5.3. Overview of the Kibana GUI

5.3.1. Overview of the Kibana GUI : presentation

The Kibana web interface displays the data stored in the ElasticSearch indexes of the GCenter.
This data comes from different analysis engines.
Before being indexed by the GCenter, this data can:
  • Come from analyses on the GCap side (alerts and metadata reported by the Sigflow detection engine)

  • Come from analyses on the GCenter side (alerts raised by the other detection engines)

Important

This section describes the graphical elements accessible to members of the operator group.


5.3.2. Configuration of the Kibana GUI

../_images/GCE103_KIBANA_01.PNG
The Kibana interface is fully editable by the user: it is possible to create visualizations and dashboards.
By default, the interface ships with predefined dashboards to visualize the data of the different engines of the solution.
These dashboards are also editable by the user.
Different viewing rights apply to this interface:
  • Users who are members of the `operator` group can view the data present in the detection event dashboards

  • Users who are members of the `administrator` group can view the data present in the system dashboards (System logs Overview)

Note

Kibana interface access is available:

  • For members of the `operator` group, by clicking on the `Hunting` button on the navigation bar

  • For members of the `administrator` group, by clicking on `System logs` in the `Administration - Maintenance` menu

The `Dashboards` button (1) displays the list of existing dashboards and lets you select one of them.
`Alerts - Overview` (2) is the default dashboard for members of the operator group.

5.3.3. Main tabs

There are three main tabs, `Alerts`, `Network Metadata` and `Administration`, described in the following sections.


5.3.4. Native dashboards of the `Alerts` tab

../_images/GCE103_KIBANA_01.PNG

The `Alerts` information of the different engines is grouped in the Kibana interface as tabs (6):

  Tab                      Displays all alerts generated by the
  `Overview`               GCenter
  `Sigflow`                Sigflow engine
  `Malcore`                Malcore engine
  `Malicious Powershell`   Malicious Powershell detect engine
  `Shellcode`              Shellcode detect engine
  `DGA`                    DGA detect engine
  `Beacon`                 Beacon detect engine
  `Ransomware`             Ransomware detect engine
  `Active CTI`             Active CTI engine
  `Retro hunt`             Retro hunt engine

Note

For most dashboards, the following pages are available:

  • `Overview`

  • `Messages`

Each of these tabs corresponds to a specific type of data. Taken together, the dashboards provide the following visualizations:
  • a graph showing the number of alerts per engine over time

  • a counter displaying the number of alerts per engine, the number of metadata entries and the number of files scanned

  • a top 10 of source IP addresses by type of alert

  • a top 10 of destination IP addresses by type of alert

  • a graph showing the proportion of the different severity levels of Sigflow alerts

  • a graph showing the number of unique signatures that raised alerts over time

  • a list of the Malcore alerts identified by the solution (in the form of messages)

  • a top 10 of alerts

  • a top distribution of DGA domain names

  • a top 10 of Machine Learning alerts

The main view `Overview` shows different graphs and statistics for the selected time range.
../_images/GCE103_KIBANA_02.PNG
It also contains an explanatory paragraph on Malicious Powershell alerts.
Click on `Messages` to display the list of alerts.
The secondary view `Messages` shows a histogram and the list of alerts.
The histogram shows the distribution of alerts over the selected time range.
It can notably reveal a periodicity in the alerts, or a particularly active time of day.
The list of alerts can be customized by removing or adding columns.
Click on the «double arrow» icon at the beginning of a row to display all the fields of that alert.
It is then possible to filter on certain values, for example to:
  • Hide machines known to be healthy (filter out false positives)

  • Show only alerts from a particular IP address

  • Hide alerts from a specific GCap
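The two readings the `Messages` histogram is used for, a busy time of day and a regular spacing between alerts, can be checked numerically once the alert list has been exported. The following is an added example, not GCenter or Kibana code: it buckets constructed alert records per hour of day over a chosen time range and estimates the inter-arrival period per source host. The alert records, and the field names `timestamp` and `src_ip`, are assumptions made for this example, not the GCenter index mapping.

```python
"""Hour-of-day activity and periodicity from a list of alert timestamps.

Added example (not GCenter or Kibana code). It reproduces, on constructed
data, what the `Messages` histogram is read for: a busy hour and a regular
(beacon-like) spacing between alerts. The field names `timestamp` and
`src_ip` are assumptions for this example, not the GCenter index mapping.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

BASE = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)


def build_sample_alerts():
    """Constructed sample: 20 alerts every 300 s from one host starting at
    09:00, plus 6 irregularly spaced alerts from another host after 14:00."""
    alerts = [{"timestamp": BASE + timedelta(hours=9, seconds=300 * i),
               "src_ip": "10.0.0.5"} for i in range(20)]
    for offset in (0, 37, 190, 1900, 4100, 4200):
        alerts.append({"timestamp": BASE + timedelta(hours=14, seconds=offset),
                       "src_ip": "10.0.0.9"})
    return alerts


def hourly_histogram(alerts, start, end):
    """Count alerts per hour of day for alerts with start <= timestamp < end
    (the histogram for the selected time range)."""
    counts = Counter(a["timestamp"].hour for a in alerts
                     if start <= a["timestamp"] < end)
    return dict(counts)


def busiest_hour(histogram):
    """Hour with the most alerts, or None for an empty histogram."""
    return max(histogram, key=histogram.get) if histogram else None


def period_seconds(alerts, src_ip, tolerance=0.1):
    """Median inter-arrival time (s) of one source's alerts, if at least 80%
    of the intervals lie within `tolerance` of that median; otherwise None.
    A returned value is the periodicity the histogram hints at; an
    irregular host yields None. Needs at least three alerts."""
    times = sorted(a["timestamp"] for a in alerts if a["src_ip"] == src_ip)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med)
    return med if regular / len(gaps) >= 0.8 else None


if __name__ == "__main__":
    sample = build_sample_alerts()
    hist = hourly_histogram(sample, BASE, BASE + timedelta(days=1))
    print("alerts per hour:", hist, "busiest:", busiest_hour(hist))
    for ip in ("10.0.0.5", "10.0.0.9"):
        print(ip, "period (s):", period_seconds(sample, ip))
```

On the constructed data the regular host reports a 300 s period while the irregular host reports none; the tolerance and the 80% threshold are the knobs to tune against real exports, where legitimate periodic traffic (updates, monitoring) also produces a clean period.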


5.3.5. Native dashboards of the `Network Metadata` tab

../_images/GCE103_KIBANA_03.PNG

`Network Metadata` displays, in sub-tabs, the metadata for the different protocols analyzed by the probe:

  • `Overview`: synthesizes all metadata

  • `Relations`: synthesizes all metadata into visualizations in chart form

  • `DHCP`: DHCP metadata details

  • `DNS`: DNS metadata details

  • `File Transaction`: details of the metadata related to the files reconstructed by the probe

  • `HTTP`: HTTP metadata details

  • `IKEv2`: IKEv2 metadata details

  • `KRB5`: KRB5 metadata details

  • `NFS`: NFS protocol metadata details

  • `SMB`: SMB metadata details

  • `SMTP`: SMTP metadata details

  • `SSH`: SSH metadata details

  • `TFTP`: TFTP metadata details

  • `TLS`: TLS metadata details

Attention

Some protocols do not have a native dashboard despite the fact that they can generate metadata.
These metadata are still indexed and usable in Kibana.

5.3.6. Native dashboards of the `Administration` tab

../_images/GCE103_KIBANA_04.PNG

The `Administration` tab groups the native system dashboards in sub-tabs, by theme:

  • `System Logs` displays the solution’s syslog system events

  • `Users History` displays the Users history events

  • `Metrics` displays the Administration metrics


5.3.7. Data exploitation

In each dashboard, it is possible to filter the data so that only the desired events are displayed.
Several options are available and can be combined:
  • Filter by changing the time interval (top right of the page)

  • Filter by entering a query in the `Search` bar (top left)

  • Filter by creating a filter on a specific field of the desired events (`+ Add filter` button below the search bar)
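The three controls above (time picker, `Search` bar, `+ Add filter`), and the `Messages` filters listed in 5.3.4 (only one source IP, not a given GCap), all reduce to a single Elasticsearch bool query sent to the index. The following is an added example, not GCenter or Kibana code: it builds that query for those cases and evaluates it locally against constructed alert documents, so the effect of each control can be checked without a cluster. The field names `@timestamp`, `src_ip` and `gcap`, and the sample documents, are assumptions made for this example, not the GCenter index mapping.

```python
"""The Elasticsearch bool query behind Kibana's three filter controls.

Added example, not GCenter or Kibana code. Time picker -> range clause,
`+ Add filter` -> term clause (a negated filter goes to must_not),
`Search` bar -> query_string clause. Field names and sample documents are
assumptions for this example, not the GCenter index mapping.
"""
import re

SAMPLE_ALERTS = [  # constructed documents, not real GCenter data
    {"id": 1, "@timestamp": "2024-03-01T09:05:00Z", "src_ip": "10.0.0.5",
     "gcap": "gcap-lab", "signature": "test rule A"},
    {"id": 2, "@timestamp": "2024-03-01T09:30:00Z", "src_ip": "10.0.0.9",
     "gcap": "gcap-lab", "signature": "test rule B"},
    {"id": 3, "@timestamp": "2024-03-01T10:15:00Z", "src_ip": "10.0.0.5",
     "gcap": "gcap-dmz", "signature": "test rule A"},
    {"id": 4, "@timestamp": "2024-03-01T12:00:00Z", "src_ip": "10.0.0.5",
     "gcap": "gcap-lab", "signature": "test rule B"},
]


def build_alert_query(time_from, time_to, src_ip=None, exclude_gcap=None,
                      free_text=None, ts_field="@timestamp",
                      ip_field="src_ip", gcap_field="gcap"):
    """Return the query body for the selected time range plus the optional
    positive (src_ip, free_text) and negative (exclude_gcap) filters.
    Timestamps are ISO-8601 UTC strings, as stored in the index."""
    filters = [{"range": {ts_field: {"gte": time_from, "lt": time_to}}}]
    must_not = []
    if src_ip:
        filters.append({"term": {ip_field: src_ip}})
    if free_text:
        filters.append({"query_string": {"query": free_text}})
    if exclude_gcap:
        must_not.append({"term": {gcap_field: exclude_gcap}})
    return {"query": {"bool": {"filter": filters, "must_not": must_not}}}


# Minimal local evaluator covering only the three clause types used above,
# so the query can be checked offline.
def _term_ok(doc, body):
    (field, value), = body.items()
    return doc.get(field) == value


def _range_ok(doc, body):
    (field, bounds), = body.items()
    value = doc.get(field)
    if value is None:
        return False
    # ISO-8601 UTC strings of identical format compare correctly as strings.
    if "gte" in bounds and value < bounds["gte"]:
        return False
    if "lt" in bounds and value >= bounds["lt"]:
        return False
    return True


def _query_string_ok(doc, body):
    """Simplified: every whitespace-separated term of the query must occur as
    a whole token in some field (the real query_string also has operators)."""
    haystack = " ".join(str(v) for v in doc.values()).lower()
    tokens = re.findall(r"[\w.-]+", haystack)
    return all(term.lower() in tokens for term in body["query"].split())


_CLAUSES = {"term": _term_ok, "range": _range_ok, "query_string": _query_string_ok}


def _clause_ok(doc, clause):
    (kind, body), = clause.items()
    return _CLAUSES[kind](doc, body)


def run_query(docs, query):
    """IDs of documents matching every `filter` clause and no `must_not` clause."""
    b = query["query"]["bool"]
    return [d["id"] for d in docs
            if all(_clause_ok(d, c) for c in b.get("filter", []))
            and not any(_clause_ok(d, c) for c in b.get("must_not", []))]


if __name__ == "__main__":
    morning = ("2024-03-01T09:00:00Z", "2024-03-01T11:00:00Z")
    print(run_query(SAMPLE_ALERTS, build_alert_query(*morning, src_ip="10.0.0.5")))
    print(run_query(SAMPLE_ALERTS, build_alert_query(*morning, exclude_gcap="gcap-lab")))
```

The query body returned by `build_alert_query` is what a practitioner would paste into Kibana's Dev Tools or send with `curl` to reproduce a dashboard filter outside the GUI; the clauses sit in `filter` rather than `must` because dashboard filtering needs no relevance scoring.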