7.7. Using the Kibana dashboards

7.7.1. Introduction

The Kibana dashboards enable more in-depth investigation because they give access to every event in the solution.
A complete attack can be traced by moving from dashboard to dashboard.
The purpose of this procedure is to present the method for tracing a specific attack.


7.7.3. Prerequisites

  • User: member of the Operator group


7.7.4. Preliminary operations


7.7.5. Procedure introducing the Kibana investigation method

  • From the navigation bar, click on the `Hunting` button (5).

    [Image: GCE103_HOME-2.PNG]

    The `Hunting` window is displayed.

    [Image: GCE103_KIBANA_01.PNG]

  • Go to the `Malcore` tab.

  • In the `Message` tab, locate the alert on an infected file requiring investigation.

  • Scroll down this alert to display all the fields in the event.

  • Find the `flow_id` field and apply a positive filter on it by clicking the + icon. The filter is displayed under the search bar.

  • Click on this filter and then click on `Pin across all apps` to pin the filter so that it is kept when switching to the other dashboards.

  • Browse the different "alert" dashboards to see if other alerts were generated for this flow.

  • Browse the metadata dashboard to see which metadata were generated for this flow.
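The pivot performed by hand above (locate the Malcore alert, pin its `flow_id`, then read the alert and metadata dashboards for that flow) is reproduced offline below. This is an added example, not code from the product documentation; the sample events are constructed, and every field name other than `flow_id` (`event_type`, `module`, `timestamp`, `message`) is an assumption about the event layout.

```python
"""Added example: pivoting on flow_id across alert and metadata events."""
from collections import defaultdict

# Constructed sample events (not real product output); field names other
# than flow_id are assumptions.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-10T09:12:00Z", "flow_id": 1842671, "event_type": "metadata",
     "module": "http", "message": "GET /docs/invoice.docm"},
    {"timestamp": "2024-01-10T09:12:00Z", "flow_id": 1842671, "event_type": "metadata",
     "module": "fileinfo", "message": "invoice.docm 48 KB"},
    {"timestamp": "2024-01-10T09:12:01Z", "flow_id": 1842671, "event_type": "alert",
     "module": "malcore", "message": "infected file detected: invoice.docm"},
    {"timestamp": "2024-01-10T09:12:01Z", "flow_id": 1842671, "event_type": "alert",
     "module": "sigflow", "message": "suspicious document download"},
    {"timestamp": "2024-01-10T09:13:40Z", "flow_id": 1842699, "event_type": "alert",
     "module": "sigflow", "message": "unrelated flow"},
]


def flow_of_malcore_alert(events, needle):
    """Step 'locate the alert on an infected file': return the flow_id of the
    first Malcore alert whose message mentions `needle`, or None."""
    for ev in events:
        if ev["module"] == "malcore" and ev["event_type"] == "alert" \
                and needle in ev["message"]:
            return ev["flow_id"]
    return None


def pinned_filter_query(flow_id):
    """Elasticsearch query-DSL equivalent of the pinned positive flow_id filter:
    a `term` filter, results sorted oldest first."""
    return {"query": {"bool": {"filter": [{"term": {"flow_id": flow_id}}]}},
            "sort": [{"timestamp": "asc"}]}


def pivot_on_flow(events, flow_id):
    """Steps 'browse the alert dashboards' and 'browse the metadata dashboard':
    return the alerts and the metadata of one flow, each oldest first."""
    by_type = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("flow_id") == flow_id:
            by_type[ev["event_type"]].append(ev)
    return {"alerts": by_type["alert"], "metadata": by_type["metadata"]}


if __name__ == "__main__":
    fid = flow_of_malcore_alert(SAMPLE_EVENTS, "invoice.docm")
    view = pivot_on_flow(SAMPLE_EVENTS, fid)
    for kind in ("alerts", "metadata"):
        for ev in view[kind]:
            print(kind, ev["timestamp"], ev["module"], ev["message"])
```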