This is a useful data table that can help you identify alerts that are being generated by your intrusion detection system.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Data table" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Split rows" and then "Aggregation" as "Terms".
- Select "Field" as
alert.signature.keywordand click "Apply". - Increase the "Size" to 1000 to show all the alerts.
- Save the visualization as "Data Table - Alerts".
This visualization can help you identify the geographical locations of the alerts generated by your intrusion detection system. This does not include alerts generated by local to local IP addresses.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Coordinate Map" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Geohash" as the aggregation type.
- Select "Field" as
geoip.geohash. - Add a filter for
event_type.keyword:alertto ensure only alerts are shown. - Save the visualization as "Coordinate Map - Alert Geo Map".
This visualization can help you identify the top alerts generated by source IPv4 addresses.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Data table" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Split rows" and then "Aggregation" as "Terms".
- Select "Field" as
src_ip.keywordand click "Apply". - Increase the "Size" to 1000 to show all the source IPs.
- Add a filter for
event_type.keyword:alertto ensure only alerts are shown. - Add a filter for IPv4 addresses only. Click "Add filter" then
src_ipwith operatoris betweenvalues0.0.0.0and255.255.255.255. - Save the visualization as "Data Table - Top Alerts by Source IP (IPv4)".
You can do the same to generate a visualization for destination IP addresses.
This visualization can help you identify the top alerts generated by source IPv6 addresses.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Data table" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Split rows" and then "Aggregation" as "Terms".
- Select "Field" as
src_ip.keywordand click "Apply". - Increase the "Size" to 1000 to show all the source IPs.
- Add a filter for
event_type.keyword:alertto ensure only alerts are shown. - Add a filter for IPv6 addresses only. Click "Add filter" then
src_ipwith operatoris not betweenvalues0.0.0.0and255.255.255.255. - Save the visualization as "Data Table - Top Alerts by Source IP (IPv6)".
Do the same for destination IP addresses.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Data table" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Split rows" and then "Aggregation" as "Terms".
- Select "Field" as
src_ip.keywordand click "Apply". - Increase the "Size" to 1000 to show all the source IPs.
- Add a filter for
event_type.keyword:alertto ensure only alerts are shown. - Add a filter for
alert.severity: 1. - Save the visualization as "Data Table - Top Source IP for High Severity Alerts".
Do the same for destination IP addresses.
For this we'll use TSVB to create a timeline visualization of the alert severity over time.
- Go to the Opensearch Dashboards web interface.
- Click on the "Visualize" tab in the left top area.
- Click on "Create visualization".
- Select "Time Series Visual Builder" as the visualization type.
- Select the index pattern (logstash*) and click "Next step".
- Select "Aggregation" as "Terms".
- Select "Field" as
alert.severityand click "Apply". - In label write "Alert Severity".
- Click on the "Save" button to save the visualization as "TSVB - Alert Severity Timeline".
This is useful for reviewing quickly some data about the alerts you are observing.
- Go to the Opensearch Dashboards web interface.
- Click on the "Discover" tab in the left top area.
- Click on "Create index pattern" and select the index pattern (logstash*).
- Click on "Discover" to see the data.
- You can filter the data by
event_type.keyword:alertto see only alerts. - Save the search as "Alert Discover".
Now that you have created all these visualizations, you can put them together in a dashboard to get a comprehensive view of the alerts generated by your intrusion detection system.
- Go to the Opensearch Dashboards web interface.
- Click on the "Dashboard" tab in the left top area.
- Click on "Create dashboard".
- Click on "Add" to add the visualizations you created to the dashboard.
- Arrange the visualizations as you see fit.
- Click on the "Save" button to save the dashboard.
Here's how it look like:
The best approach for this dashboard is rinse and repeat. Start removing any alerts that are false positives including all SURICATA:
NOT alert.signature: SURICATA*
Then start looking at the alerts that are left. You can start by looking at the top alerts by source IP and destination IP. This can help you identify the top sources of alerts in your network. You can then drill down into the alerts generated by these IP addresses to investigate further.
If you see an alert that stands out, isolate it and investigate. You can use the alert discover tab to quickly filter the data and see the details of the alert. This can help you understand the context in which the alert was generated and take appropriate action.
Then switch to the "Discover" tab and look for 1-2 minutes within that time frame. More information about this strategy is provided in the book.