Kibana PCAP

[argwfm]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

256

Storage for /nsm

256

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Looking to confirm... is there no longer the ability to pivot to PCAP export from the Kibana SO Dashboard w/ SOv2.4? SOv2.3 had the Hunt and Optionally Pivot to PCAP option w/in the Kibana results, but not seeing that as an option w/ SOv2.4. Appreciate the clarification!

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[pdwheelerjr]

Good afternoon, I have the same question. Glad I found this. I've read through what I could find and checked configuration (at least as far as where I guess it would be). The documentation seems to indicate that the hyperlinks should still be there, but I'm not seeing them nor have I found any way to re-enable this functionality.

[dougburks]

Those hyperlinks are not in 2.4 and I've updated the documentation to reflect that:
https://docs.securityonion.net/en/2.4/kibana.html

You should be able to do something similar by copying the log.id.uid field value and then searching SOC Dashboards or Hunt for it.

Most folks avoid this issue altogether by simply using SOC Dashboards as their primary dashboards interface:
https://docs.securityonion.net/en/2.4/dashboards.html

[dougburks]

@majungman Per my response above, is there some particular reason why you can't use SOC dashboards? If you absolutely have a hard requirement for Kibana, you could always create your own custom Kibana dashboards.

[pdwheelerjr]

Doug, I think everyone may use Security Onion different ways and have a different approach to how to use the tool. In most cases, I'm working from something that seems to be out of the ordinary, usually associated with a specific client or server. I will go back to the Indicator Dashboard (or one of the others depending on what I'm looking for) and then start working from there. I guess I will eventually either have to change the way I use the product or find new ways of thinking. :-) For the time being I rebuilt my home lab around 2.3 and have kept the implementation in the office on 2.3. Hard for an old dog to learn new tricks.

[dougburks]

@pdwheelerjr

In most cases, I'm working from something that seems to be out of the ordinary, usually associated with a specific client or server. I will go back to the Indicator Dashboard (or one of the others depending on what I'm looking for) and then start working from there.

First, please note that 2.4 still includes the Kibana Indicator dashboard.

Next, please note that our SOC Dashboards interface is specifically built for this kind of workflow. Simply go to SOC Dashboards and type in the IP address, hostname, or other indicator that you are interested in. It will provide a high level overview of all the data regarding that indicator (similar to what you're used to in the Kibana Indicator dashboard) and will also make it extremely easy to drill down into particular data types or pivot to new searches for any new indicators found.

For the time being I rebuilt my home lab around 2.3 and have kept the implementation in the office on 2.3.

Please keep in mind that 2.3 reaches End Of Life in less than 4 months:
https://blog.securityonion.net/2023/12/4-month-end-of-life-eol-reminder-for.html

Hard for an old dog to learn new tricks.

Take a look at our documentation:
https://docs.securityonion.net/en/2.4/dashboards.html

and our Dashboards video:
https://youtu.be/xUBhyF7se8s

If you have further questions about SOC or 2.4 in general, please start a new discussion and we'll be happy to help!

[pdwheelerjr]

Thank you, Doug. I really appreciate you taking time to respond. I love your product so nothing I say is intended as negative. I watched the video about the Dashboards and there is some amazing functionality there. I really need to invest the time into learning how to use this. It took some time for me to become productive with the earlier versions too. I still wish you had kept the hyperlinks in the Kibana views, but I guess it wasn't to be.

[TOoSmOotH]

I still wish you had kept the hyperlinks in the Kibana views, but I guess it wasn't to be.

The technical reason that it is not there is due to Kibana removing support for scripted fields. To make this work again would require someone to write a Kibana plugin.

[pdwheelerjr]

Thank you, Mike. I understand. Appreciate the feedback.

…

On Fri, Dec 15, 2023 at 3:48 PM Mike Reeves ***@***.***> wrote: I still wish you had kept the hyperlinks in the Kibana views, but I guess it wasn't to be. The technical reason that it is not there is due to Kibana removing support for scripted fields. To make this work again would require someone to write a Kibana plugin. — Reply to this email directly, view it on GitHub <#11905 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASXJQNXUX765ZA7N33PKWPLYJSZRXAVCNFSM6AAAAABAAOJ7RKVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TQNRXHA2TG> . You are receiving this because you were mentioned.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/11905/comments/7867853 @github.com>