StamusNetworks / KTS7

Kibana 7 Templates for Suricata IDPS Threat Hunting
GNU General Public License v3.0

Error with Painless scripted field 'doc['flow_id'].value'. #1

Open myrsecurity opened 4 years ago

myrsecurity commented 4 years ago

Hi, I've tried to import the dashboards following the method

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"logstash-2020.04.29-000001","node":"RmOnDn2mSsWSKkNKg2bgsA","reason":{"type":"script_exception","reason":"runtime error","script_stack":["org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:94)","org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:41)","doc['flow_id'].value"," ^---- HERE"],"script":"doc['flow_id'].value","lang":"painless","caused_by":{"type":"illegal_argument_exception","reason":"No field found for [flow_id] in mapping with types []"}}}]},"status":400}

I'm reading from a Remote PFSENSE via Filebeats. The logs hit Elastic after all of the filtering etc.

Thank you

pevma commented 4 years ago

How do you import the dashboards exactly?

alphaDev23 commented 3 years ago

I'm receiving the same script exception. Dashboards, etc. are imported via the curl commands provided on the README page. The issue is preventing events in the EventsList from being displayed. I'm using the logstash filter that is linked to off the README page. The following is further information from the SN-ALL dashboard. Please advise.

script_exception at shard 0
index: logstash-flow-2020.11.22
node: VURsDiwmTnyNCTmjTmpqmQ
Type: script_exception
Reason: runtime error
Script stack:
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.get(ScriptDocValues.java:121)
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.getValue(ScriptDocValues.java:115)
'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
^---- HERE
Script: 'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
Lang: painless
Position offset: 73
Position start: 0
Position end: 232
Caused by type: illegal_state_exception
Caused by reason: A document doesn't have a value for a field! Use doc[].size()==0 to check if a document is missing a field!

pevma commented 3 years ago

Was able to reproduce. Will try to cook a patch today. I think it is related to a possible fix here- https://github.com/StamusNetworks/SELKS/issues/255#issuecomment-698536769

I would like to confirm - on which dashboards/vizs does this appear?

alphaDev23 commented 3 years ago

I only have Elasticsearch indexes for: alert, fileinfo, flow, http, tls. The issue is only appearing on SN-ALERTS from the data I have.

As a note, I attempted to use Filebeat to send Suricata logs directly to Elasticsearch using the provided elasticsearch7-template.json template. I verified the template was loaded in Elasticsearch. However, I believe my filebeat.yml file was incorrectly configured because I was only able to get a logstash- index, by modifying 'output.elasticsearch.index', and nothing was displayed in the dashboards. I'm not a Filebeat expert. If you have a filebeat.yml that works with the template, it will eliminate the logstash service from the solution.

pevma commented 3 years ago

Were the indexes created/existed in Kibana/Management?

alphaDev23 commented 3 years ago

The indexes were created through the logstash template provided off the README page. It is a slight modification given that 'type' doesn't exist in 7.x. The indexes did not exist prior to instantiating the stack.

pevma commented 3 years ago

Ok - just to confirm, the issue appears only on SN-ALL or on SN-ALERTS? From the error, it comes in from the logstash-flow... index, which is not used, I think, in SN-ALERTS.

alphaDev23 commented 3 years ago

I made a mistake in my last comment. It is only appearing on SN-ALL. I do not have any data in SN-ALERTS so I'm not able to confirm whether it occurs in SN-ALERTS.

alphaDev23 commented 3 years ago

Any update on the above?

pevma commented 3 years ago

This patch fixes the issue as mentioned here - https://github.com/StamusNetworks/KTS7/issues/1#issuecomment-731723442
Either you can patch it up manually on each scripted field for each index (for example logstash-alert* / logstash-http* etc.) in Kibana Management, or it should also be taken care of in the next dashboards release, planned this week.
Apologies for the delay!
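
Added example, not from the thread or the KTS7 repository: a Python check that reads a Kibana 7 saved-objects export and lists Painless scripted fields that read `doc[...].value` without the `size()` test the exception above asks for. The export lines, the scripted-field names (`flow_id_guarded`, `filter_expr`) and the guarded script are constructed for illustration; only the unguarded script is the one quoted in the error.

```python
import json
import re

# Matches doc['field'].value with single or double quotes (but not .values).
DOC_VALUE = re.compile(r"""doc\[\s*(['"])(?P<field>[^'"]+)\1\s*\]\s*\.\s*value\b""")


def unguarded_fields(script):
    """Return fields read via doc['f'].value that the script never tests with
    doc['f'].size() or doc['f'].empty.

    Heuristic only: it looks for a guard anywhere in the script and does not
    prove that the guard runs before the read.
    """
    missing = []
    for match in DOC_VALUE.finditer(script):
        field = match.group("field")
        guard = re.compile(
            r"""doc\[\s*['"]""" + re.escape(field)
            + r"""['"]\s*\]\s*\.\s*(?:size\s*\(\s*\)|empty\b)"""
        )
        if not guard.search(script) and field not in missing:
            missing.append(field)
    return missing


def audit_export(ndjson_text):
    """Scan a saved-objects export (one JSON object per line) and return
    (index pattern title, scripted field name, unguarded fields) tuples."""
    findings = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("type") != "index-pattern":
            continue  # searches, visualizations, dashboards carry no scripted fields
        attrs = obj.get("attributes", {})
        # In Kibana 7 exports, attributes.fields is a JSON-encoded string.
        fields = json.loads(attrs.get("fields") or "[]")
        for field in fields:
            if not field.get("scripted") or field.get("lang") != "painless":
                continue
            missing = unguarded_fields(field.get("script", ""))
            if missing:
                findings.append((attrs.get("title"), field.get("name"), missing))
    return findings


# The script quoted in the exception on this page.
PAGE_SCRIPT = (
    "'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value"
    " + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value"
    " + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()"
)

# Constructed sample export: ids, field names and the guarded script are made up.
SAMPLE_FIELDS = [
    {"name": "flow_id_guarded", "type": "number", "scripted": True, "lang": "painless",
     "script": "doc['flow_id'].size() == 0 ? 0 : doc['flow_id'].value"},
    {"name": "filter_expr", "type": "string", "scripted": True, "lang": "painless",
     "script": PAGE_SCRIPT},
    {"name": "src_ip", "type": "string", "scripted": False},
]
SAMPLE_EXPORT = "\n".join([
    json.dumps({"type": "index-pattern", "id": "constructed-id-1",
                "attributes": {"title": "logstash-*",
                               "fields": json.dumps(SAMPLE_FIELDS)}}),
    "",
    json.dumps({"type": "visualization", "id": "constructed-id-2",
                "attributes": {"title": "constructed-viz"}}),
])

if __name__ == "__main__":
    for title, name, missing in audit_export(SAMPLE_EXPORT):
        print(f"{title}: scripted field {name!r} reads without a guard: {', '.join(missing)}")
```

This covers the "document doesn't have a value for a field" case. The first error in this thread ("No field found for [flow_id] in mapping") is a mapping problem, which a `size()` guard does not address.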

alphaDev23 commented 3 years ago

No worries. Thank you for fixing. Fantastic work on these dashboards, btw!

ManuelFFF commented 3 years ago

*Running SELKS 6 + ELK 7.10.0 + X-Pack enabled, so all communications are via https

I am having the same issue. So, the solution is just to enable the "community_id" in Suricata config and restart Suricata, or do I need to perform more steps?

Should I use doc['community_id.keyword'].value or doc['community_id'].value?

Thank you

pevma commented 3 years ago

It does not seem the issue is related? For enabling the community id - yes, it just needs to be enabled and Suricata restarted.

ManuelFFF commented 3 years ago

Hi @pevma,

Like I said, I am experiencing the same issue. When I open Discover in Kibana, there's always a pop-up warning stating there is an issue with 2/15 shards. Please see the screenshots below:

Shard error Shard error 2 Shard error 3

This issue starts as soon as I enable X-Pack and all the communications turn over to the https protocol. We have talked about this matter and some side effects this brings to the SELKS suite in other posts. I was hoping that a new SELKS release or patch would fix this and other issues that only appear if the user enables X-Pack with basic security features in ELK. Then I saw this post and I thought that maybe there is an easy way to address this issue, since other users have seen the same error.

I tried enabling the community_id in Suricata config, then restarted Suricata and Evebox. The issue does not disappear, it just mutates into a different error, as you can see here: No community_id field

It does not make any difference if I add or leave the .keyword. Maybe I am missing additional important steps. I hope you can help me to make this error go away.

Thank you

ManuelFFF commented 3 years ago

Any advice?

pevma commented 3 years ago

Think you should use it without the .keyword. Before that you should make sure you see it properly in the json logs (eve.json) - there should be a community flow id key/record in the logs.

ManuelFFF commented 3 years ago

Hi,

I only tried the .keyword because of this comment https://github.com/StamusNetworks/SELKS/issues/255#issuecomment-698792496, but even that did not resolve the issue.

Checking the eve.json logs I can see flow_id field and also the community_id field:

{"timestamp":"2020-12-04T08:50:26.651146-0500","flow_id":1308048361440886,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.128","src_port":58589,"dest_ip":"239.255.255.250","dest_port":3702,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":4886,"bytes_toclient":0,"start":"2020-12-04T08:47:26.378486-0500","end":"2020-12-04T08:47:33.171907-0500","age":7,"state":"new","reason":"unknown","alerted":false},"community_id":"1:JJD9J+CckkTq2iKzZP6j8zVZjNY="}
{"timestamp":"2020-12-04T08:50:26.651523-0500","flow_id":1308048361440886,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.128","src_port":58589,"dest_ip":"239.255.255.250","dest_port":3702,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":7,"pkts_toclient":0,"bytes_toserver":4886,"bytes_toclient":0,"start":"2020-12-04T08:47:26.378486-0500","end":"2020-12-04T08:47:33.171907-0500","age":7,"state":"new","reason":"unknown","alerted":false},"community_id":"1:JJD9J+CckkTq2iKzZP6j8zVZjNY="}
{"timestamp":"2020-12-04T08:50:27.318169-0500","flow_id":2012176036617619,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.179","src_port":50754,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":150,"bytes_toclient":0,"start":"2020-12-04T08:47:15.613779-0500","end":"2020-12-04T08:47:16.020953-0500","age":1,"state":"new","reason":"unknown","alerted":false},"community_id":"1:eR0XiX1AMxyOvQcJd8kGHF+YIzY="}
{"timestamp":"2020-12-04T08:50:27.318319-0500","flow_id":2012176036617619,"in_iface":"enp2s0","event_type":"flow","src_ip":"192.168.1.179","src_port":50754,"dest_ip":"224.0.0.252","dest_port":5355,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":2,"pkts_toclient":0,"bytes_toserver":150,"bytes_toclient":0,"start":"2020-12-04T08:47:15.613779-0500","end":"2020-12-04T08:47:16.020953-0500","age":1,"state":"new","reason":"unknown","alerted":false},"community_id":"1:eR0XiX1AMxyOvQcJd8kGHF+YIzY="}

The above logs are from a fresh SELKS 6 install, up to date, including ELK 7.10.0. I have not enabled the community_id field in suricata.yaml, but the field is enabled in the SELKS custom config file that overrides the Suricata basic config (/etc/suricata/selks6-addin.yaml). So, the eve.json log includes both fields, flow_id and community_id, and yet I am getting the shard errors related to the flow_id.

What would you recommend me to check/try next?

Thank you

pevma commented 3 years ago

Where exactly are you making the change/addition in the scripted fields - is it in logstash-flow* index in Kibana management? And on what discovery/viz exactly do you get the error?

ManuelFFF commented 3 years ago

Hi,

The error appears when I check app Discover/logstash-*. The error is NOT present if I check Discover/logstash-flow-*. I tried modifications on Index Patterns/logstash-*. Index Patterns/logstash-flow-* does not have a scripted field.

pevma commented 3 years ago

Ok - so you mean if you do discovery with the index logstash-*? What about if you try for example logstash-dns-* or logstash-http-*?

ManuelFFF commented 3 years ago

Verified one by one all logs in Discover/logstash-protocol-*. Only Discover/logstash-* is being affected.

ManuelFFF commented 3 years ago

Any thoughts?

pevma commented 3 years ago

What do you use the index logstash-service-* for? Out of curiosity, if ok to ask.

Apart from that I think it is a complaint message - do the logs show up or not?

-- Regards, Peter Manev

ManuelFFF commented 3 years ago

Hi,

I am sorry if I wasn't clear enough on my previous message, so you could be able to help me. Index logstash-service-* does not really exist. I tried to use a pattern name to refer to all the following indexes:

logstash-*
logstash-alert-*
logstash-anomaly-*
logstash-dhcp-*
logstash-dnp3-*
logstash-dns-*
logstash-fileinfo-*
logstash-flow-*
logstash-http-*
logstash-ikev2-*
logstash-krb5-*
logstash-nfs-*
logstash-rdp-*
logstash-rfb-*
logstash-sip-*
logstash-smb-*
logstash-smtp-*
logstash-snmp-*
logstash-ssh-*
logstash-tftp-*
logstash-tls-*

Perhaps I should have used logstash-[event_type]- instead or just use the exact index name like this time. What I wanted to say is that I checked all the previous indexes, one by one, and the error comes only when I check `Discover/logstash-`

pevma commented 3 years ago

I think using logstash-event_type-* is better in terms of zooming in the specific index/event_type. You can also look at any of the event types in their own dashboards including the raw events themselves at the bottom of every dashboard. So you just need to select the dashboard actually (From Kibana-> Dashboards) - for example SN-SMB will show you a dashboard with some visualizations and the raw logs of the event type SMB (or SMB protocol events).

ManuelFFF commented 3 years ago

So, there is no way to fix this error?

pevma commented 3 years ago

You should be able to import the raw API exports from here - https://github.com/StamusNetworks/KTS7#how-to-use to fix the issue.

alphaDev23 commented 3 years ago

Was this issue resolved in the master branch? I just pulled and I'm receiving the following:

script_exception at shard 0
index: logstash-flow-2020.12.23
node: n6KVwvteRyaKlBCWbQPACw
Type: script_exception
Reason: runtime error
Script stack:
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.get(ScriptDocValues.java:121)
org.elasticsearch.index.fielddata.ScriptDocValues$Longs.getValue(ScriptDocValues.java:115)
'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
^---- HERE
Script: 'ip == ' + doc['src_ip.keyword'].value + ' && port == ' + doc['src_port'].value + ' && ip == ' + doc['dest_ip.keyword'].value + ' && port == ' + doc['dest_port'].value + ' && protocols == ' + doc['proto.keyword'].value.toLowerCase()
Lang: painless
Position offset: 73
Position start: 0
Position end: 232
Caused by type: illegal_state_exception
Caused by reason: A document doesn't have a value for a field! Use doc[].size()==0 to check if a document is missing a field!

pevma commented 3 years ago

Yes it is. Besides pulling the master branch you need to reload the dashboards.

The other alternative is simply to use the selks-upgrade_stamus routine - that will auto update the dashboards pkg, after which you can reset/reload it from the GUI.

https://github.com/StamusNetworks/SELKS/wiki/How-to-load-or-update-dashboards#from-scirius

-- Regards, Peter Manev

alphaDev23 commented 3 years ago

I've recreated the entire ELK stack. Same issue. Please advise.

pevma commented 3 years ago

I don’t think it should be needed to recreate the stack.

What is the output of dpkg -l |grep stamus ?

-- Regards, Peter Manev

alphaDev23 commented 3 years ago

I'm using suricata 1:4.1.2-2 with filebeat 7.9.1 and ELK stack 7.9.1. The following is my filebeat config. The stack can easily be recreated if needed. I've done so just to ensure that the setup was from scratch. Thoughts?

filebeat.inputs:
- input_type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json
output.elasticsearch:
  hosts: [":9200"]

pevma commented 3 years ago

If you are not using the SELKS Kibana package you can import the ndjson directly - either via the Kibana management gui

https://github.com/StamusNetworks/KTS7/tree/master/API-KIBANA7

or via the API - https://github.com/StamusNetworks/KTS7#how-to-use

Please make sure you import the latest - in some cases, if you are combining different visualisations in a custom dashboard, you might need to remove and then import the same viz into the dashboard in order for the changes to be picked up (I’ve experienced that a couple of times with custom created dashboards).

-- Regards, Peter Manev

alphaDev23 commented 3 years ago

I'm using the following commands to load the objects (from the API-KIBANA7 directory). This is the same thing that you mention above, correct? These were executed after cloning anew as of my comment 2 days ago.

curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@index-pattern.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@search.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@visualization.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@dashboard.ndjson
curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@query.ndjson

pevma commented 3 years ago

Yep, that should do it. Can you please share the output of those commands?

-- Regards, Peter Manev

alphaDev23 commented 3 years ago

alphaDev23 commented 3 years ago

After further testing, the templates appear to be designed for a version of the ELK stack < 7.9.1. Can these be upgraded? Below is the output when I run the commands separately.

{"success":true,"successCount":22}
{"statusCode":422,"error":"Unprocessable Entity","message":"Document \"0e515070-731c-11ea-b5dd-05bd1e5fbf82\" has property \"search\" which belongs to a more recent version of Kibana [7.9.3].The last known version is [7.4.0]"}
{"statusCode":422,"error":"Unprocessable Entity","message":"Document \"00c602c0-74de-11ea-bb42-278f04c43ada\" has property \"visualization\" which belongs to a more recent version of Kibana [7.10.0]. The last known version is [7.8.0]"}
{"statusCode":422,"error":"Unprocessable Entity","message":"Document\"fab31360-c1c8-11e8-9888-3f5bc9c31629\" has property \"visualization\" which belongs to a more recent version of Kibana [7.10.0]. The last known version is [7.8.0]"}
{"success":true,"successCount":4}
bash-4.2$

pevma commented 3 years ago

I can not reproduce that on 7.10.x

-- Regards, Peter Manev

alphaDev23 commented 3 years ago

I upgraded to a 7.10.1 stack. Indexes (22) and queries (4) load. Others do not. After executing the following, there are no visualizations in Kibana's saved objects.

bash-4.2$ curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@visualization.ndjson

3ada","meta":{"title":"SN-SIP-SipReason","icon":"visualizeApp"}},{"type":"visualization","id":"8e02e410-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"8e299c30-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByDst","icon":"visualizeApp"}},{"type":"visualization","id":"8efad7b0-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"8f89a9e0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SMTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"8fc3c0a0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Share","icon":"visualizeApp"}},{"type":"visualization","id":"91b6dba0-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientKeyboardType","icon":"visualizeApp"}},{"type":"visualization","id":"97436e00-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"97b1cb90-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByErrCode","icon":"visualizeApp"}},{"type":"visualization","id":"9934b1a0-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"995b2750-0817-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-MqttOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"995f5e40-73f4-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Vars","icon":"visualizeApp"}},{"type":"visualization","id":"9a91f300-caf3-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"9ec0d330-cb41-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByFileName","icon":"visualizeApp"}},{"type":"visualization","id":"9ff304c0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-TLS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Bottom20Signatures","meta":{"title":"SN-Alert-Bottom20Signatures","icon":"visualizeApp"}},{"type":"visu
alization","id":"SN-Alert-ByExtraInfoType","meta":{"title":"SN-Alert-ByExtraInfoType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpContentType","meta":{"title":"SN-Alert-ByHttpContentType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpMethod","meta":{"title":"SN-Alert-ByHttpMethod","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByHttpProtocolByUserAgentByOS","meta":{"title":"SN-Alert-ByHttpProtocolByUserAgentByOS","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySmtpHello","meta":{"title":"SN-Alert-BySmtpHello","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySshClientProtoBySshClientSoftwareVer","meta":{"title":"SN-Alert-BySshClientProtoBySshClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-BySshServerProtoBySshSoftwareVer","meta":{"title":"SN-Alert-BySshServerProtoBySshSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerByTlsSniByTlsVersionNotGoogleYahooTwiter","meta":{"title":"SN-Alert-ByTlsIssuerByTlsSniByTlsVersionNotGoogleYahooTwiter","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerByTlsSniNotGoogleYahooTwiter","meta":{"title":"SN-Alert-ByTlsIssuerByTlsSniNotGoogleYahooTwiter","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsIssuerdn","meta":{"title":"SN-Alert-ByTlsIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByTlsSni","meta":{"title":"SN-Alert-ByTlsSni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByVLANID","meta":{"title":"SN-Alert-ByVLANID","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-ByVLANIDTop20","meta":{"title":"SN-Alert-ByVLANIDTop20","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Count","meta":{"title":"SN-Alert-Count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-GeoMap","meta":{"title":"SN-Alert-GeoMap","icon":"visualizeApp"}},{"type":"visualization",
"id":"SN-Alert-Proto","meta":{"title":"SN-Alert-Proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Timeline","meta":{"title":"SN-Alert-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top10Signatures","meta":{"title":"SN-Alert-Top10Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20DstIP","meta":{"title":"SN-Alert-Top20DstIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20DstPorts","meta":{"title":"SN-Alert-Top20DstPorts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20Signatures","meta":{"title":"SN-ThreatHunt-ALERTS-Top100Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20SrcIP","meta":{"title":"SN-Alert-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alert-Top20SrcPorts","meta":{"title":"SN-Alert-Top20SrcPorts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-categories","meta":{"title":"SN-Alerts categories","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-count","meta":{"title":"SN-Alerts count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-details","meta":{"title":"SN-Alerts details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-locations","meta":{"title":"SN-Alerts locations","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-over-time","meta":{"title":"SN-Alerts over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-per-probes","meta":{"title":"SN-Alerts per probes","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-severity","meta":{"title":"SN-Alerts severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Alerts-signatures","meta":{"title":"SN-Alerts 
signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-ApplayerProtoDestIPDestPort","meta":{"title":"SN-ApplayerProtoDestIPDestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-ApplayerProtoSrcIPSrcPort","meta":{"title":"SN-ApplayerProtoSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Application-protocol","meta":{"title":"SN-Application protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Average-packet-size","meta":{"title":"SN-Average packet size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Browsers","meta":{"title":"SN-Browsers","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Count","meta":{"title":"SN-Count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-ByProto","meta":{"title":"SN-DNS-ByProto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-ByTtl","meta":{"title":"SN-DNS-ByTtl","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-DnsEventsOverTime","meta":{"title":"SN-DNS-DnsEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-DnsOverTime","meta":{"title":"SN-DNS-DnsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-GeoIP","meta":{"title":"SN-DNS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-NXDOMAINGeoIP","meta":{"title":"SN-DNS-NXDOMAINGeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rcode","meta":{"title":"SN-DNS-Rcode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rdata","meta":{"title":"SN-DNS-Rdata","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rrname","meta":{"title":"SN-DNS-Rrname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Rrtype","meta":{"title":"SN-DNS-Rrtype","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-SshOverTime","meta":{"title":"SN-DNS-SshOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20DestIP","meta":{"title":"SN-DNS-Top20DestIP","icon":"visualizeApp"}
},{"type":"visualization","id":"SN-DNS-Top20DestPort","meta":{"title":"SN-DNS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20SrcIP","meta":{"title":"SN-DNS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Top20SrcPort","meta":{"title":"SN-DNS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-DNS-Type","meta":{"title":"SN-DNS-Type","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Dest_ports","meta":{"title":"SN-Dest_ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-EventTypeOverTimeAll","meta":{"title":"SN-EventTypeOverTimeAll","icon":"visualizeApp"}},{"type":"visualization","id":"SN-EventTypeOverTimeExcept-StatsAndFlow","meta":{"title":"SN-EventTypeOverTimeExcept-StatsAndFlow","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByGeoCityByType","meta":{"title":"SN-FILE-ByGeoCityByType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByProtoByHostnameServed","meta":{"title":"SN-FILE-ByProtoByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-ByTypeOverTime","meta":{"title":"SN-FILE-ByTypeOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-EventsOverTime","meta":{"title":"SN-FILE-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-FileSizeByExtention","meta":{"title":"SN-FILE-FileSizeByExtention","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-GeoIP","meta":{"title":"SN-FILE-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-GeoIPPDFAndExecutables","meta":{"title":"SN-FILE-GeoIPPDFAndExecutables","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20DestIP","meta":{"title":"SN-FILE-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20DestPort","meta":{"title":"SN-FILE-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20SrcIP","meta":{"title":"SN-FILE-Top20SrcIP","icon":"vis
ualizeApp"}},{"type":"visualization","id":"SN-FILE-Top20SrcPort","meta":{"title":"SN-FILE-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-count","meta":{"title":"SN-Files count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-informations-details","meta":{"title":"SN-Files informations details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-informations-over-time","meta":{"title":"SN-Files informations over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Files-protocols","meta":{"title":"SN-Files protocols","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Flow-unique-count-of-src-and-dst-IP","meta":{"title":"SN-Flow unique count of src and dst IP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncoding","meta":{"title":"SN-HTTP-AcceptEncoding","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncodingByConnection","meta":{"title":"SN-HTTP-AcceptEncodingByConnection","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-AcceptEncodingByHost","meta":{"title":"SN-HTTP-AcceptEncodingByHost","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-CacheControl","meta":{"title":"SN-HTTP-CacheControl","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-ContentTypeByAplication","meta":{"title":"SN-HTTP-ContentTypeByAplication","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-EventsOverTime","meta":{"title":"SN-HTTP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-GeoIP","meta":{"title":"SN-HTTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Servers","meta":{"title":"SN-HTTP-Servers","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-StatusCode","meta":{"title":"SN-HTTP-StatusCode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Top-hostnames","meta":{"title":"SN-HTTP Top 
hostnames","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Top-user-agents","meta":{"title":"SN-HTTP Top user agents","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgenOSMethodContent","meta":{"title":"SN-HTTP-UserAgenOSMethodContent","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentDevices","meta":{"title":"SN-HTTP-UserAgentDevices","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentMajor","meta":{"title":"SN-HTTP-UserAgentMajor","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentMinor","meta":{"title":"SN-HTTP-UserAgentMinor","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentName","meta":{"title":"SN-HTTP-UserAgentName","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentOS","meta":{"title":"SN-HTTP-UserAgentOS","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentOSName","meta":{"title":"SN-HTTP-UserAgentOSName","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-UserAgentPatch","meta":{"title":"SN-HTTP-UserAgentPatch","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-Vary","meta":{"title":"SN-HTTP-Vary","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-bandwidth","meta":{"title":"SN-HTTP bandwidth","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-events-over-time","meta":{"title":"SN-HTTP events over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-lengths","meta":{"title":"SN-HTTP lengths","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-methods","meta":{"title":"SN-HTTP methods","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-protocols","meta":{"title":"SN-HTTP protocols","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-referrals","meta":{"title":"SN-HTTP referrals","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-response-by-hostname","meta":{"title":"SN-HTTP response by 
hostname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-size","meta":{"title":"SN-HTTP size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-status","meta":{"title":"SN-HTTP status","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-status-by-hostname","meta":{"title":"SN-HTTP status by hostname","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-top-referrals","meta":{"title":"SN-HTTP top referrals","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-total-size","meta":{"title":"SN-HTTP total size","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-transactions-count","meta":{"title":"SN-HTTP transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-HTTP-transactions-details","meta":{"title":"SN-HTTP transactions details","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Map","meta":{"title":"SN-Map","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Mean-flow-age-and-count","meta":{"title":"SN-Mean flow age and 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-ALERTEventsOverTime","meta":{"title":"SN-PerVLAN-ALERTEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-DNSEventsOverTime","meta":{"title":"SN-PerVLAN-DNSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-FILETransEventsOverTime","meta":{"title":"SN-PerVLAN-FILETransEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-HTTPEventsOverTime","meta":{"title":"SN-PerVLAN-HTTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SMTPEventsOverTime","meta":{"title":"SN-PerVLAN-SMTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SSHEventsOverTime","meta":{"title":"SN-PerVLAN-SSHEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-TLSEventsOverTime","meta":{"title":"SN-PerVLAN-TLSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Proto-app_proto","meta":{"title":"SN-Proto-app_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Protocol","meta":{"title":"SN-Protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-AttachmentsExtension","meta":{"title":"SN-SMTP-AttachmentsExtension","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-GeoIP","meta":{"title":"SN-SMTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-SmtpOverTime","meta":{"title":"SN-SMTP-SmtpOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestIP","meta":{"title":"SN-SMTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestPort","meta":{"title":"SN-SMTP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailApplications","meta":{"title":"SN-SMTP-Top20MailApplications","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailOrganisations","meta":{"title":"SN-SMTP-Top20MailOrganisations","ic
on":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailSendingIPs","meta":{"title":"SN-SMTP-Top20MailSendingIPs","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcIP","meta":{"title":"SN-SMTP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcPort","meta":{"title":"SN-SMTP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLAN","meta":{"title":"SN-SMTP-Top20VLAN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLANsOverTime","meta":{"title":"SN-SMTP-Top20VLANsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20mail_from","meta":{"title":"SN-SMTP-Top20mail_from","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20rcpt_to","meta":{"title":"SN-SMTP-Top20rcpt_to","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientProtoVer","meta":{"title":"SN-SSH-ByClientProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientSoftwareVer","meta":{"title":"SN-SSH-ByClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerProtoVer","meta":{"title":"SN-SSH-ByServerProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerSoftwareVer","meta":{"title":"SN-SSH-ByServerSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Client-version","meta":{"title":"SN-SSH Client version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections","meta":{"title":"SN-SSH Connections","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-by-appliance","meta":{"title":"SN-SSH Connections by appliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-count","meta":{"title":"SN-SSH Connections 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-EventsOverTime","meta":{"title":"SN-SSH-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-GeoIP","meta":{"title":"SN-SSH-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Server-version","meta":{"title":"SN-SSH Server version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestIP","meta":{"title":"SN-SSH-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestPort","meta":{"title":"SN-SSH-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcIP","meta":{"title":"SN-SSH-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcPort","meta":{"title":"SN-SSH-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Transaction-Details","meta":{"title":"SN-SSH TransactionDetails","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-count","meta":{"title":"SN-SSH count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-count","meta":{"title":"SN-SSH transactionscount","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-over-time","meta":{"title":"SN-SSH transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Src-and-dst-IP-unique-count","meta":{"title":"SN-Src and dst IP unique 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-CapturedPktsVsGaps","meta":{"title":"SN-Stats-CapturedPktsVsGaps","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Decoder-Deltas","meta":{"title":"SN-Stats-Decoder-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderAvgMaxPktSize","meta":{"title":"SN-Stats-DecoderAvgMaxPktSize","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderBytes-Packets","meta":{"title":"SN-Stats-DecoderBytes-Packets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderProto-Deltas","meta":{"title":"SN-Stats-DecoderProto-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-EmergencyMode","meta":{"title":"SN-Stats-EmergencyMode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags","meta":{"title":"SN-Stats-Frags","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags-Deltas","meta":{"title":"SN-Stats-Frags-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-KernelPacketsAndDrops-Deltas","meta":{"title":"SN-Stats-KernelPacketsAndDrops-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Memcap-Deltas","meta":{"title":"SN-Stats-Memcap-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-TotalKernelPackets","meta":{"title":"SN-Stats-TotalKernelPackets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-ipv4-ipv6-fragments","meta":{"title":"SN-Stats-ipv4-ipv6-fragments","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-memuse-Deltas","meta":{"title":"SN-Stats-memuse-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Syn-SynAck-Rst","meta":{"title":"SN-Syn-SynAck-Rst","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByIssuerdn","meta":{"title":"SN-TLS-ByIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-BySni","meta":{"title":"SN-TLS-BySni","icon":"visualizeApp"}},{"type":"visualizat
ion","id":"SN-TLS-BySubject","meta":{"title":"SN-TLS-BySubject","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByVersionBySni","meta":{"title":"SN-TLS-ByVersionBySni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-EventsOverTime","meta":{"title":"SN-TLS-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-GeoIP","meta":{"title":"SN-TLS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-TCP-ports","meta":{"title":"SN-TLS TCP ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestIP","meta":{"title":"SN-TLS-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestPort","meta":{"title":"SN-TLS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcIP","meta":{"title":"SN-TLS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcPort","meta":{"title":"SN-TLS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-certificates-issuers-and-subjects","meta":{"title":"SN-TLS certificates issuers and subjects","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-fingerprints","meta":{"title":"SN-TLS fingerprints","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-by-appliance","meta":{"title":"SN-TLS transactions byappliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-count","meta":{"title":"SN-TLS transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-over-time","meta":{"title":"SN-TLS transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-table","meta":{"title":"SN-TLS transactions table","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-versions","meta":{"title":"SN-TLS 
versions","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timeline","meta":{"title":"SN-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Category","meta":{"title":"SN-Timelion-Alert-Category","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Country","meta":{"title":"SN-Timelion-Alert-Country","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Severity","meta":{"title":"SN-Timelion-Alert-Severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NULL","meta":{"title":"SN-Timelion-DNS-NULL","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NXDOMAIN","meta":{"title":"SN-Timelion-DNS-NXDOMAIN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-TXT","meta":{"title":"SN-Timelion-DNS-TXT","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-slash-request-slash-reply","meta":{"title":"SN-Timelion-DNS/request/reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Flow-App_proto","meta":{"title":"SN-Timelion-Flow-App_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-slash-DNS-slash-SMTP","meta":{"title":"SN-Timelion-HTTP/DNS/SMTP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-statuscode-522-slash-523-slash-0","meta":{"title":"SN-Timelion-HTTP-statuscode-522/523/0","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-ICMP-request-reply","meta":{"title":"SN-Timelion-ICMP-request-reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-IPv4-slash-IPv6","meta":{"title":"SN-Timelion-IPv4/IPv6","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-PPS-slash-Alerts","meta":{"title":"SN-Timelion-PPS/Alerts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-S-slash-SA-slash-R","meta":{"title":"SN-Timelion-S/SA/R","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-SSH-slash-TLS-slash-D
NP3","meta":{"title":"SN-Timelion-SSH/TLS/DNP3","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Signatures","meta":{"title":"SN-Timelion-Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-TCP-slash-UDP-flows","meta":{"title":"SN-Timelion-TCP/UDP-flows","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-host","meta":{"title":"SN-Timelion-host","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountry","meta":{"title":"SN-TopDestPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountryByCity","meta":{"title":"SN-TopDestPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDstIPDstPort","meta":{"title":"SN-TopDstIPDstPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcIPSrcPort","meta":{"title":"SN-TopSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountry","meta":{"title":"SN-TopSrcPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountryByCity","meta":{"title":"SN-TopSrcPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Traffic-events-type-timeline","meta":{"title":"SN-Traffic events type timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Urls-visited","meta":{"title":"SN-Urls 
visited","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-ByEventType","meta":{"title":"SN-VLAN-ByEventType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-Top20VLANsUsed","meta":{"title":"SN-VLAN-Top20VLANsUsed","icon":"visualizeApp"}},{"type":"visualization","id":"a17b9ea0-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Authentication-Sectype","icon":"visualizeApp"}},{"type":"visualization","id":"a1aa05e0-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByType","icon":"visualizeApp"}},{"type":"visualization","id":"a6376820-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"a987de80-1cdf-11ea-9ee1-11f0d2cd99c4","meta":{"title":"SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"aa00adb0-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"aa0139c0-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ab975d80-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DNS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"acba4210-c1d6-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"ae49bf50-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ae4b74f0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Filename","icon":"visualizeApp"}},{"type":"visualization","id":"af7f6010-c1d7-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByHTTPByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"af89b340-734b-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Code","icon":"visualizeApp"}},{"type":"visualization","id":"b1b33d60-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualizati
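For readers triaging a response like the one posted in this thread, here is an added example (not part of the original posts and not KTS7 project code) that groups the `errors` array of a saved-objects import response by error type, so conflicts can be told apart from anything else. The sample response is constructed and abridged, its IDs are placeholders, and the function name and the `missing_references` entry are assumptions added for contrast.

```python
import json
from collections import Counter, defaultdict

# Constructed, abridged response in the shape the import call returned in this
# thread: successCount / success / successResults / errors. IDs are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "successCount": 2,
    "success": False,
    "successResults": [
        {"type": "visualization", "id": "example-vis-1",
         "meta": {"title": "SN-SIP-TotalEvents", "icon": "visualizeApp"}},
        {"type": "visualization", "id": "example-vis-2",
         "meta": {"title": "SN-SMB-Total", "icon": "visualizeApp"}},
    ],
    "errors": [
        {"type": "index-pattern", "id": "example-ip-1", "title": "logstash-sip-*",
         "meta": {"title": "logstash-sip-*", "icon": "indexPatternApp"},
         "error": {"type": "conflict"}},
        {"type": "index-pattern", "id": "example-ip-2", "title": "logstash-smb-*",
         "meta": {"title": "logstash-smb-*", "icon": "indexPatternApp"},
         "error": {"type": "conflict"}},
        # Not seen in the thread; included so the non-conflict path is exercised.
        {"type": "visualization", "id": "example-vis-9", "title": "SN-Example-Orphan",
         "meta": {"title": "SN-Example-Orphan", "icon": "visualizeApp"},
         "error": {"type": "missing_references",
                   "references": [{"type": "index-pattern", "id": "example-ip-missing"}]}},
    ],
})


def triage_import_response(raw):
    """Summarise a saved-objects import response (hypothetical helper).

    Returns counts of reported successes per object type, the objects that
    failed with a 'conflict', and every other failure grouped by error type.
    """
    resp = json.loads(raw)
    errors = resp.get("errors") or []

    by_error = defaultdict(list)
    for entry in errors:
        error_type = (entry.get("error") or {}).get("type", "unknown")
        title = (entry.get("title")
                 or (entry.get("meta") or {}).get("title")
                 or entry.get("id", "?"))
        by_error[error_type].append((entry.get("type", "?"), title))

    imported = Counter(r.get("type", "?") for r in resp.get("successResults") or [])
    other = {k: v for k, v in by_error.items() if k != "conflict"}

    return {
        "success": bool(resp.get("success")),
        "success_count": resp.get("successCount", 0),
        "imported_by_type": dict(imported),
        "conflicts": by_error.get("conflict", []),
        "other_errors": other,
        # True when every reported error is a conflict, i.e. the only thing
        # standing in the way is an object that already exists.
        "only_conflicts": bool(errors) and not other,
    }


if __name__ == "__main__":
    summary = triage_import_response(SAMPLE_RESPONSE)
    print("success:", summary["success"], "successCount:", summary["success_count"])
    for obj_type, title in summary["conflicts"]:
        print("conflict:", obj_type, title)
    for error_type, items in summary["other_errors"].items():
        for obj_type, title in items:
            print(error_type + ":", obj_type, title)
    print("only conflicts:", summary["only_conflicts"])
```

When `only_conflicts` is true, every failure is an object that already exists; the import endpoint also accepts an `overwrite=true` query parameter for that case.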

pevma commented 3 years ago

I think you can try to load all the ndjson from the Kibana management web GUI - Saved objects (with an option to overwrite conflicts). I think this is what could be causing some vizs not to be updated.

-- Regards, Peter Manev

On 25 Dec 2020, at 23:09, alphaDev23 notifications@github.com wrote:

 I upgraded to a 7.10.1 stack. Indexes (22) and queries (4) load. Others do not. After executing the following, there are no visualizations in Kibana's saved objects.

bash-4.2$ curl -X POST "suricata_kibana:5601/api/saved_objects/_import" -H 'kbn-xsrf: true' --form file=@visualization.ndjson

count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-ALERTEventsOverTime","meta":{"title":"SN-PerVLAN-ALERTEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-DNSEventsOverTime","meta":{"title":"SN-PerVLAN-DNSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-FILETransEventsOverTime","meta":{"title":"SN-PerVLAN-FILETransEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-HTTPEventsOverTime","meta":{"title":"SN-PerVLAN-HTTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SMTPEventsOverTime","meta":{"title":"SN-PerVLAN-SMTPEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-SSHEventsOverTime","meta":{"title":"SN-PerVLAN-SSHEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-PerVLAN-TLSEventsOverTime","meta":{"title":"SN-PerVLAN-TLSEventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Proto-app_proto","meta":{"title":"SN-Proto-app_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Protocol","meta":{"title":"SN-Protocol","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-AttachmentsExtension","meta":{"title":"SN-SMTP-AttachmentsExtension","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-GeoIP","meta":{"title":"SN-SMTP-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-SmtpOverTime","meta":{"title":"SN-SMTP-SmtpOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestIP","meta":{"title":"SN-SMTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20DestPort","meta":{"title":"SN-SMTP-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailApplications","meta":{"title":"SN-SMTP-Top20MailApplications","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailOrganisations","meta":{"title":"SN-SMTP-Top20MailOrganisations","ic
on":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20MailSendingIPs","meta":{"title":"SN-SMTP-Top20MailSendingIPs","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcIP","meta":{"title":"SN-SMTP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20SrcPort","meta":{"title":"SN-SMTP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLAN","meta":{"title":"SN-SMTP-Top20VLAN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20VLANsOverTime","meta":{"title":"SN-SMTP-Top20VLANsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20mail_from","meta":{"title":"SN-SMTP-Top20mail_from","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SMTP-Top20rcpt_to","meta":{"title":"SN-SMTP-Top20rcpt_to","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientProtoVer","meta":{"title":"SN-SSH-ByClientProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByClientSoftwareVer","meta":{"title":"SN-SSH-ByClientSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerProtoVer","meta":{"title":"SN-SSH-ByServerProtoVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-ByServerSoftwareVer","meta":{"title":"SN-SSH-ByServerSoftwareVer","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Client-version","meta":{"title":"SN-SSH Client version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections","meta":{"title":"SN-SSH Connections","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-by-appliance","meta":{"title":"SN-SSH Connections by appliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Connections-count","meta":{"title":"SN-SSH Connections 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-EventsOverTime","meta":{"title":"SN-SSH-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-GeoIP","meta":{"title":"SN-SSH-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Server-version","meta":{"title":"SN-SSH Server version","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestIP","meta":{"title":"SN-SSH-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20DestPort","meta":{"title":"SN-SSH-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcIP","meta":{"title":"SN-SSH-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Top20SrcPort","meta":{"title":"SN-SSH-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-Transaction-Details","meta":{"title":"SN-SSH TransactionDetails","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-count","meta":{"title":"SN-SSH count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-count","meta":{"title":"SN-SSH transactionscount","icon":"visualizeApp"}},{"type":"visualization","id":"SN-SSH-transactions-over-time","meta":{"title":"SN-SSH transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Src-and-dst-IP-unique-count","meta":{"title":"SN-Src and dst IP unique 
count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-CapturedPktsVsGaps","meta":{"title":"SN-Stats-CapturedPktsVsGaps","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Decoder-Deltas","meta":{"title":"SN-Stats-Decoder-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderAvgMaxPktSize","meta":{"title":"SN-Stats-DecoderAvgMaxPktSize","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderBytes-Packets","meta":{"title":"SN-Stats-DecoderBytes-Packets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-DecoderProto-Deltas","meta":{"title":"SN-Stats-DecoderProto-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-EmergencyMode","meta":{"title":"SN-Stats-EmergencyMode","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags","meta":{"title":"SN-Stats-Frags","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Frags-Deltas","meta":{"title":"SN-Stats-Frags-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-KernelPacketsAndDrops-Deltas","meta":{"title":"SN-Stats-KernelPacketsAndDrops-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-Memcap-Deltas","meta":{"title":"SN-Stats-Memcap-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-TotalKernelPackets","meta":{"title":"SN-Stats-TotalKernelPackets","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-ipv4-ipv6-fragments","meta":{"title":"SN-Stats-ipv4-ipv6-fragments","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Stats-memuse-Deltas","meta":{"title":"SN-Stats-memuse-Deltas","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Syn-SynAck-Rst","meta":{"title":"SN-Syn-SynAck-Rst","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByIssuerdn","meta":{"title":"SN-TLS-ByIssuerdn","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-BySni","meta":{"title":"SN-TLS-BySni","icon":"visualizeApp"}},{"type":"visualizat
ion","id":"SN-TLS-BySubject","meta":{"title":"SN-TLS-BySubject","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-ByVersionBySni","meta":{"title":"SN-TLS-ByVersionBySni","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-EventsOverTime","meta":{"title":"SN-TLS-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-GeoIP","meta":{"title":"SN-TLS-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-TCP-ports","meta":{"title":"SN-TLS TCP ports","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestIP","meta":{"title":"SN-TLS-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20DestPort","meta":{"title":"SN-TLS-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcIP","meta":{"title":"SN-TLS-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-Top20SrcPort","meta":{"title":"SN-TLS-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-certificates-issuers-and-subjects","meta":{"title":"SN-TLS certificates issuers and subjects","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-fingerprints","meta":{"title":"SN-TLS fingerprints","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-by-appliance","meta":{"title":"SN-TLS transactions byappliance","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-count","meta":{"title":"SN-TLS transactions count","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-over-time","meta":{"title":"SN-TLS transactions over time","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-transactions-table","meta":{"title":"SN-TLS transactions table","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TLS-versions","meta":{"title":"SN-TLS 
versions","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timeline","meta":{"title":"SN-Timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Category","meta":{"title":"SN-Timelion-Alert-Category","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Country","meta":{"title":"SN-Timelion-Alert-Country","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Alert-Severity","meta":{"title":"SN-Timelion-Alert-Severity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NULL","meta":{"title":"SN-Timelion-DNS-NULL","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-NXDOMAIN","meta":{"title":"SN-Timelion-DNS-NXDOMAIN","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-TXT","meta":{"title":"SN-Timelion-DNS-TXT","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-DNS-slash-request-slash-reply","meta":{"title":"SN-Timelion-DNS/request/reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Flow-App_proto","meta":{"title":"SN-Timelion-Flow-App_proto","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-slash-DNS-slash-SMTP","meta":{"title":"SN-Timelion-HTTP/DNS/SMTP","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-HTTP-statuscode-522-slash-523-slash-0","meta":{"title":"SN-Timelion-HTTP-statuscode-522/523/0","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-ICMP-request-reply","meta":{"title":"SN-Timelion-ICMP-request-reply","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-IPv4-slash-IPv6","meta":{"title":"SN-Timelion-IPv4/IPv6","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-PPS-slash-Alerts","meta":{"title":"SN-Timelion-PPS/Alerts","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-S-slash-SA-slash-R","meta":{"title":"SN-Timelion-S/SA/R","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-SSH-slash-TLS-slash-D
NP3","meta":{"title":"SN-Timelion-SSH/TLS/DNP3","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-Signatures","meta":{"title":"SN-Timelion-Signatures","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-TCP-slash-UDP-flows","meta":{"title":"SN-Timelion-TCP/UDP-flows","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Timelion-host","meta":{"title":"SN-Timelion-host","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountry","meta":{"title":"SN-TopDestPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDestPortsByCountryByCity","meta":{"title":"SN-TopDestPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopDstIPDstPort","meta":{"title":"SN-TopDstIPDstPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcIPSrcPort","meta":{"title":"SN-TopSrcIPSrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountry","meta":{"title":"SN-TopSrcPortsByCountry","icon":"visualizeApp"}},{"type":"visualization","id":"SN-TopSrcPortsByCountryByCity","meta":{"title":"SN-TopSrcPortsByCountryByCity","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Traffic-events-type-timeline","meta":{"title":"SN-Traffic events type timeline","icon":"visualizeApp"}},{"type":"visualization","id":"SN-Urls-visited","meta":{"title":"SN-Urls 
visited","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-ByEventType","meta":{"title":"SN-VLAN-ByEventType","icon":"visualizeApp"}},{"type":"visualization","id":"SN-VLAN-Top20VLANsUsed","meta":{"title":"SN-VLAN-Top20VLANsUsed","icon":"visualizeApp"}},{"type":"visualization","id":"a17b9ea0-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Authentication-Sectype","icon":"visualizeApp"}},{"type":"visualization","id":"a1aa05e0-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByType","icon":"visualizeApp"}},{"type":"visualization","id":"a6376820-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"a987de80-1cdf-11ea-9ee1-11f0d2cd99c4","meta":{"title":"SN-ThreatHunt-HTTP-PossibleC2Beacons-BySrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"aa00adb0-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"aa0139c0-d333-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ab975d80-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DNS-Total","icon":"visualizeApp"}},{"type":"visualization","id":"acba4210-c1d6-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"ae49bf50-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ae4b74f0-c1cc-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Filename","icon":"visualizeApp"}},{"type":"visualization","id":"af7f6010-c1d7-11e8-9888-3f5bc9c31629","meta":{"title":"SN-FILE-ByHTTPByHostnameServed","icon":"visualizeApp"}},{"type":"visualization","id":"af89b340-734b-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-Code","icon":"visualizeApp"}},{"type":"visualization","id":"b1b33d60-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualizati
on","id":"b6471090-74d8-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"b6867ae0-c193-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-VerMajMinor","icon":"visualizeApp"}},{"type":"visualization","id":"b85da310-d332-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-Count","icon":"visualizeApp"}},{"type":"visualization","id":"b9784930-c1cb-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-ServerGUID","icon":"visualizeApp"}},{"type":"visualization","id":"bb4f69c0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-IKEv2-Total","icon":"visualizeApp"}},{"type":"visualization","id":"bbf76020-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"bd453c20-735f-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-TotalCount","icon":"visualizeApp"}},{"type":"visualization","id":"be131f50-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"be29a460-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientBuild","icon":"visualizeApp"}},{"type":"visualization","id":"c05711b0-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-ByIndicators","icon":"visualizeApp"}},{"type":"visualization","id":"c1122430-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByFailedRequests","icon":"visualizeApp"}},{"type":"visualization","id":"c11cccc0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Routers-Servers","icon":"visualizeApp"}},{"type":"visualization","id":"c199c3d0-734c-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"c2fc55d0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-File","icon":"visualizeApp"}},{"type":"visualization","id":"c3997530-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"c6659f50-73f2-11ea-abd9-295bc1fa20bb","m
eta":{"title":"SN-SNMP-Top100-DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"c66d1450-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"c7d5e520-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-SSH-Total","icon":"visualizeApp"}},{"type":"visualization","id":"c8657640-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"cdbbf0f0-caf3-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"cf040440-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Mode","icon":"visualizeApp"}},{"type":"visualization","id":"d13dacf0-c198-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Type","icon":"visualizeApp"}},{"type":"visualization","id":"d1427890-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d2061990-7d8c-11ea-af8c-954c77eacc8f","meta":{"title":"SN-TLS-ByJa3SHash","icon":"visualizeApp"}},{"type":"visualization","id":"d294cdf0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d39f5450-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficID","icon":"visualizeApp"}},{"type":"visualization","id":"d45f0ba0-73f2-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"d4b13740-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-DHCP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"d5843f00-c192-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-Top20DestPort","icon":"visualizeApp"}},{"type":"visualization","id":"d5c45630-74dd-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-Top100-SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"d6358e70-73f4-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-Usm","icon":"visualizeApp"}},{"type":"visu
alization","id":"d6720b50-c19b-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Releays","icon":"visualizeApp"}},{"type":"visualization","id":"dcd91fb0-c1d2-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Packet","icon":"visualizeApp"}},{"type":"visualization","id":"dd9b8e50-cb33-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-EventsOverTimeByVersion","icon":"visualizeApp"}},{"type":"visualization","id":"dec25e60-74ee-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-ClientName","icon":"visualizeApp"}},{"type":"visualization","id":"dfe2a9f0-c2f5-11e8-9eb1-af8fa48f4c1b","meta":{"title":"SN-HTTP-Total","icon":"visualizeApp"}},{"type":"visualization","id":"e20c8650-d331-11e8-8a07-17cc065d3fe1","meta":{"title":"SN-DNP3-BySrc","icon":"visualizeApp"}},{"type":"visualization","id":"e41ad0b0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcIP","icon":"visualizeApp"}},{"type":"visualization","id":"e4aa4cb0-081a-11eb-bd80-0b9cf2e814b3","meta":{"title":"SN-MQTT-ConnUsernames","icon":"visualizeApp"}},{"type":"visualization","id":"e67a7c10-74de-11ea-bb42-278f04c43ada","meta":{"title":"SN-SIP-SipCode","icon":"visualizeApp"}},{"type":"visualization","id":"e7337e70-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByMsgType","icon":"visualizeApp"}},{"type":"visualization","id":"e7c2b5c0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea18f570-c1d1-11e8-9888-3f5bc9c31629","meta":{"title":"SN-TFTP-Top20DestIP","icon":"visualizeApp"}},{"type":"visualization","id":"ea8a7000-c191-11e8-9888-3f5bc9c31629","meta":{"title":"SN-IKEv2-GeoIP","icon":"visualizeApp"}},{"type":"visualization","id":"eafe1a30-73f3-11ea-abd9-295bc1fa20bb","meta":{"title":"SN-SNMP-ByVlan","icon":"visualizeApp"}},{"type":"visualization","id":"eb100030-cc04-11e8-aae9-99442e2ed6cc","meta":{"title":"SN-TrafficID-ByTrafficLabel","icon":"visualizeApp"}},{"type":"visualization","id":"ec437ac0-c1ca-11e8-9888-3f5bc9c31629","meta":{"title":
"SN-SMB-Function","icon":"visualizeApp"}},{"type":"visualization","id":"ecbb25e0-74d7-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Top100-SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"ede2f660-cb40-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByStatus","icon":"visualizeApp"}},{"type":"visualization","id":"eef848e0-cb3e-11e8-8e2b-bf314673d4bf","meta":{"title":"SN-NFS-ByDestIP","icon":"visualizeApp"}},{"type":"visualization","id":"f14a6010-74d9-11ea-bb42-278f04c43ada","meta":{"title":"SN-RFB-Server-Security-Failure","icon":"visualizeApp"}},{"type":"visualization","id":"f2024e50-74ed-11ea-bb42-278f04c43ada","meta":{"title":"SN-RDP-TotalEvents","icon":"visualizeApp"}},{"type":"visualization","id":"f87379e0-c197-11e8-9888-3f5bc9c31629","meta":{"title":"SN-DHCP-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"f9c21fc0-caf4-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fab31360-c1c8-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-EventsOverTime","icon":"visualizeApp"}},{"type":"visualization","id":"fcae7fd0-734a-11ea-b5dd-05bd1e5fbf82","meta":{"title":"SN-ANOMALY-EventsOverTimeByAppProto","icon":"visualizeApp"}},{"type":"visualization","id":"fd1577f0-c1c9-11e8-9888-3f5bc9c31629","meta":{"title":"SN-SMB-Top20SrcPort","icon":"visualizeApp"}},{"type":"visualization","id":"fde239e0-caf5-11e8-9f69-c36de0ada098","meta":{"title":"SN-KRB5-ByRealm","icon":"visualizeApp"}}],"errors":[{"type":"index-pattern","id":"92edee20-74c4-11ea-bb42-278f04c43ada","title":"logstash-sip-","meta":{"title":"logstash-sip-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"06e1e3c0-c1c7-11e8-9888-3f5bc9c31629","title":"logstash-smb-","meta":{"title":"logstash-smb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"770c39b0-c1c8-11e8-9888-3f5bc9c31629","title":"logstash-tftp-","meta":{"title":"logstash-tftp-","icon":"ind
exPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"de695070-74c3-11ea-bb42-278f04c43ada","title":"logstash-rfb-","meta":{"title":"logstash-rfb-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"e2f3d2c0-73e0-11ea-abd9-295bc1fa20bb","title":"logstash-snmp-","meta":{"title":"logstash-snmp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"35f3ece0-cae5-11e8-9f69-c36de0ada098","title":"logstash-nfs-","meta":{"title":"logstash-nfs-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"84c3b570-c190-11e8-9888-3f5bc9c31629","title":"logstash-dhcp-","meta":{"title":"logstash-dhcp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"036d9030-74eb-11ea-bb42-278f04c43ada","title":"logstash-rdp-","meta":{"title":"logstash-rdp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"defa6c90-cae7-11e8-9f69-c36de0ada098","title":"logstash-krb5-","meta":{"title":"logstash-krb5-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"cc5489c0-06e2-11eb-bd80-0b9cf2e814b3","title":"logstash-mqtt-","meta":{"title":"logstash-mqtt-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"fed9ba80-7319-11ea-b5dd-05bd1e5fbf82","title":"logstash-anomaly-","meta":{"title":"logstash-anomaly-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-flow-","title":"logstash-flow-","meta":{"title":"logstash-flow-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-fileinfo-","title":"logstash-fileinfo-","meta":{"title":"logstash-fileinfo-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"699cedb0-d31b-11e8-8a07-17cc065d3fe1","title":"logstash-dnp3-","meta":{"title":"logstash-dnp3-","icon":"indexPatternApp"},"error":{"type":"conflict"
}},{"type":"index-pattern","id":"logstash-tls-","title":"logstash-tls-","meta":{"title":"logstash-tls-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-alert-","title":"logstash-alert-","meta":{"title":"logstash-alert-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-ssh-","title":"logstash-ssh-","meta":{"title":"logstash-ssh-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-http-","title":"logstash-http-","meta":{"title":"logstash-http-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"769209d0-c18a-11e8-9888-3f5bc9c31629","title":"logstash-ikev2-","meta":{"title":"logstash-ikev2-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-smtp-","title":"logstash-smtp-","meta":{"title":"logstash-smtp-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-","title":"logstash-","meta":{"title":"logstash-","icon":"indexPatternApp"},"error":{"type":"conflict"}},{"type":"index-pattern","id":"logstash-dns-","title":"logstash-dns-","meta":{"title":"logstash-dns-*","icon":"indexPatternApp"},"error":{"type":"conflict"}}]

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

alphaDev23 commented 3 years ago

Is there a way to load via curl to resolve the issue? Manual loading of saved objects is less than ideal given that the stack can be, and often is, torn down and re-created. I have added the curl commands to a bootstrap in logstash where these are best located.

pevma commented 3 years ago

I meant it as a quick test to confirm if that is the case.

-- Regards, Peter Manev

On 26 Dec 2020, at 00:07, alphaDev23 notifications@github.com wrote:

Is there a way to load via curl to resolve the issue? Manual loading of saved objects is less than ideal given that the stack can be, and often is, torn down and re-created. I have added the curl commands to a bootstrap in logstash where these are best located.

alphaDev23 commented 3 years ago

I attempted to import visualizations.ndjson...received:

Sorry, there was an error The file could not be processed due to error: "Failed to fetch"

pevma commented 3 years ago

Was that via the command line or GUI?

-- Regards, Peter Manev

On 26 Dec 2020, at 00:40, alphaDev23 notifications@github.com wrote:

 I attempted to import visualizations.ndjson...received:

Sorry, there was an error The file could not be processed due to error: "Failed to fetch"


pevma commented 3 years ago

On the command line you can try to overwrite by adding that to the command

/_import?overwrite=true

-- Regards, Peter Manev

On 26 Dec 2020, at 09:32, Peter Manev petermanev@gmail.com wrote:

Was that via the command line or GUI?

-- Regards, Peter Manev

On 26 Dec 2020, at 00:40, alphaDev23 notifications@github.com wrote:

 I attempted to import visualizations.ndjson...received:

Sorry, there was an error The file could not be processed due to error: "Failed to fetch"

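As an added example (not code from the KTS7 project or from anyone in this thread), the Python script below posts an ndjson file to Kibana's saved objects import API and retries with `overwrite=true` only when every reported error is a `conflict`, which suits a bootstrap that runs each time the stack is re-created. The Kibana URL, the absence of authentication and the sample response are assumptions constructed for illustration.

```python
import json
import os
import sys
import urllib.request
import uuid
from collections import Counter

# Assumption: Kibana is reachable here without authentication.
KIBANA_URL = "http://localhost:5601"

# Constructed sample reply, shaped like a Kibana 7 import response.
SAMPLE_RESPONSE = {
    "success": False,
    "successCount": 2,
    "errors": [
        {"type": "index-pattern", "id": "logstash-flow-",
         "title": "logstash-flow-", "error": {"type": "conflict"}},
        {"type": "index-pattern", "id": "logstash-http-",
         "title": "logstash-http-", "error": {"type": "conflict"}},
        {"type": "visualization", "id": "example-vis", "title": "example-vis",
         "error": {"type": "missing_references",
                   "references": [{"type": "index-pattern",
                                   "id": "example-pattern"}]}},
    ],
}


def import_url(base_url, overwrite):
    """Build the import URL; overwrite=true replaces objects that already exist."""
    url = base_url.rstrip("/") + "/api/saved_objects/_import"
    return url + "?overwrite=true" if overwrite else url


def build_multipart(filename, payload):
    """Encode one ndjson file as multipart/form-data under the form field 'file'."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/ndjson\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + payload + tail, f"multipart/form-data; boundary={boundary}"


def summarize(response):
    """Separate conflicts (fixable by overwrite) from every other import error."""
    conflicts, others = [], []
    for err in response.get("errors", []):
        kind = err.get("error", {}).get("type")
        if kind == "conflict":
            conflicts.append((err["type"], err["id"]))
        else:
            others.append((err["type"], err["id"], kind))
    return {
        "success": bool(response.get("success")),
        "imported": response.get("successCount", 0),
        "conflicts": conflicts,
        "other_errors": others,
        "conflicts_by_type": dict(Counter(t for t, _ in conflicts)),
    }


def needs_overwrite(summary):
    """Retry with overwrite only when conflicts are the sole reason for failure."""
    return bool(summary["conflicts"]) and not summary["other_errors"]


def import_file(path, overwrite=False, base_url=KIBANA_URL):
    """POST one ndjson file to Kibana and return the summarized response."""
    with open(path, "rb") as fh:
        body, content_type = build_multipart(os.path.basename(path), fh.read())
    request = urllib.request.Request(
        import_url(base_url, overwrite),
        data=body,
        method="POST",
        # Kibana rejects API writes that lack the kbn-xsrf header.
        headers={"Content-Type": content_type, "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(request, timeout=60) as reply:
        return summarize(json.load(reply))


if __name__ == "__main__":
    failed = False
    for ndjson_path in sys.argv[1:]:
        result = import_file(ndjson_path)
        if needs_overwrite(result):
            result = import_file(ndjson_path, overwrite=True)
        print(ndjson_path, json.dumps(result))
        failed = failed or not result["success"]
    sys.exit(1 if failed else 0)
```

Overwriting replaces any local edits to the existing dashboards and index patterns, so errors other than `conflict` are left for a person to review.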

alphaDev23 commented 3 years ago

Your suggestion appeared to resolve the issue but I'm now receiving errors in at least the following dashboards:

HTTP:
Could not locate that index-pattern-field (id: http.accept_encoding.keyword)
Could not locate that index-pattern-field (id: http.vary.keyword)

Alerts:
Could not locate that index-pattern-field (id: vlan)
Could not locate that index-pattern-field (id: smtp.helo.keyword)

pevma commented 3 years ago

Maybe you don't have those logs/fields for those visualizations? Can you share a record/log that has the fields?

alphaDev23 commented 3 years ago

It appears that all the logs are in the logstash-flow- indexes. Is this correct or is there an issue with templates, etc?

pevma commented 3 years ago

It could be that you don’t have traffic? It could be the ES template, but I don’t think it seems related to the dashboards or visualisations.

-- Regards, Peter Manev

On 7 Jan 2021, at 21:43, alphaDev23 notifications@github.com wrote:

 It appears that all the logs are in the logstash-flow- indexes. Is this correct or is there an issue with templates, etc?


alphaDev23 commented 3 years ago

I do have http traffic.