Issue Elastic _Id Field Pivot to PCAP

[shipwreck-14]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

8

RAM

32

Storage for /

100

Storage for /nsm

100

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

In earlier versions of Security Onion, users leveraging Elastic could click on the value field in _id to pivot directly to the PCAP associated with a specific event. However, I’m now unable to perform this action and was wondering if something has changed.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[ops34]

Having exactly the same issue. Same SO version, but SO has network access. ISO install method - ManagerSearch+Forward node.
Also trying to find out how to get back "Hunt and optionally pivot to PCAP/Cases" links on _id field values in Kibana(Previously had 2.3 version Standalone - links were there).
Have tried suggestions from https://docs.securityonion.net/en/2.4/kibana.html running:
so-kibana-config-load
salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True
Did not help.

[cm-ops]

There is no way to link to PCAP from kibana. You must use SOC to pull it. Kibana removed scripted fields several versions ago which is how we were able to do this in the past.

[shipwreck-14]

Thanks so much.