Recall Content can be added to any customer's Stream Elasticsearch & Kibana Index.
This guide will explain how a customer is able to quickly & easily add this data.
After completing these steps, the user will have these items on their ELK stack:
- Index templates in ElasticSearch that will parse fields correctly
- Kibana index patterns that will set the timestamp & representation of each index
- Kibana saved searches for useful queries, such as the Vectra Security Assessment.
- Dashboards, such as the VPN Overview dashboard and the Host Dashboard.
Compressed File with Indices & Saved Searches
A zip file with relevant data is attached at the end of this page.
Last updated: 2020.07.06
Install the templates on a given Elasticsearch instance
Elasticsearch templates are contained within the
Run HOST=localhost:9200 ./put.sh to upload all the existing templates to the local Elasticsearch instance.
You can use the following curl command to install a given template:
curl -XPUT "$HOST/_template/$TEMPLATE_NAME?include_type_name=true" -H "Content-Type: application/json" --data-binary "@$TEMPLATE_PATH"
Be sure to populate $HOST, $TEMPLATE_NAME and $TEMPLATE_PATH with the proper values, for example:
curl -XPUT "http://localhost:9200/_template/metadata_isession?include_type_name=true" \
  -H "Content-Type: application/json" \
  --data-binary "@tpl/metadata_isession.jsonc"
More info on how to load templates can be found in the official Elasticsearch index templates docs.
./kibana-state/ is a store for Kibana-specific state, where the Kibana index patterns are stored.
Adding Stream index patterns
- Before adding index patterns, ensure that the index templates have been added to Elasticsearch (see the template installation steps above).
- Go to the Kibana UI, Management, Saved Objects section (/app/kibana#/management/kibana/objects).
- Click import, and select recall_kibana_indices.ndjson.
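The two steps above (template upload, then saved-object import) as one added script. This is an added example, not Vectra's put.sh or any file from the attached zip. It assumes ES_HOST and KIBANA_HOST are host:port values without a scheme, that templates live in a directory of *.jsonc files whose names (minus the extension) are the template names, and that the export file is the recall_kibana_indices.ndjson from this page. Instead of clicking through the UI, it posts the export to Kibana's saved objects import API (POST /api/saved_objects/_import with the kbn-xsrf header), and it checks the HTTP status of every template PUT, since a silently rejected template is the usual reason fields later appear unparsed in Kibana.

```shell
#!/bin/sh
# Added example (not Vectra's put.sh). Assumptions: ES_HOST like localhost:9200,
# KIBANA_HOST like localhost:5601, templates in <dir>/*.jsonc named after the file,
# and a Kibana saved-objects export in .ndjson form.
set -u

# tpl/metadata_isession.jsonc -> metadata_isession
template_name() {
  base=$(basename "$1")
  printf '%s\n' "${base%.*}"
}

# Fully quoted template URL; left unquoted, the '?' can be expanded as a shell glob.
template_url() {
  printf 'http://%s/_template/%s?include_type_name=true\n' "$1" "$2"
}

kibana_import_url() {
  printf 'http://%s/api/saved_objects/_import\n' "$1"
}

# PUT one template and surface the HTTP status instead of discarding it.
put_template() {
  host=$1; path=$2
  name=$(template_name "$path")
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT "$(template_url "$host" "$name")" \
    -H 'Content-Type: application/json' --data-binary "@$path")
  case $status in
    200) echo "ok   $name" ;;
    *)   echo "FAIL $name (HTTP $status)" >&2; return 1 ;;
  esac
}

# Upload every template in a directory; keep going on failure, return the failure count.
upload_templates() {
  host=$1; dir=$2; failed=0
  for f in "$dir"/*.jsonc; do
    [ -e "$f" ] || { echo "no *.jsonc templates in $dir" >&2; return 1; }
    put_template "$host" "$f" || failed=$((failed + 1))
  done
  return "$failed"
}

# Import the saved-objects export through the Kibana API (same result as Management >
# Saved Objects > Import). kbn-xsrf is required on every state-changing Kibana request.
import_saved_objects() {
  host=$1; file=$2
  curl -sS --fail -X POST "$(kibana_import_url "$host")" -H 'kbn-xsrf: true' \
    --form "file=@$file"
  echo
}

# Only contacts the servers when run directly with both hosts set, e.g.:
#   ES_HOST=localhost:9200 KIBANA_HOST=localhost:5601 sh stream_setup.sh tpl recall_kibana_indices.ndjson
if [ -n "${ES_HOST:-}" ] && [ -n "${KIBANA_HOST:-}" ] && [ $# -eq 2 ]; then
  upload_templates "$ES_HOST" "$1" && import_saved_objects "$KIBANA_HOST" "$2"
fi
```

The Kibana import is deliberately run only after every template PUT returned 200, matching the ordering the steps above require: index patterns created before the templates exist will pick up dynamically mapped field types and will not be corrected by a later template upload.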