7.6. Use of Kibana dashboards

7.6.1. Introduction

The Kibana dashboards enable a more in-depth investigation because they give access to every event in the solution, not only to the alerts.
An entire attack can be traced by moving from dashboard to dashboard while keeping the same filter.
The purpose of this procedure is to present the method for tracing a specific attack.

For the investigation method in Kibana, go to the Procedure introducing the Kibana investigation method.

See the Overview of the Kibana GUI.


7.6.2. Prerequisites

  • User: member of the Operator group


7.6.3. Preliminary operations


7.6.4. Procedure introducing the Kibana investigation method

  • From the navigation bar, click on the `Hunting` button.

  • Go to the `Malcore` tab.

  • In the `Message` tab, locate the alert on an infected file that requires investigation.

  • Expand this alert to display all the fields of the event.

  • Find the `flow_id` field and add a positive filter on it by clicking the + icon (filter for this value). The filter appears under the search bar.

  • Click on this filter, then click on `Pin across all apps` so that the filter is kept when you move to the other dashboards.

  • Browse the different "alert" dashboards to check whether other alerts were generated for this flow.

  • Browse the metadata dashboard to see which metadata were generated for this flow.
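The same pivot, done outside the GUI, as an added example that is not part of the original procedure nor the product's own code. It works on constructed sample events in Suricata EVE JSON style (the field names, the `engine` values and the `message` texts are assumptions, not the product's schema): it locates the infected-file alert, takes its `flow_id`, builds the equivalent of the pinned Kibana filter both as a KQL expression and as Elasticsearch query DSL, and then lists what the "alert" and metadata dashboards would show for that flow once the filter is applied.

```python
"""Pivot on flow_id across all event types, as the pinned Kibana filter does.

Added example; the events below are constructed, not real traffic, and
the field layout is an assumption modelled on Suricata EVE JSON.
"""
import json
from collections import defaultdict

FLOW_A = 1842339421   # constructed flow_id of the suspicious download
FLOW_B = 770012       # constructed flow_id of an unrelated DNS lookup

# Constructed sample events: flow A carries an HTTP download, the
# matching fileinfo record and two alerts; flow B is unrelated noise.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-02T10:14:03Z", "event_type": "http", "flow_id": FLOW_A,
     "src_ip": "10.0.0.12", "dest_ip": "203.0.113.5",
     "http": {"hostname": "files.example", "url": "/update.exe", "http_method": "GET"}},
    {"timestamp": "2024-05-02T10:14:04Z", "event_type": "fileinfo", "flow_id": FLOW_A,
     "src_ip": "10.0.0.12", "dest_ip": "203.0.113.5",
     "fileinfo": {"filename": "update.exe", "size": 48128}},
    {"timestamp": "2024-05-02T10:14:05Z", "event_type": "alert", "flow_id": FLOW_A,
     "src_ip": "10.0.0.12", "dest_ip": "203.0.113.5", "engine": "malcore",
     "message": "Infected file detected: update.exe"},
    {"timestamp": "2024-05-02T10:14:05Z", "event_type": "alert", "flow_id": FLOW_A,
     "src_ip": "10.0.0.12", "dest_ip": "203.0.113.5", "engine": "ids",
     "message": "Executable download from uncategorised host"},
    {"timestamp": "2024-05-02T10:15:40Z", "event_type": "dns", "flow_id": FLOW_B,
     "src_ip": "10.0.0.30", "dest_ip": "10.0.0.1",
     "dns": {"rrname": "intranet.example", "rrtype": "A"}},
]


def find_alert(events, text):
    """Locate the alert whose message mentions the text (the 'Message' step)."""
    for ev in events:
        if ev.get("event_type") == "alert" and text.lower() in ev.get("message", "").lower():
            return ev
    return None


def kql_filter(flow_id):
    """The pinned Kibana filter written as a KQL expression."""
    return f"flow_id:{flow_id}"


def es_filter(flow_id):
    """Same filter as Elasticsearch query DSL: a non-scoring term filter."""
    return {"query": {"bool": {"filter": [{"term": {"flow_id": flow_id}}]}}}


def events_for_flow(events, flow_id):
    """What every dashboard shows with the filter pinned: the flow's events, by type."""
    grouped = defaultdict(list)
    for ev in events:
        if ev.get("flow_id") == flow_id:
            grouped[ev["event_type"]].append(ev)
    return dict(grouped)


def investigate(events, text):
    """Run the whole procedure: alert -> flow_id -> other alerts and metadata."""
    alert = find_alert(events, text)
    if alert is None:
        raise LookupError(f"no alert matching {text!r}")
    fid = alert["flow_id"]
    by_type = events_for_flow(events, fid)
    return {
        "flow_id": fid,
        "kql": kql_filter(fid),
        "es_query": es_filter(fid),
        # the "alert" dashboards: every alert raised on this flow
        "alerts": [a["message"] for a in by_type.get("alert", [])],
        # the metadata dashboard: non-alert events, counted per type
        "metadata": {t: len(v) for t, v in by_type.items() if t != "alert"},
        "events_by_type": by_type,
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_EVENTS, "infected file")
    print(json.dumps({k: v for k, v in result.items() if k != "events_by_type"}, indent=2))
```

The term filter is exactly what Kibana stores when you click the + next to `flow_id`; pinning it only makes Kibana carry that same clause into the other dashboards. When several probes feed the same Elasticsearch cluster, keep the time range narrow and check the field identifying the probe as well, so that the pivot does not pick up a flow from another sensor that happens to share the identifier.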