ElasticStack - PaloAltoNetworks/pan-tort GitHub Wiki

For advanced content visualization, one suggested platform is ElasticStack. This is a suite of open-source tools; the pan-tort hash views use its ElasticSearch and Kibana components.

Kibana dashboard

The JSON files for the saved searches, visualizations, and the dashboard are in the hash/misc directory. These files can be imported into Kibana to view the generated hash_data_estack.json file using the dashboard above.

A general overview of ElasticStack can be found here:

Elastic Search overview

More detailed installation instructions can be found online along with various tutorials.

Elastic Stack installation

SafeNetworking with ElasticStack step-by-step install

NOTE: The SafeNetworking application installs other components for DNS event visualization but the base ElasticSearch, Logstash, and Kibana installation are general purpose.

Once ElasticSearch is operational, you can bulk load the hash_data_estack.json using a simple curl command:

curl -s -XPOST 'http://localhost:9200/_bulk' --data-binary @hash_data_estack.json -H "Content-Type: application/x-ndjson"

This imports the data set into the index 'hash-data', with each hash entry loaded as a unique document. The data can then be viewed in Kibana using the visualizations and dashboard created to enrich the output.
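The curl call above sends the file straight to the _bulk endpoint, and _bulk answers HTTP 200 even when individual documents were rejected, so a load can silently import fewer entries than expected. The following added example (not part of the pan-tort project) shows the two checks a practitioner wants around that step: validating the NDJSON action/document pairing and target index before posting, and reading the per-item "error" objects out of the response afterwards. The sample payload, its field names (hashvalue, verdict) and the sample response are constructed for illustration and are not the real pan-tort schema; the bulk_load helper name is assumed.

```python
import json
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# Constructed sample payload in the NDJSON shape _bulk expects: one action line
# followed by one document line, every line newline-terminated. The field names
# and hash values are placeholders, not the real pan-tort hash_data_estack.json schema.
SAMPLE_BULK = (
    '{"index": {"_index": "hash-data"}}\n'
    '{"hashvalue": "0000000000000000000000000000000000000000000000000000000000000001", "verdict": "malware"}\n'
    '{"index": {"_index": "hash-data"}}\n'
    '{"hashvalue": "0000000000000000000000000000000000000000000000000000000000000002", "verdict": "benign"}\n'
)

# Constructed sample of what _bulk returns when one of two documents is rejected.
SAMPLE_RESPONSE = {
    "took": 5,
    "errors": True,
    "items": [
        {"index": {"_index": "hash-data", "_id": "1", "status": 201, "result": "created"}},
        {"index": {"_index": "hash-data", "_id": "2", "status": 400,
                   "error": {"type": "mapper_parsing_exception", "reason": "failed to parse"}}},
    ],
}


def parse_bulk_ndjson(text: str, expected_index: str = "hash-data") -> List[Tuple[dict, dict]]:
    """Validate an NDJSON bulk file and return its (action, document) pairs.

    Raises ValueError on a malformed line, an odd line count, an action that is
    not index/create, or a document aimed at a different index, so a bad file
    is rejected before anything is sent to a live cluster.
    """
    lines = [ln for ln in text.split("\n") if ln.strip()]
    if len(lines) % 2 != 0:
        raise ValueError("bulk payload must consist of action/document line pairs")
    pairs = []
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])
        document = json.loads(lines[i + 1])
        if "index" in action:
            meta = action["index"]
        elif "create" in action:
            meta = action["create"]
        else:
            raise ValueError(f"line {i + 1}: expected an index/create action, got {action}")
        if meta.get("_index") != expected_index:
            raise ValueError(f"line {i + 1}: unexpected target index {meta.get('_index')!r}")
        pairs.append((action, document))
    return pairs


def bulk_errors(response: Dict) -> List[Dict]:
    """Return the per-item failures from a _bulk response.

    The HTTP status of a _bulk call does not reflect rejected documents; the
    top-level "errors" flag and each item's "error" object are the only signal.
    """
    if not response.get("errors"):
        return []
    failures = []
    for item in response.get("items", []):
        for op, result in item.items():
            if "error" in result:
                failures.append({"op": op, "status": result.get("status"), "error": result["error"]})
    return failures


def bulk_load(path: str, url: str = "http://localhost:9200/_bulk") -> List[Dict]:
    """Assumed helper: validate the file, POST it with the NDJSON content type, return failures."""
    with open(path, "r", encoding="utf-8") as fh:
        body = fh.read()
    parse_bulk_ndjson(body)  # fail fast before touching the cluster
    req = Request(url, data=body.encode("utf-8"), method="POST",
                  headers={"Content-Type": "application/x-ndjson"})
    with urlopen(req, timeout=60) as resp:
        return bulk_errors(json.load(resp))


if __name__ == "__main__":
    pairs = parse_bulk_ndjson(SAMPLE_BULK)
    print(f"{len(pairs)} documents destined for index {pairs[0][0]['index']['_index']!r}")
    for failure in bulk_errors(SAMPLE_RESPONSE):
        print("rejected:", failure)
```

Running the script offline exercises the validator and the response parser on the constructed samples; bulk_load is what you would call in place of the curl command once ElasticSearch is reachable, and a non-empty return value means some hash entries did not make it into the index.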

The index can be deleted also using curl:

curl -XDELETE http://localhost:9200/hash-data

This removes the index and all associated data. This is useful when there is a new set of data to visualize.