Skadi Specific Kibana Dashboards, Visualizations, and Searches
There are multiple ways to interface with the data; this document describes the pre-built items that are included: Searches, Visualizations and Dashboards. These were made to provide an easy starting point for looking at the data and to get the most out of what CDQR and Plaso provide.
They were made to be hierarchical: Searches are used to build Visualizations, which are then used to build Dashboards. This means that changes to the saved Searches are automatically reflected in the Visualizations and Dashboards that use them.
By default, Skadi has an index of “case_cdqr-*” and this allows for searching all data uploaded by CDQR.
To view data from just one host/collection of artifacts, a new index is required. To create a new index, replace the “logstash-*” in the upper white box with “case_cdqr-<index_name>*”. The name must match what was used on the CDQR command line. In this example, “case_cdqr-test*” is used.
Next, the white box under the “Time-field name” entry must be populated with “datetime”, and the “Create” button should turn green. If that does not happen, check the index name to ensure it is accurate.
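The following Python script is an added example, not part of the Skadi project or this wiki page. It derives the per-case pattern “case_cdqr-<index_name>*” from the name given to CDQR, checks it against a list of existing Elasticsearch indices (constructed sample data below, standing in for what `GET /_cat/indices` would return) so the “no match, Create button stays grey” situation described above is caught before anything is created, and builds the body for Kibana's saved-objects API. The endpoint `POST /api/saved_objects/index-pattern` with the `kbn-xsrf` header and the `title`/`timeFieldName` attributes is an assumption about the Kibana version Skadi ships; verify it against your Kibana release before relying on `create_index_pattern`.

```python
"""Derive and validate the Kibana index pattern for a CDQR case (added example)."""
from __future__ import annotations

import fnmatch
import json
import urllib.request

# Skadi's default pattern covers everything CDQR uploads (stated on the wiki page).
DEFAULT_PATTERN = "case_cdqr-*"
# Field Kibana must use as the time field for CDQR/Plaso data (stated on the page).
TIME_FIELD = "datetime"


def index_pattern_for(case_name: str) -> str:
    """Build the per-case pattern "case_cdqr-<index_name>*" from the CDQR case name.

    Characters that are illegal in Elasticsearch index names are rejected up
    front, since a pattern containing them can never match an index.
    """
    case_name = case_name.strip()
    if not case_name or any(ch in case_name for ch in ' /\\"*?<>|,#'):
        raise ValueError(f"invalid CDQR case name: {case_name!r}")
    return f"case_cdqr-{case_name}*"


def matching_indices(pattern: str, existing: list[str]) -> list[str]:
    """Return the indices the pattern would cover, using Kibana-style wildcards.

    An empty result is the failure the page warns about: Kibana will not turn
    the "Create" button green, usually because the name differs from the one
    given to CDQR on the command line.
    """
    return sorted(name for name in existing if fnmatch.fnmatchcase(name, pattern))


def saved_object_payload(pattern: str) -> dict:
    """Request body for the (assumed) saved-objects index-pattern endpoint."""
    return {"attributes": {"title": pattern, "timeFieldName": TIME_FIELD}}


def create_index_pattern(kibana_url: str, pattern: str, existing: list[str]) -> dict:
    """Create the pattern via Kibana's saved-objects API after confirming a match.

    This performs a network call and is not exercised by the offline sample run.
    """
    if not matching_indices(pattern, existing):
        raise LookupError(
            f"no index matches {pattern}; check the name used on the CDQR command line"
        )
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/saved_objects/index-pattern",  # assumed endpoint
        data=json.dumps(saved_object_payload(pattern)).encode(),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample of index names, not taken from a real Skadi host.
    sample_indices = ["case_cdqr-test", "case_cdqr-test2", "case_cdqr-hostb", ".kibana"]
    pattern = index_pattern_for("test")
    print(pattern, "->", matching_indices(pattern, sample_indices))
    print(json.dumps(saved_object_payload(pattern)))
```

Note what the sample run shows: because the pattern ends in a wildcard, “case_cdqr-test*” also covers “case_cdqr-test2”, so cases whose names share a prefix will be mixed into one index pattern. Choosing distinct CDQR case names avoids that.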
To remove the index go to the Cerebro cluster management interface: http://<Skadi IP address or localhost>:9200
The Searches are linked to the Visualizations, which are linked to the Dashboards. Changing any part of the chain affects everything downstream of it:
Saved Search -> Saved Visualization(s) -> Saved Dashboard