Connecting Kibana Logs and PCAPs #12871
-
|
Hello, I am doing a project for school, where we are trying to build a dataset of network traffic. We have a virtual environment with a Security Onion instance monitoring the network. I know how to export multiple logs from Kibana, and know how to obtain multiple PCAPs from SOC. If I understand how modules like Suricata and Zeek work, the information in the PCAPs gives these modules the information that we see in the logs correct? So I was wondering if there was a way to have PCAPs attached to the logs we can obtain from Kibana? Is that something that's able to be done or is there no way to attach a pcap with it's associated log within Security Onion? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
In SOC from the Alerts, Dashboards, or Hunt interfaces you can click on an event and hit 'PCAP' under the actions menu. That will take you to the PCAP interface and pull the PCAP for the particular event you selected. |
Beta Was this translation helpful? Give feedback.
-
|
Can you give a screenshot illustrating the above? The reason is that I could not find this function "PCAP" or actions menu on my Security Onion platform. |
Beta Was this translation helpful? Give feedback.
-
|
@sanba06c There is no way to link to PCAP from kibana. You must use SOC to pull it. Kibana removed scripted fields several versions ago which is how we were able to do this in the past. |
Beta Was this translation helpful? Give feedback.
-
|
@TOoSmOotH Thanks for the update! As can be seen in the documentation, it says "You can access PCAP in two different ways. The first and most common option is to pivot to PCAP from a particular event in [Alerts], [Dashboards], or [Hunt] by choosing the PCAP action on the action menu". Is it obsolete? I can pull a pcap from the alternative option "The second and less common option is to go directly to the PCAP interface, click the blue + button, and then put in your search criteria to search for a particular stream.", but not the first option. |
Beta Was this translation helpful? Give feedback.
-
|
@sanba06c The documentation is correct and you should be able to pivot to PCAP from within Security Onion Console (SOC) via the Alerts, Dashboards, or Hunt pages. Please note that this functionality is specific to SOC and not Kibana. Also note that for the PCAP action to appear on the action menu you must click on a log that contains source IP, source port, destination IP, destination port, etc. Here's an example from our SOC Dashboards page: |
Beta Was this translation helpful? Give feedback.
-
|
@dougburks , It is exactly what I need. Thanks so much for the detailed instructions! |
Beta Was this translation helpful? Give feedback.
In SOC from the Alerts, Dashboards, or Hunt interfaces you can click on an event and hit 'PCAP' under the actions menu. That will take you to the PCAP interface and pull the PCAP for the particular event you selected.