Recall indices & content for Stream in Elk v7

Index patterns and packaged content for using Recall with ELK v7.

Recall content can be added to any customer's Stream Elasticsearch and Kibana deployment.

This guide explains how a customer can add this content quickly and with minimal manual work.

After completing these steps, the user will have these items on their ELK stack:

  • Index templates in Elasticsearch that map the fields of each index with the correct types

  • Kibana index patterns that set the time field and field formatting for each index

  • Kibana saved searches for useful queries, such as the Vectra Security Assessment

  • Dashboards, such as the VPN overview dashboard and the Host Dashboard

Compressed File with Indices & Saved Searches

A zip file with relevant data is attached at the end of this page.

Last updated: 2020.10.26

Elastic templates

Install the templates on a given Elasticsearch instance.

Elasticsearch templates are contained within the ./elasticsearch-templates folder.

Run HOST=localhost:9200 ./put.sh to upload all the existing templates to the local Elasticsearch instance.

OR

You can use the following curl command to install a given template:

Be sure to populate $HOST, $TEMPLATE_NAME and $TEMPLATE_PATH with the proper data.

For instance:

More information on how to load templates can be found in the official Elasticsearch index templates docs.
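As an added example (not the bundled put.sh and not the page's own curl command), the following POSIX shell script uploads every template file under ./elasticsearch-templates with the legacy _template API that Elasticsearch 7.x accepts. It assumes each template is named after its file and that HOST is the host:port form used in the put.sh invocation above, and it adds a DRY_RUN switch so the requests can be inspected before anything is sent:

```shell
#!/bin/sh
# Added example, not the project's put.sh: upload every *.json file in
# ./elasticsearch-templates to Elasticsearch 7.x via the legacy _template API.
# Assumptions: HOST is host:port (scheme optional), each template is named
# after its file, and DRY_RUN=1 prints the requests instead of sending them.
set -e

HOST="${HOST:-localhost:9200}"
TEMPLATE_DIR="${TEMPLATE_DIR:-./elasticsearch-templates}"

# Template name from a file path: strip the directory and the .json suffix.
template_name() {
  base=$(basename "$1")
  printf '%s\n' "${base%.json}"
}

# Target URL for one template; add http:// only if HOST has no scheme, so
# https://user:pass@es.example:9200 keeps working.
template_url() {
  case "$HOST" in
    http://*|https://*) printf '%s/_template/%s\n' "$HOST" "$1" ;;
    *)                  printf 'http://%s/_template/%s\n' "$HOST" "$1" ;;
  esac
}

# PUT one template. Content-Type is required (ES returns 406 without it) and
# --fail turns a 4xx/5xx into a non-zero exit so set -e stops the loop.
put_template() {
  path="$1"
  url=$(template_url "$(template_name "$path")")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'PUT %s < %s\n' "$url" "$path"
    return 0
  fi
  curl -sS --fail -X PUT "$url" \
    -H 'Content-Type: application/json' \
    --data-binary "@$path"
  printf '\n'
}

# Upload every template in TEMPLATE_DIR; fail if the directory holds none.
put_all() {
  count=0
  for f in "$TEMPLATE_DIR"/*.json; do
    [ -e "$f" ] || { echo "no *.json templates in $TEMPLATE_DIR" >&2; return 1; }
    put_template "$f"
    count=$((count + 1))
  done
  echo "uploaded $count template(s) to $HOST" >&2
}

# Usage: HOST=localhost:9200 sh put_templates.sh run   (DRY_RUN=1 to preview)
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  put_all
fi
```

Two things a bare curl loop commonly gets wrong are covered here: Elasticsearch 6 and later reject a JSON body sent without a Content-Type: application/json header (HTTP 406), and without --fail curl exits 0 on a 4xx or 5xx, so a malformed template would be silently skipped while the loop reports success.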

Kibana-state

./kibana-state/ holds Kibana-specific state, including the Kibana index patterns.

Adding Stream index patterns

  • Before adding index patterns, ensure that the index templates have been added to Elasticsearch (HOST=localhost:9200 ./put.sh), so that the indices Kibana inspects already carry the intended field mappings.

  • In the Kibana UI, open Management, then Saved Objects (/app/kibana#/management/kibana/objects).

  • Click Import and select recall_kibana_indices.ndjson.
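The same procedure driven from the command line, as an added example that is not part of the page or the Recall package: it confirms that every template from ./elasticsearch-templates exists in Elasticsearch before calling the Kibana saved-objects import API (the API behind the Import button). Assumed here: HOST is the plain host:port Elasticsearch address, KIBANA is the Kibana base URL, the ndjson lives in ./kibana-state, and the three-line export produced by sample_export is constructed for illustration, not the real recall_kibana_indices.ndjson.

```shell
#!/bin/sh
# Added example, not part of the Recall package: verify the index templates
# are in Elasticsearch, then import the Kibana index patterns through the
# saved-objects API rather than the Saved Objects UI.
# Assumptions: HOST is the Elasticsearch host:port (plain http), KIBANA is the
# Kibana base URL, and the export file sits in ./kibana-state.
set -e

HOST="${HOST:-localhost:9200}"
KIBANA="${KIBANA:-http://localhost:5601}"
TEMPLATE_DIR="${TEMPLATE_DIR:-./elasticsearch-templates}"
NDJSON="${NDJSON:-./kibana-state/recall_kibana_indices.ndjson}"

# Constructed three-line export (a stand-in for the real ndjson, titles are
# made up) used to show what count_objects reports.
sample_export() {
  printf '%s\n' \
    '{"attributes":{"title":"recall-vpn-*","timeFieldName":"@timestamp"},"id":"a","type":"index-pattern"}' \
    '{"attributes":{"title":"Host Dashboard"},"id":"b","type":"dashboard"}' \
    '{"attributes":{"title":"recall-host-*","timeFieldName":"@timestamp"},"id":"c","type":"index-pattern"}'
}

# Count saved objects of one type. Kibana writes one compact JSON object per
# line, so a fixed-string match on "type":"<type>" is sufficient.
# grep exits 1 when the count is 0, which is not an error here.
count_objects() {  # $1 = ndjson path, $2 = saved-object type
  grep -c -F "\"type\":\"$2\"" "$1" || [ $? -eq 1 ]
}

# Return 0 only if at least one template file exists and every one of them
# has a matching template in Elasticsearch (GET /_template/<name> is 200).
templates_present() {
  found=0
  missing=0
  for f in "$TEMPLATE_DIR"/*.json; do
    [ -e "$f" ] || continue
    found=$((found + 1))
    name=$(basename "$f"); name="${name%.json}"
    status=$(curl -sS -o /dev/null -w '%{http_code}' "http://$HOST/_template/$name")
    if [ "$status" != "200" ]; then
      echo "template $name not found on $HOST (HTTP $status)" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$found" -gt 0 ] || { echo "no *.json templates in $TEMPLATE_DIR" >&2; return 1; }
  [ "$missing" -eq 0 ]
}

# POST the export to the import API. kbn-xsrf is mandatory for any
# non-GET Kibana request; overwrite=true makes re-runs repeatable.
import_saved_objects() {
  curl -sS --fail -X POST "$KIBANA/api/saved_objects/_import?overwrite=true" \
    -H 'kbn-xsrf: true' \
    -F "file=@$NDJSON"
}

run_import() {
  if ! templates_present; then
    echo "load the index templates first (HOST=$HOST ./put.sh)" >&2
    return 1
  fi
  echo "importing $(count_objects "$NDJSON" index-pattern) index pattern(s) from $NDJSON" >&2
  body=$(import_saved_objects)
  # The endpoint returns 200 even when some objects failed; check the body.
  case "$body" in
    *'"success":true'*) printf '%s\n' "$body" ;;
    *) echo "import reported errors: $body" >&2; return 1 ;;
  esac
}

# Usage: HOST=localhost:9200 KIBANA=http://localhost:5601 sh import_patterns.sh run
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  run_import
fi
```

The import endpoint answers 200 even when individual objects fail, reporting them in the body, so the script checks for "success":true rather than relying on --fail alone. The kbn-xsrf header must be present on every state-changing Kibana API call; without it Kibana rejects the request with a 400.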

Attachments
