Using ES|QL in Kibana to Queries DShield Honeypot Logs

With the Elastic release of version 8.17.0, it included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive."[1] With this release, I started exploring some of the many options available with ES|QL in Kibana [2], which is enabled by default, to run various types of queries that quickly summarize data outside of the default or custom dashboards.

To illustrate this, I will show two different queries, one on user.name and one on the source actor IP addresses. While writing the query, you will notice that after you type the pipe (|), a list of possible ES|QL commands and fields appears; refer to this reference for the ES|QL language [4].

This is an example of a simple query where the only field selected is user.name, stored in the Elasticsearch [6] cowrie index. In this example, the output is limited by the selected time range and to a maximum of 1000 rows. By adding | LIMIT 10 to the end of the query, the output would only show the top 10 instead of up to 1000.

FROM cowrie*
| KEEP user.name
| STATS COUNT(user.name) BY user.name
| SORT `COUNT(user.name)` DESC

This second example shows the top 10 actor IPs over the past 7 days captured by the DShield sensor. To change the default visualization, including the visualization type, axes and colors, click the pencil button (the ES|QL icon in the picture above). It opens the in-line editor, as in this example, where you can adjust the graph to what you want.

FROM cowrie*
| KEEP related.ip
| STATS COUNT(related.ip) BY related.ip
| SORT `COUNT(related.ip)` DESC
| LIMIT 10
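The two queries above share one shape: count documents per field value, sort by the count, optionally cap the rows. The following Python is an added example, not part of the original diary or of the DShield-SIEM project: it reproduces that pipeline locally over a handful of constructed cowrie-style records (made-up RFC 5737 addresses and user names, not real honeypot data) so you can confirm what STATS ... BY, SORT DESC and LIMIT produce, builds the matching ES|QL text, and shows the request body the Elasticsearch _query REST endpoint accepts. The @timestamp field name, the 7-day WHERE clause and the run_esql() helper are assumptions added here; the diary's own queries only use user.name and related.ip.

```python
import json
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like cowrie* documents, using the ECS-style
# field names user.name and related.ip from the diary's queries. @timestamp is
# an assumed field (standard in Elasticsearch, not shown in the diary).
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed "now" so results are stable
SAMPLE_EVENTS = [
    {"@timestamp": NOW - timedelta(days=1), "user.name": "root", "related.ip": "198.51.100.7"},
    {"@timestamp": NOW - timedelta(days=2), "user.name": "root", "related.ip": "198.51.100.7"},
    {"@timestamp": NOW - timedelta(days=3), "user.name": "admin", "related.ip": "203.0.113.9"},
    {"@timestamp": NOW - timedelta(days=4), "user.name": "root", "related.ip": "203.0.113.9"},
    {"@timestamp": NOW - timedelta(days=6), "user.name": "ubuntu", "related.ip": "192.0.2.44"},
    # Older than 7 days: excluded when a time window is applied.
    {"@timestamp": NOW - timedelta(days=12), "user.name": "root", "related.ip": "192.0.2.44"},
    {"@timestamp": NOW - timedelta(days=30), "user.name": "pi", "related.ip": "192.0.2.44"},
]


def stats_count_by(events, field, days=None, limit=None, now=NOW):
    """Local equivalent of
         FROM cowrie* | WHERE @timestamp > NOW() - <days> days
                      | STATS COUNT(<field>) BY <field>
                      | SORT `COUNT(<field>)` DESC | LIMIT <limit>
    Returns a list of (value, count) tuples, highest count first."""
    cutoff = now - timedelta(days=days) if days is not None else None
    counter = Counter(
        e[field]
        for e in events
        if field in e and (cutoff is None or e["@timestamp"] > cutoff)
    )
    # Count descending, then value ascending so ties have a deterministic order.
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit] if limit is not None else ranked


def build_esql_query(field, days=None, limit=None, index="cowrie*"):
    """Assemble the ES|QL text for the same pipeline as stats_count_by().
    WHERE must come before KEEP, because KEEP drops @timestamp."""
    parts = [f"FROM {index}"]
    if days is not None:
        parts.append(f"WHERE @timestamp > NOW() - {days} days")
    parts.append(f"KEEP {field}")
    parts.append(f"STATS COUNT({field}) BY {field}")
    parts.append(f"SORT `COUNT({field})` DESC")
    if limit is not None:
        parts.append(f"LIMIT {limit}")
    return "\n| ".join(parts)


def esql_request_body(query):
    """JSON body for POST /_query, the ES|QL REST endpoint; it carries the
    same query text you would type into Kibana's ES|QL editor."""
    return json.dumps({"query": query})


def run_esql(base_url, query, api_key):
    """Send the query to an Elasticsearch node (network call, not run here).
    base_url and api_key are placeholders you supply for your own deployment."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/_query",
        data=esql_request_body(query).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(build_esql_query("related.ip", days=7, limit=10))
    for value, count in stats_count_by(SAMPLE_EVENTS, "related.ip", days=7, limit=10):
        print(f"{count:4d}  {value}")
```

Running it prints the 7-day top-10 query followed by the ranked IPs from the sample set; swap SAMPLE_EVENTS for documents pulled with run_esql() against your own node to compare the local ranking with what Kibana draws.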

ES|QL is another way of working with and manipulating data in Kibana to explore what the sensor has captured. You can check out this reference [2], which has several examples of how you can start exploring the data in other fun ways.

[1] https://www.elastic.co/blog/whats-new-elastic-8-17-0

[2] https://www.elastic.co/guide/en/elasticsearch/reference/8.17/esql-kibana.html

[3] https://www.elastic.co/guide/en/elasticsearch/reference/8.17/esql-using.html

[4] https://www.elastic.co/guide/en/elasticsearch/reference/8.17/esql-functions-operators.html

[5] https://github.com/bruneaug/DShield-SIEM/tree/main

[6] https://isc.sans.edu/diary/DShield+SIEM+Docker+Updates/31680/

———–

Guy Bruneau IPSS Inc.

My GitHub Page

Twitter: GuyBruneau

gbruneau at isc dot sans dot edu
