Once you have your Elasticsearch server running with Kibana, and it’s being fed data from Suricata installs via Filebeat, you can view the incoming data through some default dashboards. Filebeat ships two default Suricata dashboards, one for alerts and one for events.
I like the default Filebeat Suricata dashboards, except that the Alert one includes severity 3 alerts. Often I want a report that shows only high severity items (severity 1 and 2), as severity 3 can be too noisy.
An easy way to create a new dashboard is to build from what’s already been created. If we take the default dashboard elements, and modify them a bit, we can make a high priority dashboard fairly easily.
Altering the Default Alert Dashboard
In the ELK search box at the top, enter “[Filebeat Suricata] Alert”.

Click the Alert Overview chart that appears in the results.

The default view will load similar to the above screenshot. On the top right is a table called “Top Alert Signatures” – let’s edit that. First we need to click “Edit” in the top right so we can access the elements in the dashboard.
Once in edit mode, each Dashboard component will have a settings gear icon. Click the one for the “Top Alert Signatures” widget and then click “Edit Visualization.”

Once you are editing the visualization, there will be several options to add data or filters. We’re looking to change the filtering, as we want to display ONLY severity 1 and 2 occurrences.
Near the top left is a link “Add Filter” – click that and you’ll get a modal window.

Available Fields
In the “Select a field first” dropdown, there are perhaps hundreds or more fields to reference. These fields are based on the data that streams in via Filebeat.
If you open another tab to your ELK server, and reopen the Alert Dashboard in this new tab, scroll to the bottom. There’s a table of alert events listed by date. Open one of those rows (click on it) and it will expand, showing various fields available to us:

The screenshot above is cropped to focus on several fields starting with event.* The event.severity field has a # sign preceding it, indicating it is a numeric value. This particular line item has a value of 3.
All we need to do now is filter for event.severity < 3, and that will restrict our chart to High Severity items.
Filtering the Chart by event.severity
Back in the other tab, where we are editing the existing visualization, click the “+ Add Filter” link once again. In the modal, type “event.severity” – you’ll notice that it uses an “as you type” approach, narrowing the available fields to those that match what you have typed. Click event.severity in the result.

Once selected, the Operator dropdown will become active. Click the dropdown and select the “Is Between” operator. Choose the values 1 and 3 (the “to” value is not inclusive) so we’ll only have event.severity of 1 – 2.

Click “Save” and you’ll see your results immediately filter out severity 3 items. You may have to shift your time range to where severity 1 or 2 items exist in the data. If you don’t have any results for severity 1 and 2, you can use a Nikto scan from Kali Linux against a web application on your host, which will certainly create severity 1 and 2 alerts.

On the right side of the visualization is a section under the heading “Alerts [Filebeat Suricata]”, with two sub-tabs, “data” and “options.” Click “options”.
By default this chart shows only the top 10 results. I’m going to change that to the top 30, and I also checked “auto fit rows to content”:

Click Update, and then I’ll save the visualization under a new name. Clicking “Save As” at the top right will open a window with several prompts. For one, I’ll rename the visualization to something more relevant, like “Alert Severity 1-2”, and I will also add a unique tag. Creating a tag is useful for finding your created content later through the search field.
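To make the filter and the results limit concrete, here is an added example (not code from the original post or from Elastic) that builds the Elasticsearch request equivalent to the filtered, 30-row “Top Alert Signatures” table, and then applies the same severity range locally to a constructed handful of documents. The field names rule.name and event.kind, and the document shape, are assumptions about what the Filebeat Suricata module ships; the signature names are constructed sample values. The point worth seeing in code is the range bounds: Kibana’s “Is Between” filter sends the “to” value as an exclusive `lt`, so 1 and 3 select severities 1 and 2 only, and a document with no event.severity at all never matches.

```python
import json
from collections import Counter

# Constructed sample documents in the ECS-style shape assumed for Filebeat's
# Suricata module (only the fields used here). Severity 1 is the highest.
SAMPLE_DOCS = [
    {"event": {"kind": "alert", "severity": 1}, "rule": {"name": "SAMPLE SCAN web scanner user-agent"}},
    {"event": {"kind": "alert", "severity": 2}, "rule": {"name": "SAMPLE WEB_SERVER directory traversal attempt"}},
    {"event": {"kind": "alert", "severity": 3}, "rule": {"name": "SAMPLE INFO outbound DNS to known resolver"}},
    {"event": {"kind": "alert", "severity": 3}, "rule": {"name": "SAMPLE INFO outbound DNS to known resolver"}},
    {"event": {"kind": "alert", "severity": 1}, "rule": {"name": "SAMPLE SCAN web scanner user-agent"}},
    {"event": {"kind": "alert", "severity": 2}, "rule": {"name": "SAMPLE WEB_SERVER PHP file upload attempt"}},
    {"event": {"kind": "event"}},  # a flow/http record: no alert, no severity field
]


def severity_range(gte=1, lt=3):
    """The range clause Kibana builds for an 'Is Between' filter on event.severity.

    The upper bound is sent as `lt` (exclusive), so (1, 3) keeps severities 1 and 2.
    """
    return {"range": {"event.severity": {"gte": gte, "lt": lt}}}


def search_body(size=30, gte=1, lt=3):
    """Search request equivalent to the 'Top Alert Signatures' table after the
    severity filter is added and the results limit is raised to `size`."""
    return {
        "size": 0,  # we only want the aggregation, not the hits
        "query": {
            "bool": {
                "filter": [
                    {"term": {"event.kind": "alert"}},  # assumed field: only alert records
                    severity_range(gte, lt),
                ]
            }
        },
        "aggs": {"top_signatures": {"terms": {"field": "rule.name", "size": size}}},
    }


def _get(doc, dotted):
    """Look up a dotted field name ('event.severity') in a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_range(doc, clause):
    """Evaluate one range clause locally with Elasticsearch semantics:
    all present bounds must hold, and a document lacking the field never matches."""
    (field, bounds), = clause["range"].items()
    value = _get(doc, field)
    if value is None:
        return False
    if "gte" in bounds and value < bounds["gte"]:
        return False
    if "gt" in bounds and value <= bounds["gt"]:
        return False
    if "lte" in bounds and value > bounds["lte"]:
        return False
    if "lt" in bounds and value >= bounds["lt"]:
        return False
    return True


def top_signatures(docs, size=30, gte=1, lt=3):
    """Local equivalent of the terms aggregation in search_body(): the `size`
    most frequent signatures among alert documents with severity in [gte, lt)."""
    clause = severity_range(gte, lt)
    counts = Counter(
        _get(d, "rule.name")
        for d in docs
        if _get(d, "event.kind") == "alert" and matches_range(d, clause)
    )
    return counts.most_common(size)


if __name__ == "__main__":
    print(json.dumps(search_body(), indent=2))
    for name, n in top_signatures(SAMPLE_DOCS):
        print(f"{n:4d}  {name}")
```

Run it and the severity 3 signature disappears from the table while the two severity 3 documents still count if you widen the bound to lt=4, which is the same behaviour you see in Kibana when you change the “to” value of the filter.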

Creating the Dashboard
Once this is saved, you’ll likely end up back at the previous screen, which may be the default alert dashboard in edit mode. Click the menu icon on the left, scroll down to the section “Analytics”, and click on the “Dashboard” link.

This page lists all dashboards in the system. At the upper right of the screen is a “Create Dashboard” button; click that.
On the Create Dashboard page, click “Add From Library” to load the visualization we just created. This will open a menu on the right side of the screen. In the search box enter “Alert Severity 1-2” and as you type your visualization will appear. Click it and it will load into the main window as a dashboard component.
You can add additional visualizations through “Add from Library” (e.g. Top Alerting Hosts), or create more visualizations and drop them in here.
When done, click Save, give your Dashboard a name, like High Severity Alerts, and add a proper tag for it, so you can find it easily via the main search box.