-c0cea58a3406": "Source Operating Systems", "6429b279-f937-4d57-ac07-0f1ef6741b65": "Top 20 Application Categories", "e629c5ef-7fb8-4e95-9738-a6e7e9b8c1bc": "Top applications (copy)", "12219289-70dd-4d40-8fea-b33b94f4b96d": "Top 20 Applications", "e5536cef-4ab5-4a7d-b70b-ef0e8a622868": "Top 20 Source Interface Roles", "fe0bf0c8-ab22-41b0-a0e9-f190ba015ee1": "Field Statistics for dst", "11e26679-8f2a-4dab-8be7-724c5d2c3f1b": "Top 20 Source Device Types", "41f94aac-be42-4f60-a180-3f7d7962a219": "Source Vendors", "d6bbdb30-ded7-40b9-80fd-002ca662906d": "Details", "dde894bd-8943-4dd9-8922-3bff6fe1b1a2": "Top 20 Source Operating Systems" } }, "widgets": [ { "id": "c689f7d9-7603-4bbe-9270-0cd72d7d3813", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTapprisk" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], 
"rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "6429b279-f937-4d57-ac07-0f1ef6741b65", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTappcat" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "6f858779-4e46-4496-9cda-a808081c0440", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTappcat AND _exists_:FTNTFGTutmaction" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "deviceOutboundInterface" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "dde894bd-8943-4dd9-8922-3bff6fe1b1a2", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "FTNTFGTappcat:* AND FTNTFGTutmaction:*" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTosname" ], "type": "values", "config": { 
"limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "14dfad00-67c4-4765-8050-d5bac9f4c1ac", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "deviceInboundInterface" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "9e5821e4-a2ad-4879-847c-58572c59656a", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "FTNTFGTapp" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": "messages" }, "function": "count(FTNTFGTapp)" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "11e26679-8f2a-4dab-8be7-724c5d2c3f1b", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, 
"event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTdevtype" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "c2193b01-5433-4738-bf8a-5fd9c511c452", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "dst" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dhost" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "d6bbdb30-ded7-40b9-80fd-002ca662906d", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "fields": [ "timestamp", "shost", "src", "dst", "dpt", "FTNTFGTapp", "FTNTFGTappcat", "FTNTFGTutmaction" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ 
"8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTsrchwvendor" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "12219289-70dd-4d40-8fea-b33b94f4b96d", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTapp" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "7d41b01e-835f-4a28-a004-3471a948ebb2", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "FTNTFGTutmaction" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "348c53bd-c803-4140-83f4-d5098ecf9673", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": 
"elasticsearch", "query_string": "_exists_:FTNTFGTapp AND _exists_:FTNTFGTutmaction" }, "streams": [ "48395b4b-1afa-436f-91fc-a43ebe5b6322" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "src" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "FTNTFGTsrcmac" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "shost" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "FTNTFGTsrchwvendor" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "FTNTFGTsrcfamily" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "FTNTFGTosname" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "FTNTFGTdevtype" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": "messages" }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [ { "type": "series", "field": "count()", "direction": "Descending" } ] } } ], "widget_mapping": { "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b": [ "08c46380-bc73-48b7-ae97-7380f8df91e2" ], "c689f7d9-7603-4bbe-9270-0cd72d7d3813": [ "023f660c-0af5-40a6-b5c0-d156a5941b3e" ], "7d41b01e-835f-4a28-a004-3471a948ebb2": [ "65603f89-d238-4f98-827d-2b1e3fb001bb" ], "348c53bd-c803-4140-83f4-d5098ecf9673": [ "0ae7b2a5-e353-437d-ae40-084db739e484" ], "c2193b01-5433-4738-bf8a-5fd9c511c452": [ "41f4ae76-bc90-49ed-8765-bd57df671eed" ], "14dfad00-67c4-4765-8050-d5bac9f4c1ac": [ "26c996fb-43bb-41cc-aa64-6090b81ec26d" ], "6f858779-4e46-4496-9cda-a808081c0440": [ "78f5b7bf-eb7e-4880-aef1-e046bae2e3e6" ], "9e5821e4-a2ad-4879-847c-58572c59656a": [ "986cd626-1343-4f2d-b049-c9734e56c6cd" ], "6429b279-f937-4d57-ac07-0f1ef6741b65": [ "94d26ba2-c867-4ec8-bde9-4f219f4bb657" ], "12219289-70dd-4d40-8fea-b33b94f4b96d": [ "8fe17fed-6a9b-4d12-a74c-56eb7af882de" ], 
"11e26679-8f2a-4dab-8be7-724c5d2c3f1b": [ "e67bd74e-274c-44b5-8e66-f9f9476e2839" ], "d6bbdb30-ded7-40b9-80fd-002ca662906d": [ "8d38862c-b759-4274-87c1-f4d8260ad0a1" ], "dde894bd-8943-4dd9-8922-3bff6fe1b1a2": [ "f804de66-5021-4c2a-9631-3537fcd8f50a" ] }, "positions": { "59ab0cbf-86ba-405e-9414-2f3c0f09ce3b": { "col": 9, "row": 37, "height": 4, "width": 4 }, "c689f7d9-7603-4bbe-9270-0cd72d7d3813": { "col": 9, "row": 33, "height": 4, "width": 4 }, "7d41b01e-835f-4a28-a004-3471a948ebb2": { "col": 9, "row": 10, "height": 4, "width": 4 }, "348c53bd-c803-4140-83f4-d5098ecf9673": { "col": 1, "row": 14, "height": 4, "width": "Infinity" }, "c2193b01-5433-4738-bf8a-5fd9c511c452": { "col": 1, "row": 18, "height": 4, "width": 6 }, "14dfad00-67c4-4765-8050-d5bac9f4c1ac": { "col": 1, "row": 33, "height": 4, "width": 4 }, "6f858779-4e46-4496-9cda-a808081c0440": { "col": 5, "row": 33, "height": 4, "width": 4 }, "9e5821e4-a2ad-4879-847c-58572c59656a": { "col": 7, "row": 18, "height": 4, "width": 6 }, "6429b279-f937-4d57-ac07-0f1ef6741b65": { "col": 1, "row": 29, "height": 4, "width": "Infinity" }, "12219289-70dd-4d40-8fea-b33b94f4b96d": { "col": 1, "row": 10, "height": 4, "width": 8 }, "11e26679-8f2a-4dab-8be7-724c5d2c3f1b": { "col": 5, "row": 37, "height": 4, "width": 4 }, "d6bbdb30-ded7-40b9-80fd-002ca662906d": { "col": 1, "row": 22, "height": 7, "width": "Infinity" }, "dde894bd-8943-4dd9-8922-3bff6fe1b1a2": { "col": 1, "row": 37, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate - Applications and Devices" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Includes IP addresses, MAC addresses, device manufacturers, and application layer network traffic" } }, "constraints": [ { "type": "server-version", "version": ">=5.0.6+51f2df8" } ] }, { "v": "1", "type": { "name": "search", "version": "1" }, "id": 
"df34acee-426b-407c-a496-402a1b8846e7", "data": { "summary": { "@type": "string", "@value": "" }, "search": { "queries": [ { "id": "2c3a5510-9385-42cf-b8b9-e3c15b24c77b", "timerange": { "type": "relative", "from": 300 }, "filter": { "type": "or", "filters": [ { "type": "stream", "id": "b22cba7f-8ae4-4a70-b84f-c71c888b00f4" } ] }, "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": null, "name": "chart", "timerange": null, "streams": [], "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "time", "field": "timestamp", "interval": { "type": "auto", "scaling": 1 } } ], "type": "pivot", "id": "67e773aa-737e-48f8-baa9-80efd4f0a6a3", "column_groups": [], "sort": [] }, { "query": null, "name": null, "timerange": null, "offset": 0, "streams": [], "filter": null, "decorators": [], "type": "messages", "id": "8b52c5e9-8866-4b01-875b-17f0852e8828", "limit": 150 } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2021-08-22T12:26:25.752Z" }, "created_at": "2021-08-22T12:26:13.246Z", "requires": {}, "state": { "2c3a5510-9385-42cf-b8b9-e3c15b24c77b": { "selected_fields": null, "static_message_list_id": null, "titles": { "widget": { "b4140a62-b7d7-48a1-a878-2909b590b44d": "Activity", "3940c3cf-6995-42ce-a46b-b342864d988c": "Details" } }, "widgets": [ { "id": "3940c3cf-6995-42ce-a46b-b342864d988c", "type": "messages", "filter": null, "timerange": null, "query": null, "streams": [], "config": { "fields": [ "timestamp", "FTNTFGTlevel", "FTNTFGTsubtype", "FTNTFGTeventtype", "FTNTFGTutmaction", "act", "source" ], "show_message_row": true, "show_summary": null, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "b4140a62-b7d7-48a1-a878-2909b590b44d", "type": "aggregation", "filter": null, "timerange": null, "query": null, "streams": [], "config": { "visualization": "bar", "event_annotation": false, 
"row_pivots": [ { "field": "timestamp", "type": "time", "config": { "interval": { "type": "auto", "scaling": 1 } } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": true, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "b4140a62-b7d7-48a1-a878-2909b590b44d": [ "67e773aa-737e-48f8-baa9-80efd4f0a6a3" ], "3940c3cf-6995-42ce-a46b-b342864d988c": [ "8b52c5e9-8866-4b01-875b-17f0852e8828" ] }, "positions": { "3940c3cf-6995-42ce-a46b-b342864d988c": { "col": 1, "row": 26, "height": 6, "width": "Infinity" }, "b4140a62-b7d7-48a1-a878-2909b590b44d": { "col": 1, "row": 24, "height": 2, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "Fortigate CEF" }, "type": "SEARCH", "description": { "@type": "string", "@value": "All Fortigate CEF logs" } }, "constraints": [ { "type": "server-version", "version": ">=4.3.4+aae97b4" } ] }, { "v": "1", "type": { "name": "stream", "version": "1" }, "id": "48395b4b-1afa-436f-91fc-a43ebe5b6322", "data": { "alarm_callbacks": [], "outputs": [], "remove_matches": { "@type": "boolean", "@value": true }, "title": { "@type": "string", "@value": "Fortigate CEF Logs" }, "stream_rules": [ { "type": { "@type": "string", "@value": "EXACT" }, "field": { "@type": "string", "@value": "device_product" }, "value": { "@type": "string", "@value": "Fortigate" }, "inverted": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "" } } ], "alert_conditions": [], "matching_type": { "@type": "string", "@value": "AND" }, "disabled": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "Common Event Format (CEF) logs from Fortigate firewalls" }, "default_stream": { "@type": "boolean", "@value": false } }, "constraints": [ { "type": "server-version", "version": ">=5.0.6+51f2df8" } ] } ] }
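Before importing a pack like this one it is worth checking its internal references. The widgets and search types above reference three different stream IDs (48395b4b-1afa-436f-91fc-a43ebe5b6322, 8aadda2c-0a11-45bb-bb7f-dfdfb7d3aa9d and b22cba7f-8ae4-4a70-b84f-c71c888b00f4) while the README lists a single "Fortigate CEF Logs" stream, and the IPS dashboard's title map still carries entries for deleted "(copy)" widgets; a widget that points at a stream ID the pack does not define has nothing to resolve to on install. The Python script below is an added example, not part of this content pack or of Graylog. It walks a pack's entities and reports stream references with no matching stream entity, widget_mapping entries for widgets or search types that do not exist, and stale widget titles. It assumes the entity layout seen above (data.search.queries[].search_types[].streams, data.state[query].widgets[].streams, widget_mapping and titles.widget, plus the query-level stream filter used by saved searches), and when no file is given it runs against a constructed miniature pack that deliberately contains each defect.

```python
"""Pre-import sanity check for a Graylog content pack (added example).
Flags widgets/search types that reference a stream the pack does not define,
widget_mapping entries for widgets or search types that do not exist, and
stale widget titles left behind by copied or deleted widgets."""
import json
import sys

# Constructed miniature pack (hypothetical data, not the real pack): one stream
# is defined, but the dashboard also uses a second stream ID that is never
# defined, maps a widget that does not exist and keeps a title for a deleted widget.
STREAM_OK = "48395b4b-1afa-436f-91fc-a43ebe5b6322"
STREAM_MISSING = "b22cba7f-8ae4-4a70-b84f-c71c888b00f4"
SAMPLE_PACK = {"v": "1", "name": "Example pack", "entities": [
    {"v": "1", "type": {"name": "stream", "version": "1"}, "id": STREAM_OK,
     "data": {"title": {"@type": "string", "@value": "Fortigate CEF Logs"},
              "stream_rules": [{"type": {"@type": "string", "@value": "EXACT"},
                                "field": {"@type": "string", "@value": "device_product"},
                                "value": {"@type": "string", "@value": "Fortigate"}}]}},
    {"v": "1", "type": {"name": "dashboard", "version": "2"}, "id": "dash-1",
     "data": {"title": {"@type": "string", "@value": "Example - IPS"},
              "search": {"queries": [{
                  "id": "q1",
                  "filter": {"type": "or", "filters": [{"type": "stream", "id": STREAM_MISSING}]},
                  "search_types": [
                      {"id": "st1", "type": "pivot", "streams": [STREAM_OK]},
                      {"id": "st2", "type": "messages", "streams": [STREAM_MISSING]}]}]},
              "state": {"q1": {
                  "titles": {"widget": {"w1": "Attacks", "w2": "Details",
                                        "w-old": "Attack source countries (copy)"}},
                  "widgets": [{"id": "w1", "type": "aggregation", "streams": [STREAM_OK]},
                              {"id": "w2", "type": "messages", "streams": [STREAM_MISSING]}],
                  "widget_mapping": {"w1": ["st1"], "w2": ["st2"], "w3": ["st9"]}}}}}]}

def _entity_type(entity):
    return entity.get("type", {}).get("name")

def _query_states(entity):
    """Yield (query, state) pairs for a dashboard or search entity; none for streams."""
    data = entity.get("data", {})
    states = data.get("state", {})
    for query in data.get("search", {}).get("queries", []):
        yield query, states.get(query["id"], {})

def defined_stream_ids(pack):
    """IDs of the stream entities shipped inside the pack."""
    return {e["id"] for e in pack["entities"] if _entity_type(e) == "stream"}

def referenced_stream_ids(pack):
    """Every stream ID that a query filter, search type or widget refers to."""
    refs = set()
    for entity in pack["entities"]:
        for query, state in _query_states(entity):
            for flt in (query.get("filter") or {}).get("filters", []):
                if flt.get("type") == "stream":
                    refs.add(flt["id"])
            for st in query.get("search_types", []):
                refs.update(st.get("streams") or [])
            for widget in state.get("widgets", []):
                refs.update(widget.get("streams") or [])
    return refs

def dangling_stream_refs(pack):
    """Stream IDs used by dashboards or searches but not defined in the pack."""
    return referenced_stream_ids(pack) - defined_stream_ids(pack)

def broken_widget_mappings(pack):
    """widget_mapping entries whose widget or search type does not exist."""
    broken = []
    for entity in pack["entities"]:
        for query, state in _query_states(entity):
            widget_ids = {w["id"] for w in state.get("widgets", [])}
            st_ids = {st["id"] for st in query.get("search_types", [])}
            for widget_id, mapped in state.get("widget_mapping", {}).items():
                if widget_id not in widget_ids:
                    broken.append((entity["id"], widget_id, "missing widget"))
                broken.extend((entity["id"], s, "missing search type")
                              for s in mapped if s not in st_ids)
    return broken

def orphan_widget_titles(pack):
    """Titles kept for widgets that no longer exist (stale '(copy)' entries)."""
    orphans = []
    for entity in pack["entities"]:
        for _query, state in _query_states(entity):
            widget_ids = {w["id"] for w in state.get("widgets", [])}
            orphans.extend((entity["id"], wid)
                           for wid in state.get("titles", {}).get("widget", {})
                           if wid not in widget_ids)
    return orphans

def check_pack(pack):
    """Run every check on a pack (JSON string or parsed dict); return a report dict."""
    pack = json.loads(pack) if isinstance(pack, str) else pack
    return {"dangling_streams": sorted(dangling_stream_refs(pack)),
            "broken_mappings": sorted(broken_widget_mappings(pack)),
            "orphan_titles": sorted(orphan_widget_titles(pack))}

if __name__ == "__main__":  # usage: python check_pack.py pack.json (default: sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else json.dumps(SAMPLE_PACK)
    for key, value in check_pack(src).items():
        print(f"{key}: {value}")
```

Run it against the exported JSON before uploading it under System > Content Packs; an empty list for every key means the dashboards will find the streams they filter on. A non-empty dangling_streams list usually means a dashboard was exported from a different Graylog install than the stream it references, and the fix is to re-add the dashboard to the pack from the install that owns the stream rather than to edit the IDs by hand.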