{ "v": "1", "id": "85f976d9-4d2d-45f9-922d-25d2d9c11f87", "rev": 12, "name": "FortiGate Syslog", "summary": "Dashboards for FortiGate syslog data", "description": "# graylog-fortigate-syslog\n\nA Graylog Content Pack of dashboards for FortiGate syslog data\n\n## Setup\n\nA complete guide can be found on [my blog][blog]. It explains how to create a single-node Graylog instance, import this Content Pack, and configure FortiGate firewalls to send logs to the Graylog server.\n\nIn Graylog, a stream routes log data to a specific index based on rules. This Content Pack includes one stream.\n\n## FortiGate Syslog stream\n\nIn Graylog, a stream routes log data to a specific index based on rules. This Content Pack includes one stream.\n\nThe FortiGate Syslog stream includes a rule that matches all logs with a field named `devid` whose value matches the regex pattern `^FG([0-9]{2,3})[A-Z]T|^FGT`, which is the beginning of every FortiGate serial number and is included in every FortiGate log message.\n\n### FortiGate Syslog\n\nThe FortiGate Syslog dashboard has multiple pages. 
Each page contains a collection of dashboard widgets related to a specific type of log data.\n\n- Overview\n- Application Control\n- DNS Filter\n- Forward Traffic\n- IPS\n- Local Traffic\n- Multicast Traffic\n- SSL/TLS/SSH Inspection\n- VPN\n- Web Filter\n\n[blog]: https://seanthegeek.net/1270/how-to-create-a-single-node-graylog-instance-and-analyze-fortigate-logs/\n", "vendor": "Sean Whalen", "url": "https://github.com/seanthegeek/graylog-fortigate-syslog", "parameters": [], "entities": [ { "v": "1", "type": { "name": "dashboard", "version": "2" }, "id": "dbd48a0b-0eb7-402d-81c1-ff5e83aaa4fc", "data": { "summary": { "@type": "string", "@value": "Visualizations of FortiGate syslog data" }, "search": { "queries": [ { "id": "d091f7dd-dc7d-4eae-951c-fb094534ffe1", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { "from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srccountry" ], "limit": 15 } ], "type": "pivot", "id": "618ada4b-d57c-4736-8189-513ee1e51336", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { "from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 1000 } ], "type": "pivot", "id": "a2bbdcda-0bce-4d91-b8f3-3714174ab621", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": 
"elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { "from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "crlevel" ], "limit": 15 } ], "type": "pivot", "id": "56df59c9-311a-41a6-9413-6ddad5cfa0f9", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { "from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 15 } ], "type": "pivot", "id": "5b90df49-db18-4703-949c-58d8216a7b9f", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { "from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 1000 } ], "type": "pivot", "id": "79d8eba6-56fa-4562-9d53-ccd28fda276f", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": null, "timerange": { "from": 604800, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "0707845a-b9ca-4b87-8343-c7480f1b6885", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "name": "chart", "timerange": { 
"from": 604800, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "attackid" ], "limit": 1000 }, { "type": "values", "fields": [ "attack" ], "limit": 1000 } ], "type": "pivot", "id": "e828db45-32a7-490c-a9d7-bc40ab7dab86", "filters": [], "column_groups": [], "sort": [] } ] }, { "id": "7f432e7d-7180-4335-8fa6-b3720401fdf9", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "source" ], "limit": 1000 }, { "type": "values", "fields": [ "devid" ], "limit": 1000 } ], "type": "pivot", "id": "39b63227-577e-4fc3-8241-0c940a70ad86", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "level" ], "limit": 15 } ], "type": "pivot", "id": "b98c4dc5-a8a5-4bab-96e9-5dfe02b38df6", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": 
[ { "type": "count", "id": "Message Count", "field": null } ], "filter": null, "rollup": true, "row_groups": [], "type": "pivot", "id": "68252868-1545-4d13-8d00-cbae56df5871", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "subtype" ], "limit": 100 } ], "type": "pivot", "id": "0bf39a74-de77-459b-8243-a2705d15cafa", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "8c38d879-e2f0-4738-8e96-e5116cfa063f", "limit": 150, "filters": [] } ] }, { "id": "72074b7f-aa55-4176-98e5-24e96325d82b", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcintf" ], "limit": 500 }, { "type": "values", "fields": [ "dstintf" ], "limit": 500 } ], "type": "pivot", "id": "87523952-f110-415b-9656-ec0d0ec5042c", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, 
"streams": [], "filter": null, "decorators": [], "type": "messages", "id": "b7b4723d-79d8-4cbb-b0e2-3c9fd896dada", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 500 }, { "type": "values", "fields": [ "srcmac" ], "limit": 500 }, { "type": "values", "fields": [ "srcname" ], "limit": 500 }, { "type": "values", "fields": [ "srchwvendor" ], "limit": 500 }, { "type": "values", "fields": [ "srcfamily" ], "limit": 500 }, { "type": "values", "fields": [ "osname" ], "limit": 500 }, { "type": "values", "fields": [ "devtype" ], "limit": 500 } ], "type": "pivot", "id": "9ae5284f-192c-4938-87d5-fac2fb564441", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:local AND _exists_:app" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "app" ], "limit": 500 } ], "type": "pivot", "id": "ca2cc9a0-2774-436a-a393-98f5287560ec", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 500 }, { 
"type": "values", "fields": [ "dstname" ], "limit": 500 } ], "type": "pivot", "id": "45220298-0417-4aae-bbb9-056ab56a751c", "filters": [], "column_groups": [], "sort": [] } ] }, { "id": "9d3956e6-8403-43e2-9794-6287c22e83e3", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "catdesc" ], "limit": 15 } ], "type": "pivot", "id": "9f46d2a4-5143-487a-b4c2-750563a6d2e0", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 15 } ], "type": "pivot", "id": "c3b9070d-ab09-48fb-b765-beedcb3dbae4", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "555da296-38d4-4ecc-8551-2f67861ffc60", "limit": 150, "filters": [] } ] }, { "id": "9d8f85ce-f536-44d4-95d6-c2223e233a42", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", 
"query_string": "subtype:forward" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [], "filter": null, "decorators": [], "type": "messages", "id": "c541fb71-3851-495e-b2b3-b65d372bfdc4", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 500 }, { "type": "values", "fields": [ "dstname" ], "limit": 500 } ], "type": "pivot", "id": "c60da581-8a07-43c9-8b58-670a4d491c1c", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:forward AND _exists_:app" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "app" ], "limit": 500 } ], "type": "pivot", "id": "f1b7ba4c-24ad-459e-b9fd-d71ba69782a5", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 500 }, { "type": "values", "fields": [ "srcmac" ], "limit": 500 }, { "type": "values", "fields": [ "srcname" ], "limit": 500 }, { "type": "values", "fields": [ "srchwvendor" ], "limit": 500 }, { "type": 
"values", "fields": [ "srcfamily" ], "limit": 500 }, { "type": "values", "fields": [ "osname" ], "limit": 500 }, { "type": "values", "fields": [ "devtype" ], "limit": 500 } ], "type": "pivot", "id": "24d12620-35f6-46ad-b750-a117a18d0893", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcintf" ], "limit": 500 }, { "type": "values", "fields": [ "dstintf" ], "limit": 500 } ], "type": "pivot", "id": "328febb2-49d4-40d9-97f4-746df74bf499", "filters": [], "column_groups": [], "sort": [] } ] }, { "id": "e6a39179-8355-4c52-83b0-9b771f546c75", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:ssl" }, "name": "chart", "timerange": { "from": 86400, "type": "relative" }, "column_limit": null, "streams": [], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 15 } ], "type": "pivot", "id": "6f0d8ce5-72b0-49e3-bb32-65565f3dea54", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:ssl" }, "name": null, "timerange": { "from": 86400, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "eff100a3-ca43-4812-ac27-1164a090d11f", "limit": 150, "filters": [] } ] }, { "id": "34d9ef39-dd5c-4454-9307-a94551327f9d", "timerange": { "from": 300, "type": "relative" }, 
"filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:vpn" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "12dbbdac-a1df-40a8-b62e-148d62f0972b", "limit": 150, "filters": [] } ] }, { "id": "db280891-ac9d-4c87-9ee0-3b2e9a9ebc6a", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 500 } ], "type": "pivot", "id": "866d898c-1205-488b-b254-6e9019513cd4", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [], "filter": null, "decorators": [], "type": "messages", "id": "1ab8c3f3-4d2e-49c0-9980-d24399277940", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcintf" ], "limit": 500 }, { "type": "values", "fields": [ "dstintf" ], "limit": 500 } ], "type": "pivot", "id": "cb7810c2-1c8e-4299-927b-2747949c1acc", "filters": 
[], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "service" ], "limit": 500 } ], "type": "pivot", "id": "38555621-6d28-4383-9846-2d0b289351f8", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 50 } ], "type": "pivot", "id": "0a24040b-892d-4832-81eb-4cfbe352000f", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 500 }, { "type": "values", "fields": [ "srcname" ], "limit": 500 } ], "type": "pivot", "id": "cacef5d0-0894-41f4-9c54-4910b739e4e9", "filters": [], "column_groups": [], "sort": [] } ] }, { "id": "a36fef84-e163-4220-95f8-94d0022ed5a1", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": "chart", "timerange": { "from": 
300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 500 } ], "type": "pivot", "id": "8552d965-965b-4f13-b336-caec3f9b44c8", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "1c66567d-d4b9-4f24-b111-49fbf4ee330f", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 20 } ], "type": "pivot", "id": "4401daec-7bc8-4a01-b556-e44da9708a95", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 500 } ], "type": "pivot", "id": "66385364-2e58-434f-adb9-c5a2c5b1e297", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ 
"df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "app" ], "limit": 20 } ], "type": "pivot", "id": "542b4e8b-4168-4bb2-8847-3be3ba399350", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "app" ], "limit": 500 } ], "type": "pivot", "id": "908c9c52-9445-4c35-bd53-52b469909764", "filters": [], "column_groups": [], "sort": [] } ] }, { "id": "0444614a-4f87-407e-953f-b6ade0610d45", "timerange": { "from": 300, "type": "relative" }, "filters": [], "query": { "type": "elasticsearch", "query_string": "" }, "search_types": [ { "query": { "type": "elasticsearch", "query_string": "subtype:dns" }, "name": null, "timerange": { "from": 300, "type": "relative" }, "offset": 0, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "filter": null, "decorators": [], "type": "messages", "id": "2d7ed932-282d-4db6-b46f-b506f0cc07bd", "limit": 150, "filters": [] }, { "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-query" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "dstip" ], "limit": 500 } ], "type": "pivot", "id": "f640db42-2fb8-4ca8-95ea-07b7d214c3be", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": 
"eventtype:dns\\-response" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "action" ], "limit": 20 } ], "type": "pivot", "id": "b2795861-9106-4194-ace2-6ce1b411c125", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-response" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "catdesc" ], "limit": 20 } ], "type": "pivot", "id": "c586b81d-8347-49d7-bc8d-ae2fd4c4fde2", "filters": [], "column_groups": [], "sort": [] }, { "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-query" }, "name": "chart", "timerange": { "from": 300, "type": "relative" }, "column_limit": null, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "row_limit": null, "series": [ { "type": "count", "id": "count()", "field": null } ], "filter": null, "rollup": true, "row_groups": [ { "type": "values", "fields": [ "srcip" ], "limit": 500 }, { "type": "values", "fields": [ "srcmac" ], "limit": 500 } ], "type": "pivot", "id": "401ab2d8-9636-4f36-838e-648a8c336f29", "filters": [], "column_groups": [], "sort": [] } ] } ], "parameters": [], "requires": {}, "owner": "sean", "created_at": "2023-04-23T16:16:42.743Z" }, "created_at": "2023-04-15T21:53:54.019Z", "requires": {}, "state": { "a36fef84-e163-4220-95f8-94d0022ed5a1": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Application Control" }, "widget": { "d576e359-11f4-4a5d-993b-2f8361910cbb": "Top 20 
Applications", "c0230339-00f7-4ad0-b7a1-a5cd249b4fec": "Action", "a034857c-5241-4dfc-ab0b-a636b05fc7e9": "Traffic Type", "ee42cfae-87a9-400f-b837-e107a372e294": "Top 500 Destinations", "749acccd-93e5-4a82-9365-c3df5207dfd7": "Top 500 Applications", "3cb45dcb-6d39-45d9-b340-0e15d5b0f982": "Details", "ff79bc69-9e97-49c9-857b-0eec010cf998": "Top 500 Sources" } }, "widgets": [ { "id": "c0230339-00f7-4ad0-b7a1-a5cd249b4fec", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "ff79bc69-9e97-49c9-857b-0eec010cf998", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "d576e359-11f4-4a5d-993b-2f8361910cbb", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], 
"config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "app" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "749acccd-93e5-4a82-9365-c3df5207dfd7", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "app" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "3cb45dcb-6d39-45d9-b340-0e15d5b0f982", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "srcname", "srcip", "dstip", "dstport", "app", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "ee42cfae-87a9-400f-b837-e107a372e294", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:app\\-ctrl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { 
"fields": [ "dstip" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "ee42cfae-87a9-400f-b837-e107a372e294": [ "8552d965-965b-4f13-b336-caec3f9b44c8" ], "c0230339-00f7-4ad0-b7a1-a5cd249b4fec": [ "4401daec-7bc8-4a01-b556-e44da9708a95" ], "d576e359-11f4-4a5d-993b-2f8361910cbb": [ "542b4e8b-4168-4bb2-8847-3be3ba399350" ], "749acccd-93e5-4a82-9365-c3df5207dfd7": [ "908c9c52-9445-4c35-bd53-52b469909764" ], "3cb45dcb-6d39-45d9-b340-0e15d5b0f982": [ "1c66567d-d4b9-4f24-b111-49fbf4ee330f" ], "ff79bc69-9e97-49c9-857b-0eec010cf998": [ "66385364-2e58-434f-adb9-c5a2c5b1e297" ] }, "positions": { "749acccd-93e5-4a82-9365-c3df5207dfd7": { "col": 9, "row": 19, "height": 4, "width": 4 }, "3cb45dcb-6d39-45d9-b340-0e15d5b0f982": { "col": 1, "row": 21, "height": 5, "width": "Infinity" }, "d576e359-11f4-4a5d-993b-2f8361910cbb": { "col": 1, "row": 11, "height": 5, "width": 9 }, "ff79bc69-9e97-49c9-857b-0eec010cf998": { "col": 1, "row": 16, "height": 4, "width": 4 }, "c0230339-00f7-4ad0-b7a1-a5cd249b4fec": { "col": 10, "row": 11, "height": 5, "width": 3 }, "ee42cfae-87a9-400f-b837-e107a372e294": { "col": 5, "row": 16, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "d091f7dd-dc7d-4eae-951c-fb094534ffe1": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "IPS" }, "widget": { "3804338a-f8a1-4147-9a4f-0a75f3bf594a": "Severity", "6560d99f-3012-4b4e-b79c-da58f571267c": "Action", "658ea93a-90ff-49dc-925a-05c69b694741": "Top 20 Source Countries", "37230a0a-f3b4-4fab-94b1-cfa1423fe945": "Attacks", "24056bb3-21e9-4a0a-9690-1037c658f1ae": "Attack Source IP Addresses", "b0a4ce7d-9fd1-49ec-a99b-b70461701330": "Attack Destination IP Addresses", 
"e1fe56f6-35fc-4bc6-bc7f-cf9e467baf0c": "Details" } }, "widgets": [ { "id": "37230a0a-f3b4-4fab-94b1-cfa1423fe945", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 1000, "row_pivots": [ { "fields": [ "attackid" ], "type": "values", "config": { "limit": 1000 } }, { "fields": [ "attack" ], "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "3804338a-f8a1-4147-9a4f-0a75f3bf594a", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "crlevel" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "6560d99f-3012-4b4e-b79c-da58f571267c", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, 
"function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "e1fe56f6-35fc-4bc6-bc7f-cf9e467baf0c", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "attackid", "attack", "srccountry", "srcip", "dstip", "dstport", "user" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "658ea93a-90ff-49dc-925a-05c69b694741", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "srccountry" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "b0a4ce7d-9fd1-49ec-a99b-b70461701330", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 1000, "row_pivots": [ { "fields": [ "dstip" ], "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": 
null, "sort": [] } }, { "id": "24056bb3-21e9-4a0a-9690-1037c658f1ae", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 604800, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ips" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 1000, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 1000 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "e1fe56f6-35fc-4bc6-bc7f-cf9e467baf0c": [ "0707845a-b9ca-4b87-8343-c7480f1b6885" ], "37230a0a-f3b4-4fab-94b1-cfa1423fe945": [ "e828db45-32a7-490c-a9d7-bc40ab7dab86" ], "b0a4ce7d-9fd1-49ec-a99b-b70461701330": [ "a2bbdcda-0bce-4d91-b8f3-3714174ab621" ], "24056bb3-21e9-4a0a-9690-1037c658f1ae": [ "79d8eba6-56fa-4562-9d53-ccd28fda276f" ], "658ea93a-90ff-49dc-925a-05c69b694741": [ "618ada4b-d57c-4736-8189-513ee1e51336" ], "3804338a-f8a1-4147-9a4f-0a75f3bf594a": [ "56df59c9-311a-41a6-9413-6ddad5cfa0f9" ], "6560d99f-3012-4b4e-b79c-da58f571267c": [ "5b90df49-db18-4703-949c-58d8216a7b9f" ] }, "positions": { "e1fe56f6-35fc-4bc6-bc7f-cf9e467baf0c": { "col": 1, "row": 12, "height": 5, "width": "Infinity" }, "37230a0a-f3b4-4fab-94b1-cfa1423fe945": { "col": 1, "row": 8, "height": 4, "width": 4 }, "b0a4ce7d-9fd1-49ec-a99b-b70461701330": { "col": 9, "row": 8, "height": 4, "width": 4 }, "24056bb3-21e9-4a0a-9690-1037c658f1ae": { "col": 5, "row": 8, "height": 4, "width": 4 }, "658ea93a-90ff-49dc-925a-05c69b694741": { "col": 9, "row": 4, "height": 4, "width": 4 }, "3804338a-f8a1-4147-9a4f-0a75f3bf594a": { "col": 1, "row": 4, "height": 4, "width": 4 }, "6560d99f-3012-4b4e-b79c-da58f571267c": { "col": 5, "row": 4, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] 
}, "display_mode_settings": { "positions": {} } }, "72074b7f-aa55-4176-98e5-24e96325d82b": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Local Traffic" }, "widget": { "4f88a222-c404-451a-b958-cfe18153d9f8": "Top 500 Sources", "6fe9e2b7-b209-404c-aeac-336a97e78f67": "Top 500 Destinations", "undefined": "Top 500 Applications", "5a88304b-2a6c-4b45-bcd6-35282dac1c39": "Details", "cd153798-774d-4bac-b62d-9d83be4d2447": "Top 500 Interfaces", "ddd5d931-ed8c-4198-b1e0-8c06209f4868": "Top 500 Applications" } }, "widgets": [ { "id": "ddd5d931-ed8c-4198-b1e0-8c06209f4868", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:local AND _exists_:app" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "app" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "cd153798-774d-4bac-b62d-9d83be4d2447", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcintf" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dstintf" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, 
"sort": [] } }, { "id": "6fe9e2b7-b209-404c-aeac-336a97e78f67", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "dstip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dstname" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "4f88a222-c404-451a-b958-cfe18153d9f8", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcmac" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcname" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srchwvendor" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcfamily" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "osname" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "devtype" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "5a88304b-2a6c-4b45-bcd6-35282dac1c39", "type": "messages", "filter": null, "filters": [], 
"timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:local" }, "streams": [], "config": { "fields": [ "timestamp", "srcip", "srcname", "dstip", "dstname", "dstport", "app", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "4f88a222-c404-451a-b958-cfe18153d9f8": [ "9ae5284f-192c-4938-87d5-fac2fb564441" ], "cd153798-774d-4bac-b62d-9d83be4d2447": [ "87523952-f110-415b-9656-ec0d0ec5042c" ], "ddd5d931-ed8c-4198-b1e0-8c06209f4868": [ "ca2cc9a0-2774-436a-a393-98f5287560ec" ], "6fe9e2b7-b209-404c-aeac-336a97e78f67": [ "45220298-0417-4aae-bbb9-056ab56a751c" ], "5a88304b-2a6c-4b45-bcd6-35282dac1c39": [ "b7b4723d-79d8-4cbb-b0e2-3c9fd896dada" ] }, "positions": { "cd153798-774d-4bac-b62d-9d83be4d2447": { "col": 1, "row": 25, "height": 4, "width": 4 }, "ddd5d931-ed8c-4198-b1e0-8c06209f4868": { "col": 9, "row": 26, "height": 4, "width": 4 }, "6fe9e2b7-b209-404c-aeac-336a97e78f67": { "col": 5, "row": 25, "height": 4, "width": 4 }, "4f88a222-c404-451a-b958-cfe18153d9f8": { "col": 1, "row": 21, "height": 4, "width": "Infinity" }, "5a88304b-2a6c-4b45-bcd6-35282dac1c39": { "col": 1, "row": 30, "height": 6, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "0444614a-4f87-407e-953f-b6ade0610d45": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "DNS Filter" }, "widget": { "1fe2d94d-bb5b-4857-ad0b-b8e300c4bc06": "Details", "2941833c-8ee5-409e-a537-6ffa37cde0b5": "Top 20 DNS Categories", "140b980d-9f57-413b-90cf-1cd7dfd7696e": "DNS Action", "a46359a8-3ab0-46f9-8997-ab6f88ea97aa": "Top 500 DNS Resolvers", "123485ad-6213-40e7-a3f4-d85f709fc7d7": "Top 500 DNS Clients" } }, "widgets": [ { "id": "140b980d-9f57-413b-90cf-1cd7dfd7696e", "type": "aggregation", "filter": null, "filters": [], 
"timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-response" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "123485ad-6213-40e7-a3f4-d85f709fc7d7", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-query" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcmac" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "a46359a8-3ab0-46f9-8997-ab6f88ea97aa", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-query" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "dstip" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] 
} }, { "id": "1fe2d94d-bb5b-4857-ad0b-b8e300c4bc06", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:dns" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "srcip", "qname", "qclass", "qtype", "eventtype", "catdesc", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "2941833c-8ee5-409e-a537-6ffa37cde0b5", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "eventtype:dns\\-response" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 20, "row_pivots": [ { "fields": [ "catdesc" ], "type": "values", "config": { "limit": 20 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "1fe2d94d-bb5b-4857-ad0b-b8e300c4bc06": [ "2d7ed932-282d-4db6-b46f-b506f0cc07bd" ], "a46359a8-3ab0-46f9-8997-ab6f88ea97aa": [ "f640db42-2fb8-4ca8-95ea-07b7d214c3be" ], "140b980d-9f57-413b-90cf-1cd7dfd7696e": [ "b2795861-9106-4194-ace2-6ce1b411c125" ], "123485ad-6213-40e7-a3f4-d85f709fc7d7": [ "401ab2d8-9636-4f36-838e-648a8c336f29" ], "2941833c-8ee5-409e-a537-6ffa37cde0b5": [ "c586b81d-8347-49d7-bc8d-ae2fd4c4fde2" ] }, "positions": { "a46359a8-3ab0-46f9-8997-ab6f88ea97aa": { "col": 8, "row": 16, "height": 4, "width": 5 }, "1fe2d94d-bb5b-4857-ad0b-b8e300c4bc06": { "col": 1, "row": 20, "height": 5, "width": "Infinity" }, "140b980d-9f57-413b-90cf-1cd7dfd7696e": { "col": 8, "row": 10, "height": 5, "width": 5 }, "123485ad-6213-40e7-a3f4-d85f709fc7d7": { "col": 
1, "row": 15, "height": 4, "width": 7 }, "2941833c-8ee5-409e-a537-6ffa37cde0b5": { "col": 1, "row": 10, "height": 5, "width": 7 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "e6a39179-8355-4c52-83b0-9b771f546c75": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "SSL/TLS/SSH Inspection" }, "widget": { "cae6a7c4-8ac1-4b55-80bb-9512795a3133": "Action", "74547fb3-89d5-43fe-b1f9-d874b1bccdad": "Details" } }, "widgets": [ { "id": "74547fb3-89d5-43fe-b1f9-d874b1bccdad", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 86400, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ssl" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "srcip", "dstip", "hostname", "eventsubtype", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "cae6a7c4-8ac1-4b55-80bb-9512795a3133", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 86400, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:ssl" }, "streams": [], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "74547fb3-89d5-43fe-b1f9-d874b1bccdad": [ "eff100a3-ca43-4812-ac27-1164a090d11f" ], "cae6a7c4-8ac1-4b55-80bb-9512795a3133": [ "6f0d8ce5-72b0-49e3-bb32-65565f3dea54" ] }, "positions": { "74547fb3-89d5-43fe-b1f9-d874b1bccdad": { "col": 1, "row": 21, "height": 5, "width": "Infinity" }, "cae6a7c4-8ac1-4b55-80bb-9512795a3133": { 
"col": 1, "row": 17, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "db280891-ac9d-4c87-9ee0-3b2e9a9ebc6a": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Multicast Traffic" }, "widget": { "3b9b1eed-a05b-4a15-b881-cf642dbb4af0": "Top 500 Sources", "501f0827-14b6-44f0-9fbe-e1736ede3ab8": "Top 500 Destinations", "undefined": "Top 500 Applications", "7a14829f-4ad0-424d-8dbc-5be067901986": "Details", "cce71385-474e-447d-8f2a-3d9507935593": "Top 500 Interfaces", "ffa18ddf-8487-498e-afc7-54002571fa90": "Top 500 Applications", "94f227d2-3e21-42d8-8a68-128d90c79d3a": "Action" } }, "widgets": [ { "id": "7a14829f-4ad0-424d-8dbc-5be067901986", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [], "config": { "fields": [ "timestamp", "srcip", "srcname", "dstip", "dstport", "service", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "ffa18ddf-8487-498e-afc7-54002571fa90", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "service" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "3b9b1eed-a05b-4a15-b881-cf642dbb4af0", "type": "aggregation", "filter": null, "filters": [], "timerange": 
{ "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcname" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "cce71385-474e-447d-8f2a-3d9507935593", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcintf" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dstintf" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "501f0827-14b6-44f0-9fbe-e1736ede3ab8", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "dstip" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], 
"visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "94f227d2-3e21-42d8-8a68-128d90c79d3a", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:multicast" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 50, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 50 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "7a14829f-4ad0-424d-8dbc-5be067901986": [ "1ab8c3f3-4d2e-49c0-9980-d24399277940" ], "cce71385-474e-447d-8f2a-3d9507935593": [ "cb7810c2-1c8e-4299-927b-2747949c1acc" ], "3b9b1eed-a05b-4a15-b881-cf642dbb4af0": [ "cacef5d0-0894-41f4-9c54-4910b739e4e9" ], "ffa18ddf-8487-498e-afc7-54002571fa90": [ "38555621-6d28-4383-9846-2d0b289351f8" ], "94f227d2-3e21-42d8-8a68-128d90c79d3a": [ "0a24040b-892d-4832-81eb-4cfbe352000f" ], "501f0827-14b6-44f0-9fbe-e1736ede3ab8": [ "866d898c-1205-488b-b254-6e9019513cd4" ] }, "positions": { "cce71385-474e-447d-8f2a-3d9507935593": { "col": 8, "row": 4, "height": 4, "width": 5 }, "3b9b1eed-a05b-4a15-b881-cf642dbb4af0": { "col": 1, "row": 4, "height": 4, "width": 4 }, "ffa18ddf-8487-498e-afc7-54002571fa90": { "col": 1, "row": 8, "height": 4, "width": 7 }, "94f227d2-3e21-42d8-8a68-128d90c79d3a": { "col": 8, "row": 8, "height": 4, "width": 5 }, "501f0827-14b6-44f0-9fbe-e1736ede3ab8": { "col": 5, "row": 4, "height": 4, "width": 3 }, "7a14829f-4ad0-424d-8dbc-5be067901986": { "col": 1, "row": 12, "height": 6, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "9d8f85ce-f536-44d4-95d6-c2223e233a42": { 
"selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Forward Traffic" }, "widget": { "ef814c0b-7f72-4851-83e8-896490bb21b4": "Top 500 Sources", "e32daa88-86fa-4494-8ff0-661d934dfc5d": "Top 500 Destinations", "fafe3366-f58b-4c5a-82a3-4999ee97e40a": "Top 10 Applications", "565ed325-86ae-47da-8d1c-461492a5aba1": "Top 10 Application Categories", "60619577-03f8-401d-8c4b-86c9320c8b53": "Details", "9d9eaebf-0e0e-4e4d-b7ab-1e3cf90a870a": "Top 500 Applications", "dd3537ab-7925-4507-832c-cd1589a2546d": "Top 500 Interfaces", "4f3cff32-b6b2-4765-9657-73828b1cfad2": "Top 500 Applications" } }, "widgets": [ { "id": "e32daa88-86fa-4494-8ff0-661d934dfc5d", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "dstip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dstname" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "4f3cff32-b6b2-4765-9657-73828b1cfad2", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:forward AND _exists_:app" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "app" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], 
"visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "dd3537ab-7925-4507-832c-cd1589a2546d", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcintf" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "dstintf" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "60619577-03f8-401d-8c4b-86c9320c8b53", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "streams": [], "config": { "fields": [ "timestamp", "srcip", "srcname", "dstip", "dstname", "dstport", "app", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "ef814c0b-7f72-4851-83e8-896490bb21b4", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:forward" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 500, "row_pivots": [ { "fields": [ "srcip" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcmac" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcname" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ 
"srchwvendor" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "srcfamily" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "osname" ], "type": "values", "config": { "limit": 500 } }, { "fields": [ "devtype" ], "type": "values", "config": { "limit": 500 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "60619577-03f8-401d-8c4b-86c9320c8b53": [ "c541fb71-3851-495e-b2b3-b65d372bfdc4" ], "ef814c0b-7f72-4851-83e8-896490bb21b4": [ "24d12620-35f6-46ad-b750-a117a18d0893" ], "e32daa88-86fa-4494-8ff0-661d934dfc5d": [ "c60da581-8a07-43c9-8b58-670a4d491c1c" ], "4f3cff32-b6b2-4765-9657-73828b1cfad2": [ "f1b7ba4c-24ad-459e-b9fd-d71ba69782a5" ], "dd3537ab-7925-4507-832c-cd1589a2546d": [ "328febb2-49d4-40d9-97f4-746df74bf499" ] }, "positions": { "4f3cff32-b6b2-4765-9657-73828b1cfad2": { "col": 9, "row": 23, "height": 4, "width": 4 }, "ef814c0b-7f72-4851-83e8-896490bb21b4": { "col": 1, "row": 18, "height": 4, "width": "Infinity" }, "dd3537ab-7925-4507-832c-cd1589a2546d": { "col": 1, "row": 22, "height": 4, "width": 4 }, "e32daa88-86fa-4494-8ff0-661d934dfc5d": { "col": 5, "row": 22, "height": 4, "width": 4 }, "60619577-03f8-401d-8c4b-86c9320c8b53": { "col": 1, "row": 27, "height": 6, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "34d9ef39-dd5c-4454-9307-a94551327f9d": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "VPN" }, "widget": { "af5c76e1-25a2-4c3a-b01c-11ddd81eeac3": "Details" } }, "widgets": [ { "id": "af5c76e1-25a2-4c3a-b01c-11ddd81eeac3", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:vpn" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" 
], "config": { "fields": [ "timestamp", "action", "reason", "logdesc", "user" ], "show_message_row": true, "show_summary": false, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "af5c76e1-25a2-4c3a-b01c-11ddd81eeac3": [ "12dbbdac-a1df-40a8-b62e-148d62f0972b" ] }, "positions": { "af5c76e1-25a2-4c3a-b01c-11ddd81eeac3": { "col": 1, "row": 4, "height": 7, "width": "Infinity" } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "7f432e7d-7180-4335-8fa6-b3720401fdf9": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Overview" }, "widget": { "989db1bf-9206-4345-b95f-462ff0072d05": "Incoming Message Count", "916975d9-4fa1-46f6-90b9-c259227f95f6": "Firewalls", "db017cbf-de23-4220-8441-3a3b32093e08": "Details", "c43d042d-e42a-4ec7-81b3-57b08f6db347": "Log Levels", "81f73ae9-bd73-4f66-82ae-7db3e0be6246": "Message Types", "dbe512cb-0681-489f-a58c-b9d570debe11": "Messages for subtype:forward" } }, "widgets": [ { "id": "c43d042d-e42a-4ec7-81b3-57b08f6db347", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "level" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "989db1bf-9206-4345-b95f-462ff0072d05", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { 
"visualization": "numeric", "column_limit": null, "event_annotation": false, "row_limit": null, "row_pivots": [], "series": [ { "config": { "name": "Message Count" }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "db017cbf-de23-4220-8441-3a3b32093e08", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "source", "devid", "subtype" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } }, { "id": "81f73ae9-bd73-4f66-82ae-7db3e0be6246", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 100, "row_pivots": [ { "fields": [ "subtype" ], "type": "values", "config": { "limit": 100 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } }, { "id": "916975d9-4fa1-46f6-90b9-c259227f95f6", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "table", "column_limit": null, "event_annotation": false, "row_limit": 1000, "row_pivots": [ { "fields": [ "source" ], "type": "values", "config": { "limit": 1000 } }, { "fields": [ "devid" ], "type": "values", "config": { "limit": 1000 } } ], 
"series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": { "pinned_columns": [] }, "formatting_settings": null, "sort": [] } } ], "widget_mapping": { "989db1bf-9206-4345-b95f-462ff0072d05": [ "68252868-1545-4d13-8d00-cbae56df5871" ], "916975d9-4fa1-46f6-90b9-c259227f95f6": [ "39b63227-577e-4fc3-8241-0c940a70ad86" ], "81f73ae9-bd73-4f66-82ae-7db3e0be6246": [ "0bf39a74-de77-459b-8243-a2705d15cafa" ], "db017cbf-de23-4220-8441-3a3b32093e08": [ "8c38d879-e2f0-4738-8e96-e5116cfa063f" ], "c43d042d-e42a-4ec7-81b3-57b08f6db347": [ "b98c4dc5-a8a5-4bab-96e9-5dfe02b38df6" ] }, "positions": { "81f73ae9-bd73-4f66-82ae-7db3e0be6246": { "col": 1, "row": 16, "height": 5, "width": 3 }, "db017cbf-de23-4220-8441-3a3b32093e08": { "col": 4, "row": 16, "height": 5, "width": 9 }, "989db1bf-9206-4345-b95f-462ff0072d05": { "col": 1, "row": 12, "height": 4, "width": 4 }, "916975d9-4fa1-46f6-90b9-c259227f95f6": { "col": 5, "row": 12, "height": 4, "width": 4 }, "c43d042d-e42a-4ec7-81b3-57b08f6db347": { "col": 9, "row": 12, "height": 4, "width": 4 } }, "formatting": { "highlighting": [] }, "display_mode_settings": { "positions": {} } }, "9d3956e6-8403-43e2-9794-6287c22e83e3": { "selected_fields": null, "static_message_list_id": null, "titles": { "tab": { "title": "Web Filter" }, "widget": { "9693b5ea-6caf-42d7-840d-51f2f025a36b": "Top 20 Categories", "f08c212f-5063-4c1b-9811-6ac338c6b820": "Action", "b5621cf7-0735-46e6-b1d1-f394ba376db6": "Details" } }, "widgets": [ { "id": "9693b5ea-6caf-42d7-840d-51f2f025a36b", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "catdesc" ], "type": "values", "config": { 
"limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "f08c212f-5063-4c1b-9811-6ac338c6b820", "type": "aggregation", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "visualization": "pie", "column_limit": null, "event_annotation": false, "row_limit": 15, "row_pivots": [ { "fields": [ "action" ], "type": "values", "config": { "limit": 15 } } ], "series": [ { "config": { "name": null }, "function": "count()" } ], "rollup": false, "column_pivots": [], "visualization_config": null, "formatting_settings": null, "sort": [] } }, { "id": "b5621cf7-0735-46e6-b1d1-f394ba376db6", "type": "messages", "filter": null, "filters": [], "timerange": { "from": 300, "type": "relative" }, "query": { "type": "elasticsearch", "query_string": "subtype:webfilter" }, "streams": [ "df852f10-5ee5-450d-a8da-3e7f26f5f15b" ], "config": { "fields": [ "timestamp", "srcip", "dstip", "hostname", "catdesc", "user", "action" ], "show_message_row": true, "show_summary": true, "decorators": [], "sort": [ { "type": "pivot", "field": "timestamp", "direction": "Descending" } ] } } ], "widget_mapping": { "b5621cf7-0735-46e6-b1d1-f394ba376db6": [ "555da296-38d4-4ecc-8551-2f67861ffc60" ], "f08c212f-5063-4c1b-9811-6ac338c6b820": [ "c3b9070d-ab09-48fb-b765-beedcb3dbae4" ], "9693b5ea-6caf-42d7-840d-51f2f025a36b": [ "9f46d2a4-5143-487a-b4c2-750563a6d2e0" ] }, "positions": { "f08c212f-5063-4c1b-9811-6ac338c6b820": { "col": 9, "row": 22, "height": 5, "width": 4 }, "9693b5ea-6caf-42d7-840d-51f2f025a36b": { "col": 1, "row": 22, "height": 5, "width": 8 }, "b5621cf7-0735-46e6-b1d1-f394ba376db6": { "col": 1, "row": 27, "height": 8, "width": "Infinity" } }, "formatting": { "highlighting": [] }, 
"display_mode_settings": { "positions": {} } } }, "properties": [], "owner": "sean", "title": { "@type": "string", "@value": "FortiGate Syslog" }, "type": "DASHBOARD", "description": { "@type": "string", "@value": "Dashboards for analyzing Application Control, DNS Filtering, Forward Traffic, IPS, Local Traffic, Multicast Traffic, SSL/TLS/SSH Inspection, VPN, and Web Filtering logs" } }, "constraints": [ { "type": "server-version", "version": ">=5.0.6+51f2df8" } ] }, { "v": "1", "type": { "name": "stream", "version": "1" }, "id": "df852f10-5ee5-450d-a8da-3e7f26f5f15b", "data": { "alarm_callbacks": [], "outputs": [], "remove_matches": { "@type": "boolean", "@value": true }, "title": { "@type": "string", "@value": "FortiGate Syslog" }, "stream_rules": [ { "type": { "@type": "string", "@value": "REGEX" }, "field": { "@type": "string", "@value": "devid" }, "value": { "@type": "string", "@value": "^FG([0-9]{2,3})[A-Z]T|^FGT" }, "inverted": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "Match FortiGate serial number prefixes in the devid field" } } ], "alert_conditions": [], "matching_type": { "@type": "string", "@value": "AND" }, "disabled": { "@type": "boolean", "@value": false }, "description": { "@type": "string", "@value": "Logs from FortiGate firewalls" }, "default_stream": { "@type": "boolean", "@value": false } }, "constraints": [ { "type": "server-version", "version": ">=5.0.6+51f2df8" } ] } ] }