Versions Compared

Old Version 6

changes.mady.by.user andrew johnston

Saved on

compared with

New Version Current

changes.mady.by.user AlexI

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Overview

You can use the Record Analyzer (encapsulation of the Kibana GUI

...

From Sep 2014, the Kibana GUI also lets you view appropriately indexed custom jobs and documents.

 

Image Removed

...

) to gain insights into structured records such as logs.  This enables analysis of "record" objects.

Info

Versions of

...

the platform earlier than v0.3 (May 2014) do not support this functionality, nor do v0.3+ running on earlier versions of elasticsearch (<1.0). The 'infinit.e.record.engine' RPM must be installed.

About the Kibana Implementation

Ingest of records into

...

the platform is currently only possible via the Logstash extractor

...

Most of the documentation on the main Kibana site holds for the Infinit.e implementation.

The following are Infinit.e-specific details:

...

.

Once the records have been ingested, they can be visualized using the record Analyzer widget.

Info

Note that the Kibana web page can also be accessed in a normal browser window/tab, via:

"<ROOT_URL>/infinit.e.records/static/kibana/". By default this will show "stashed" mode and all communities - this can be adjusted by the following URL parameters:

  • "cids=<comma separated list of community ids>"
  • "mode=<live|stashed>"
  • Which data types to view:
    • "records=<true|false>" (default true)
    • "custom=<true|false>" (default false)
    • "docs=<true|false>" (default false)

This view does not provide a login option - you must login via one of the standard routes (manager or main GUI).

 

Live and Saved Modes

When records are ingested, there are two modes: "streaming: true", and "streaming: false"

In "streaming" mode, records are only retained for 30 days.

...

 In "stashed" mode, records are retained until manually deleted

...

 The "View Live" and "View Saved" toggle buttons on the widget toolbar toggle between viewing of these two modes.

...

  • (Note that the "refresh button" in the top right of the Kibana view must currently be pressed after changing the toggle.)

...

  • (After changing the toggles, the Kibana refresh button must be used to update the display)
  • Logs: Show records harvested using the Logstash extractor
  • Custom: Shows the results of custom jobs that have been configure with "$output.indexMode": "custom"
    • The custom fields get given "_type": "custom", and "sourceKey": <"custom:" then the custom job title>
  • Docs: Shows a subset of "normal" (Infinit.e) documents. 
    • Note that communities created before 
    • Only the following fields are (currently) visible in the "Table" view (eg "All Events"): "message" (from the title), "@timestamp" (from publishedDate), "url", "displayUrl", "tags", "type" (from mediaType)
      • Other fields (except entities and assocations) can be used in the other dashboards and queries. 
        • Various dropdowns list the available fields (Eg Fields>All) in the "Table" view (eg "All Events")
        • (Entities and assocations use "nested" fields, which Kibana does not currently support)
      • Note that fields configured to be non-indexed by the harvester (eg Search index settings pipeline element) cannot be viewed

...

  • Dashboards are stored as Infinit.e shares that can be edited/shared/deleted from the File Uploader
  • "Live" dashboards are only visible in "live" mode, and similarly for "Saved"
  • When a dashboard is first saved, it is shared across all currently selected communities and for the given live/stashed mode.

...

Using the Widget

Querying the Record Analyzer

When you query the main GUI, you can pass the query to the record Analayzer by clicking on "Add Doc Query."

Provided that you have "records" within the selected communities/sources they will be displayed by the Record Analyzer.

To query the Record Analyzer

  1. Provide a query to the GUI and ensure that the Record Analyzer widget is added to the workspace.
  2. In the Record Analyzer widget toolbar, click on Add Doc Query.
  3. Ensure that the "Show:" settings are tuned appropriately.  You will need to at least show some Logs or Docs.  Provided the query is successful, the Record Analyzer is populated with the Data Types, Sources, and Event data that correspond to the Live template or Saved template.

For more information, see section Record Analyzer Interface.

Viewing and Filtering Logs in the Event Table

Once you have selected your Communities and performed a query against the record objects, you can use the Record Analyzer widget to view the events in the Event Table.

To view the logs

  1. From the widget interface, scroll down to All Events.
  2. Select the fields to be displayed from the left navigation.
  3. Click on one of the fields to filter accordingly.  For example, you can filter by type (eg. apache, DNS, Snort etc.)

Investigating an Event

A common cyber threat analysis procedure is to investigate a specific log file as part of malware analysis.

To perform an investigation

  1. From the Record Analyzer widget, scroll own to the All Events table
  2. Use log analysis and filtering techniques to hone in on the records for further analysis
  3. Click on the log file entry to expand it.  You can view the data in a table, as JSON, or in raw format.  In some cases, the message will contain links to more information concerning a specific cyber threat.

Refreshing a Community

In some cases you will want to enable/disable scanning of Communities.  When this control is toggled on/of you must also perform a refresh from within the Record Analyzer widget.

To refresh a Community

  1. Change the state of the community filter on/off.
  2. From the Kibana GUI click on Refresh.  The Community filter setting is changed and the widgets update to reflect the new setting.

Refreshing the Data Types

You can view three data types from the record Analyzer widget: Logs, Custom, Docs.

To change the state

  1. Toggle on/off the three different record types.
  2. Click the Kibana refresh button.  The data type setting is changed and the widgets update to reflect the new setting.

Creating Custom Dashboards

Using the Record Analyzer widget it is possible to create custom Dashboards.

To create a custom Dashboard

  1. Using the Record Analyzer widget add/delete Rows and Panels as required.  For more information, see the Kibana Documentation.
  2. When the Dashboard is to your liking, click Save.
  3. Provide a name for the new dashboard and click on the Save icon again.

About Creating Custom Dashboards

If creating a custom dashboard:

For records:

In live mode only "daily" timestamps are supported, together with the following index names:

  • "[logstash-]YYYY.MM.DD" or "[ls-]YYYY.MM.DD" - will shows records from all selected communities. (Just a short cut that maps to:)
  • "[recs_t_<community id>_]YYYY.MM.DD" - for any community id to which the user belongs.

Note that this does not override the community selection in the main GUI.

In stashed mode, only "none" timestamps are supported, together with the following index names:

  • "_all" - will

...

  • show records from all selected communities. (Just a short cut that maps to:)
  • "recs_<community id>" - for any community id to which the user belongs. 

(Within each community index, the "sourceKey" field can be used to pull out individual sources)

Note that this does not override the community selection in the main GUI.

For documents:

  • Documents are all stored in "docs_<community id>" with type "document_index". Note that

...

  • "cids=<comma separated list of community ids>"
  • "mode=<live|stashed>"
  • Which data types to view:
    • "records=<true|false>" (default true)
    • "custom=<true|false>" (default false)
    • "docs=<true|false>" (default false)

This view does not provide a login option - you must login via one of the standard routes (manager or main GUI).

Info

Note finally that, as for all Javascript-based widgets, the "add to clipboard" function is not available.

...

  • :
    • Entities and associations are nested (so eg it is not possible to aggregate over them from Kibana, though it is by hand)
    • Only a small subset of the fields are in the "_source" field. The others can be aggregated over (including in Kibana) or retrieved from the store (Kibana does not support this)
    • Within each community index, the "sourceKey" field can be used to pull out individual sources

For custom objects:

  • If the custom source sets the data to be indexed, then the data is stored in "custom_<job id>_1" or "custom_<job id>_2", depending on which of the 2 output collections is active.
    • Each job is aliased to the community index, "customs_<community id>"
    • Within these indexes, the "sourceKey" field can be used to pull out individual sources

For V2 objects:

  • The set of indexes is deterministically generated from the bucket full name (see BucketTemplateUtils.getUniqueSignature for an example of how to generate the base index). 
  • The actual indexes have both temporal suffixes, suffixes for the different active buffer (similar to the _1 or _2 in the custom jobs), and suffix for segments, but:
    • The safe form for reading all records from a bucket is "r__<base index>*"
    • Given knowledge of the temporal signature, then "r__<base index>_<time signature>*" can be used to cut down on the amount of data
  • The bucket indexes are not guaranteed to have a field (other than "_index", which has some restrictions on its used) that can be used to pull out desired buckets from a multi-index query (though nothing stops the source developer from adding such a thing!), but...
    • ...(Roadmap: the record server API will provide an override param "&v2_path=<list of virtual file path globs, supporting * and ** wildcards>" to pull out only the desired buckets

Importing Dashboards

It is possible to save Kibana dashboards and import them into the platform as JSON shares.  Once imported as shares, the Dashboards can be loaded into the Record Analyzer.

To import a Dashboard

  1. From the Record Analyzer widget, click on the "Load" icon.  The uploaded JSON shares from the selected communities are available from the menu.  
  2. Select the Dashboard of choice.  The new Dashboard is loaded into the interface.

Panel

In this section:

Table of Contents
maxLevel2
indent16px

 

Panel

Related User Documentation:

Record Analyzer Interface

Kibana Documentation

Panel

Related Media:

Cyber Log Analysis Use Case Video

...

Record Analyzer Interface

...