Kibana 统计数据展示 demo
数据有了,想做一个报表出来,却又不知道该怎么做。恰好手头有一个合适的商业 demo,抠过来学习借鉴一下。
再往下:
接下来是每一项统计的实现部分(即对应的 Elasticsearch 查询 DSL)。注意下面每条查询里 timestamp 的范围(gte/lte,epoch_millis)都是写死的,套用时需要按实际的时间段替换:
主机威胁-统计:
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"date_histogram": {
"field": "timestamp",
"interval": "30m",
"time_zone": "Asia/Shanghai",
"min_doc_count": 1
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
主机威胁-源IP统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"terms": {
"field": "src_ip",
"size": 50,
"order": {
"_count": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
主机威胁-目的IP统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"terms": {
"field": "dst_ip",
"size": 50,
"order": {
"_count": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
威胁-类型统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"terms": {
"field": "classtype",
"size": 50,
"order": {
"_count": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
威胁-威胁严重性统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"terms": {
"field": "severity",
"size": 10,
"order": {
"_term": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
主机威胁-协议统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": [
{
"match": {
"proto": {
"query": "",
"type": "phrase"
}
}
}
]
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"3": {
"terms": {
"field": "proto",
"size": 10,
"order": {
"_count": "desc"
}
},
"aggs": {
"2": {
"terms": {
"field": "app_proto",
"size": 50,
"order": {
"_count": "desc"
}
}
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": [
{
"match": {
"proto": {
"query": "",
"type": "phrase"
}
}
}
]
}
}
}
},
"fragment_size": 2147483647
}
}
主机威胁-目的端口统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"2": {
"terms": {
"field": "dst_port",
"size": 50,
"order": {
"_count": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"fragment_size": 2147483647
}
}
主机威胁-威胁说明统计
{
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*"
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": [
{
"match": {
"target": {
"query": "",
"type": "phrase"
}
}
}
]
}
},
"size": 0,
"_source": {
"excludes": []
},
"aggs": {
"3": {
"terms": {
"field": "target",
"size": 50,
"order": {
"_count": "desc"
}
}
}
},
"version": true,
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"*": {
"highlight_query": {
"bool": {
"must": [
{
"query_string": {
"query": "*",
"analyze_wildcard": true,
"all_fields": true
}
},
{
"query_string": {
"analyze_wildcard": true,
"query": "*",
"all_fields": true
}
},
{
"range": {
"timestamp": {
"gte": 1553011200000,
"lte": 1553097599000,
"format": "epoch_millis"
}
}
}
],
"must_not": [
{
"match": {
"target": {
"query": "",
"type": "phrase"
}
}
}
]
}
}
}
},
"fragment_size": 2147483647
}
}
最后再附一条原生的日志样例(其中 hostip、src_mac/dst_mac、uuid 等字段都是实际环境中的标识信息,对外分享时需自行脱敏):
{
"_index": "host-threat-2019-03-20",
"_type": "log",
"_id": "AWmbEkhZShGDacnAdwJw",
"_version": 1,
"_score": null,
"_source": {
"conn": {
"duration": "0.315865",
"src_mac": "34:b3:54:cc:21:0c",
"resp_bytes": "4032",
"resp_pkts": "8",
"orig_bytes": "1869",
"conn_state": "Connection established and finished",
"orig_pkts": "12",
"dst_mac": "00:00:5e:00:01:10"
},
"kill_chain": "remote-control",
"dst_ip_geoloc": "22.2833,114.15",
"sub_category": "",
"src_ip_city": "Beijing",
"hostip": "10.253.1.172",
"reliability": "",
"classtype": "threat-intelligence-alarm",
"dst_ip_country_code": "HK",
"rid": "10180004",
"interface": "em4",
"uuid": "b2b12b34-abc7-40e1-b12b-34abc780e1ab",
"dst_ip": "111.221.29.254",
"src_ip": "10.253.107.70",
"dst_service": "https",
"hostname": "ATD",
"dst_ip_city": "Hong Kong",
"payload": "",
"timestamp": "1553084857504",
"severity": "4",
"src_service": "",
"dst_ip_country": "Hong Kong",
"message": "",
"app_proto": "ssl",
"target": "111.221.29.254",
"src_port": "49290",
"engine_type": "intel",
"src_ip_country_code": "CN",
"proto": "tcp",
"dst_port": "443",
"src_ip_geoloc": "39.9047,116.4072",
"src_ip_country": "China",
"family": "criticalstack (malware)",
"category": "outbound2malicious-server",
"resp_data": "",
"desc": "family:criticalstack (malware);proto:tcp;app_proto:ssl;"
},
"fields": {
"timestamp": [
1553084857504
]
},
"sort": [
1553084857504
]
}
祝好