Follow

Recall Indices & Content For Stream in ELK v7

Recall Content can be added to any customer's Stream Elasticsearch & Kibana Index.

This guide will explain how a customer is able to quickly & easily add this data.

 

After completing these steps, the user will have these items on their ELK stack:

  • Index templates in ElasticSearch that will parse fields correctly
  • Kibana index patterns that will set the timestamp & representation of each index
  • Kibana saved searches for useful queries, such as the Vectra Security Assessment.
  • Dashboards, such as VPN overview dashboard, and the Host Dashboard.

Compressed File with Indices & Saved Searches

A zip file with relevant data is attached at the end of this page.

Last updated: 2020.07.06

Elastic templates

Install the templates on a given elastic search instance

Elasticsearch templates are contained within the ./elasticsearch-templates folder.

run HOST=localhost:9200 ./put.sh to upload all the existing templates to the local ES

OR

You can use the following curl command to install a given template:

curl -XPUT $HOST/_template/$TEMPLATE_NAME?include_type_name=true -H "Content-Type: application/json" --data-binary "@$TEMPLATE_PATH"

Be sure to populate $HOST, $TEMPLATE_NAME and $TEMPLATE_PATH with the proper data.

For instance:

curl -XPUT http://localhost:9200/_template/metadata_isession?include_type_name=true \
  -H "Content-Type: application/json" \
  --data-binary "@tpl/metadata_isession.jsonc"

More info on how to load templates can be found in the official ElasticSearch templates docs.

Kibana-state

./kibana-state/ is a store for a Kibana specific state, where the Kibana index patterns are stored.

Adding Stream index patterns

  • Before adding index patterns, ensure that index templates have been added to ES (HOST=localhost:9200 ./put.sh)
  • Go to kibana UI, Management, Saved Objects Section. /app/kibana#/management/kibana/objects
  • Click import, and select recall_kibana_indices.ndjson.

 

 

Was this article helpful?
0 out of 0 found this helpful

Download PDF

Have more questions? Submit a request

0 Comments

Article is closed for comments.