diff --git a/dashboards/Data_Explorer b/dashboards/Data_Explorer
index 9045250..a68f531 100644
--- a/dashboards/Data_Explorer
+++ b/dashboards/Data_Explorer
@@ -1,5 +1,223 @@
 {
- tabs: [{"tabName":"Connections",
+ tabs: [{"tabName":"Asset Classification","graphs":[
+ {
+ dataLabelType: "PERCENTAGE",
+ description: "",
+ graphStyle: "donut",
+ maxPieSlices: 15,
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let brand = (brand = null || brand = \"\") ? \"Unknown\" : brand\n| filter mac != \"\"\n| group \"unique_devices\"=estimate_distinct(mac) by brand\n| sort - unique_devices\n| limit 15",
+ title: "Brand Breakdown By Unique MAC Addresses",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 20,
+ y: 0
+},
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ },
+ {
+ dataLabelType: "PERCENTAGE",
+ description: "",
+ graphStyle: "donut",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 40,
+ y: 0
+},
+ maxPieSlices: 10,
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let type_name = (type_name = null || type_name = \"\") ? \"Unknown\" : type_name\n| group \"unique_devices\"=estimate_distinct(mac) by type_name\n| sort - unique_devices\n| limit 10",
+ title: "Device Type Breakdown by Unique MAC Addresses",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ ,
+ },
+ {
+ description: "",
+ graphStyle: "",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 0,
+ y: 0
+},
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let os_name = (os_name = null || os_name = \"\") ? \"Unknown\" : os_name\n| group \"unique_devices\"=estimate_distinct(mac) by os_name\n| sort - unique_devices\n| limit 10",
+ title: "Total Operating Systems By Unique MAC Addresses",
+ },
+ {
+ dataLabelType: "PERCENTAGE",
+ description: "",
+ graphStyle: "donut",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 0,
+ y: 16
+},
+ maxPieSlices: 10,
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let type_group = (type_group = null || type_group = \"\") ? \"Unknown\" : type_group\n| group \"unique_devices\"=estimate_distinct(ip) by type_group\n| sort - unique_devices\n| limit 10",
+ title: "Device Groupings by Unique IP Addresses",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ ,
+ },
+ {
+ dataLabelType: "PERCENTAGE",
+ description: "",
+ graphStyle: "donut",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 20,
+ y: 16
+},
+ maxPieSlices: 10,
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let os_ver = (os_ver = null || os_ver = \"\") ? \"Unknown\" : os_ver, os_name = (os_name = null) ? \"Unknown\" : os_name\n| let os_full = (os_ver != \"Unknown\") ? os_name + \" \" + os_ver : os_name\n| group \"unique_devices\"=estimate_distinct(mac) by os_full\n| sort - unique_devices",
+ title: "Operating System Versions By Unique MAC Addresses",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ ,
+ },
+ {
+ dataLabelType: "PERCENTAGE",
+ description: "",
+ graphStyle: "donut",
+ layout: {
+ h: 16,
+ w: 20,
+ x: 40,
+ y: 16
+},
+ maxPieSlices: 10,
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let str_to_arr_sources = sources.extract_matches('[a-z]+'), is_contain_http = str_to_arr_sources.contains(\"http\"), is_contain_dhcp = str_to_arr_sources.contains(\"dhcp\"), both_arr = array(\"both\")\n| let updated_sources = (is_contain_http AND is_contain_dhcp) ? str_to_arr_sources.concat(both_arr) : str_to_arr_sources\n| let expanded_sources = updated_sources.expand()\n| group \"Devices\"=estimate_distinct(ip) by expanded_sources \n| sort - Devices\n| limit 10",
+ title: "Discovery Sources By Unique IP Addresses",
+ totalNumberConfig: {
+ enabled: false,
+ label: ""
+ }
+ ,
+ },
+ {
+ graphStyle: "",
+ query: "| join\n(metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'conn'\n| filter service != null service != \"\"\n| columns src_ip=src_endpoint.ip , app=service),\n(metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification' \n| columns ip, os_name, device_type) on src_ip = ip\n| group \"Weight\"=count() by \"OS Name\"=os_name, \"App\"=app\n| sort - Weight\n| limit 10",
+ title: "Top Applications by Operating System",
+ layout: {
+ h: 14,
+ w: 27,
+ x: 0,
+ y: 32
+},
+ },
+ {
+ graphStyle: "line",
+ title: "Device Types Over Time By Unique MAC Addresses",
+ layout: {
+ h: 14,
+ w: 33,
+ x: 27,
+ y: 32
+},
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification' AND type_name = *\n| group \"Active Assets\"=estimate_distinct(mac) by timestamp=timebucket(\"1h\"), type_name\n| transpose type_name on timestamp",
+ lineSmoothing: "straightLines"
+ },
+ {
+ graphStyle: "line",
+ layout: {
+ h: 13,
+ w: 27,
+ x: 0,
+ y: 46
+},
+ lineSmoothing: "straightLines",
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification' AND model = *\n| group \"Active Assets\"=estimate_distinct(ip) by timestamp=timebucket(\"1h\"), model\n| transpose model on timestamp",
+ title: "Top Models Over Time By Unique IP Addresses"
+ },
+ {
+ graphStyle: "",
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let type_name = (type_name = null OR type_name = \"\") ? \"Unknown\" : type_name, os_name = (os_name = null OR os_name = \"\") ? \"Unknown\" : os_name, type_group = (type_group = null OR type_group = \"\") ? \"Unknown\" : type_group\n| group \"OS Name\"=(array_agg_distinct(os_name)).to_string(), \"Type Name\"=(array_agg_distinct(type_name)).to_string(), \"Type Group\"=(array_agg_distinct(type_group)).to_string() by \"IP\"=ip\n| sort - IP\n| limit 100",
+ title: "Classification Details per Host",
+ layout: {
+ h: 14,
+ w: 33,
+ x: 27,
+ y: 59
+}
+ },
+ {
+ graphStyle: "",
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let brand = (brand = null OR brand = \"\") ? \"Unknown\" : brand, model = (model = null OR model = \"\") ? \"Unknown\" : model, device_type = (device_type = null OR device_type = \"\") ? \"Unknown\" : device_type\n| filter type_group = \"Audio & Video\" OR type_group = \"Smart Home\" OR device_type = \"GAME_CONSOLE\"\n| group \"Count\"=estimate_distinct(ip) by \"Device Type\"=device_type, \"Brand\"=brand, \"Model\"=model\n| sort - Count\n| limit 100",
+ title: "Detected IoT (Audio, Video, Gaming)",
+ layout: {
+ h: 14,
+ w: 27,
+ x: 0,
+ y: 59
+}
+ },
+ {
+ graphStyle: "",
+ query: "metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification'\n| let mac = (mac = null || mac = \"\") ? \"Unknown\" : mac, os_name = (os_name = null || os_name = \"\") ? \"Unknown\" : os_name, os_ver = (os_ver = null || os_ver = \"\") ? \"Unknown\" : os_ver, type_name = (type_name = null || type_name = \"\") ? \"Unknown\" : type_name, type_group = (type_group = null || type_group = \"\") ? \"Unknown\" : type_group, brand = (brand = null || brand = \"\") ? \"Unknown\" : brand, model = (model = null || model = \"\") ? \"Unknown\" : model, ip = (ip = null || ip = \"\") ? \"Unknown\" : ip\n| let confidence = confidence >= 40 ? \"High\" :\n(confidence >= 20 && confidence <= 39) ? \"Medium\" :\n(confidence >= 1 && confidence <= 19) ? \"Low\" : \"Unknown\"\n| let ts = strftime(timestamp, \"%Y-%m-%d %H:%M:%S\")\n| group \"Mac\"=(array_agg_distinct(mac)).to_string(), \"OS Name\"=(array_agg_distinct(os_name)).to_string(), \"OS Version\"=(array_agg_distinct(os_ver)).to_string(), \"Type Name\"=(array_agg_distinct(type_name)).to_string(), \"Type Group\"=(array_agg_distinct(type_group)).to_string(), \"Brand\"=(array_agg_distinct(brand)).to_string(), \"Model\"=(array_agg_distinct(model)).to_string(), \"Sources\"=(array_agg_distinct(sources)).to_string() by \"Time\"=ts, \"IP\"=ip, \"Confidence\"=confidence\n| limit 100",
+ title: "Device Inventory with Classifications",
+ layout: {
+ h: 14,
+ w: 60,
+ x: 0,
+ y: 73
+}
+ },
+ {
+ graphStyle: "line",
+ layout: {
+ h: 13,
+ w: 33,
+ x: 27,
+ y: 46
+},
+ lineSmoothing: "straightLines",
+ query: "| join\n(metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'conn'\n| let total_bytes = orig_bytes + resp_bytes\n| columns src_ip=src_endpoint.ip, total_bytes, timestamp=timestamp),\n(metadata.product.vendor_name = 'Corelight' AND metadata.log_name = 'asset_classification' \n| columns ip, device_type) on src_ip = ip\n| group \"total_bytes\"=sum(total_bytes) by timestamp=timebucket(), device_type \n| transpose device_type on timestamp",
+ title: "Data Transferred by Device Type By IP Addresses"
+ },
+ ],
+ filters: [
+ {
+ facet: "_system_name",
+ name: "Sensor"
+ },
+ {
+ facet: "os_name",
+ name: "Operating System"
+ },
+ {
+ facet: "type_group",
+ name: "Device Type Group"
+ },
+ {
+ facet: "type_name",
+ name: "Device Type Name"
+ },
+ {
+ facet: "ip",
+ name: "IP Address"
+ }
+ ],
+ options: {layout: {locked: 1}},
+ options: {layout: {locked: 0}},
+ options: {layout: {locked: 1}},
+ options: {layout: {locked: 0}},
+ options: {layout: {locked: 1}},
+ options: {layout: {locked: 0}},
+ options: {layout: {locked: 1}}
+},
+{"tabName":"Connections",
 "parameters": [
 {
 "name": "Show Aggregation Logs",
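Review bot: The new "Asset Classification" tab ends with `options: {layout: {locked: ...}}` declared seven times with the value flipping between 1 and 0, so whether the layout ends up locked depends on the loader's duplicate-key behaviour (last-wins in most JSON parsers, an error in strict ones); keep a single `options: {layout: {locked: 1}}` with whichever value is intended. In the "Top Applications by Operating System" query, `filter service != null service != \"\"` has no connective between the two conditions and reads as a typo for `filter service != null AND service != \"\"`. The "Operating System Versions" query normalises `os_ver` for both null and empty string but only `os_name = null`, unlike every other graph on the tab, so an empty `os_name` is rendered as `" " + os_ver`; `os_name = (os_name = null || os_name = \"\") ? \"Unknown\" : os_name` would match the rest. The enclosing `tabs` array and the remaining "Connections" tab continue past this hunk.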
diff --git a/parsers/corelight-asset_classification-dev b/parsers/corelight-asset_classification-dev
new file mode 100644
index 0000000..ebf6eea
--- /dev/null
+++ b/parsers/corelight-asset_classification-dev
@@ -0,0 +1,45 @@
+{
+ attributes: {
+ "dataSource.category": "security",
+ "dataSource.name": "Corelight",
+ "dataSource.vendor": "Corelight",
+ "class_uid": 5001,
+ "category_uid": 5,
+ "severity_id": 1,
+ "class_name": "Device Inventory Info",
+ "category_name": "Discovery",
+ "metadata.product.name": "Corelight",
+ "metadata.product.vendor_name": "Corelight",
+ "metadata.version": "28.2.0",
+ "app_name": "Corelight"
+ },
+ formats: [
+ {
+ format: "${parse=dottedJson}$",
+ repeat: true
+ rewrites: [
+ {
+ input: "_path",
+ output: "metadata.log_name",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "ts",
+ output: "timestamp",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "ts",
+ output: "time",
+ match: ".*",
+ replace: "$0"
+ }, {
+ input: "uid",
+ output: "metadata.uid",
+ match: ".*",
+ replace: "$0"
+ }
+ ]
+ }
+ ]
+ }
\ No newline at end of file
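Review bot: `repeat: true` in the format entry has no trailing comma before `rewrites: [`, while every other member in this file is comma-separated, so unless the loader accepts newline-separated members the parser will fail to load and none of the asset_classification events will be tagged; write `repeat: true,`. The `_path` → `metadata.log_name` rewrite is what the dashboard queries' `metadata.log_name = 'asset_classification'` filters depend on, so if the `dottedJson` parse ever yields events without `_path` they silently drop out of every graph on that tab; this dependency is worth stating in whatever documentation accompanies the parser, since the file format does not appear to allow comments. The `ts` field is rewritten to both `timestamp` and `time`; if only one is consumed downstream the other is dead configuration.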