work in progress on pipeline normalization

Author: mmguero

dashboards/dashboards/248cae60-eff9-11f0-b83f-8f35d6995138.json

@@ -0,0 +1,210 @@
+{
+  "objects": [
+    {
+      "attributes": {
+        "description": "",
+        "hits": 0,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+        },
+        "optionsJSON": "{\"useMargins\":true}",
+        "panelsJSON": "[{\"version\":\"3.4.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":38,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"3.4.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":7,\"h\":12,\"i\":\"43ec104c-1a98-4fd3-9bef-650531cfc571\"},\"panelIndex\":\"43ec104c-1a98-4fd3-9bef-650531cfc571\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"3.4.0\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":12,\"i\":\"2b13101f-b6ed-4d05-8670-93c967560fed\"},\"panelIndex\":\"2b13101f-b6ed-4d05-8670-93c967560fed\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"3.4.0\",\"gridData\":{\"x\":8,\"y\":12,\"w\":13,\"h\":16,\"i\":\"c44c352c-c532-47c8-9548-58d0289dc754\"},\"panelIndex\":\"c44c352c-c532-47c8-9548-58d0289dc754\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"3.4.0\",\"gridData\":{\"x\":0,\"y\":38,\"w\":48,\"h\":30,\"i\":\"e402ba8c-b844-49a0-85a2-b804e74626d2\"},\"panelIndex\":\"e402ba8c-b844-49a0-85a2-b804e74626d2\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]",
+        "timeRestore": false,
+        "title": "File Scanning",
+        "version": 1
+      },
+      "id": "248cae60-eff9-11f0-b83f-8f35d6995138",
+      "migrationVersion": {
+        "dashboard": "7.9.3"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [
+        {
+          "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+          "name": "panel_0",
+          "type": "visualization"
+        },
+        {
+          "id": "fe630f60-effb-11f0-b83f-8f35d6995138",
+          "name": "panel_1",
+          "type": "visualization"
+        },
+        {
+          "id": "3e964d40-effc-11f0-b83f-8f35d6995138",
+          "name": "panel_2",
+          "type": "visualization"
+        },
+        {
+          "id": "52eca680-f00c-11f0-a54d-0fd88ef4958b",
+          "name": "panel_3",
+          "type": "visualization"
+        },
+        {
+          "id": "fdee9820-effa-11f0-b83f-8f35d6995138",
+          "name": "panel_4",
+          "type": "search"
+        }
+      ],
+      "type": "dashboard",
+      "updated_at": "2026-01-12T23:27:48.310Z",
+      "version": "WzEyOTMsMV0="
+    },
+    {
+      "attributes": {
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
+        },
+        "title": "Navigation",
+        "uiStateJSON": "{}",
+        "version": 1,
+        "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"MALCOLM_NAVIGATION_MARKDOWN_REPLACER\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"
+      },
+      "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [],
+      "type": "visualization",
+      "updated_at": "2026-01-12T23:22:04.571Z",
+      "version": "WzEyNzMsMV0="
+    },
+    {
+      "attributes": {
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+        },
+        "savedSearchRefName": "search_0",
+        "title": "File Scanning - Hit Count",
+        "uiStateJSON": "{}",
+        "version": 1,
+        "visState": "{\"title\":\"File Scanning - Hit Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Files Scanned\"},\"schema\":\"metric\"},{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"event.hits\",\"customLabel\":\"Scanner Hits\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}}}}"
+      },
+      "id": "fe630f60-effb-11f0-b83f-8f35d6995138",
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [
+        {
+          "id": "fdee9820-effa-11f0-b83f-8f35d6995138",
+          "name": "search_0",
+          "type": "search"
+        }
+      ],
+      "type": "visualization",
+      "updated_at": "2026-01-12T23:20:55.563Z",
+      "version": "WzQ0MSwxXQ=="
+    },
+    {
+      "attributes": {
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+        },
+        "savedSearchRefName": "search_0",
+        "title": "File Scanning - Hits Over Time",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "version": 1,
+        "visState": "{\"title\":\"File Scanning - Hits Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"event.hits\",\"customLabel\":\"Scanner Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"timeRange\":{\"from\":\"now-24y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Scanner Hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Scanner Hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"
+      },
+      "id": "3e964d40-effc-11f0-b83f-8f35d6995138",
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [
+        {
+          "id": "fdee9820-effa-11f0-b83f-8f35d6995138",
+          "name": "search_0",
+          "type": "search"
+        }
+      ],
+      "type": "visualization",
+      "updated_at": "2026-01-12T23:20:55.563Z",
+      "version": "WzQ0MiwxXQ=="
+    },
+    {
+      "attributes": {
+        "description": "",
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+        },
+        "savedSearchRefName": "search_0",
+        "title": "File Scanning - Scanners With Hits",
+        "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+        "version": 1,
+        "visState": "{\"title\":\"File Scanning - Scanners With Hits\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"filescan.hits_scanner\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scanner\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}"
+      },
+      "id": "52eca680-f00c-11f0-a54d-0fd88ef4958b",
+      "migrationVersion": {
+        "visualization": "7.10.0"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [
+        {
+          "id": "fdee9820-effa-11f0-b83f-8f35d6995138",
+          "name": "search_0",
+          "type": "search"
+        }
+      ],
+      "type": "visualization",
+      "updated_at": "2026-01-12T23:20:55.563Z",
+      "version": "WzQ0MywxXQ=="
+    },
+    {
+      "attributes": {
+        "columns": [
+          "source.ip",
+          "destination.ip",
+          "file.source",
+          "file.mime_type",
+          "zeek.files.filename",
+          "zeek.files.extracted_uri",
+          "event.hits",
+          "filescan.hits_scanner",
+          "rule.name",
+          "event.id"
+        ],
+        "description": "",
+        "hits": 0,
+        "kibanaSavedObjectMeta": {
+          "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:filescan\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+        },
+        "sort": [],
+        "title": "File Scanning - Logs",
+        "version": 1
+      },
+      "id": "fdee9820-effa-11f0-b83f-8f35d6995138",
+      "migrationVersion": {
+        "search": "7.9.3"
+      },
+      "namespaces": [
+        "default"
+      ],
+      "references": [
+        {
+          "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER",
+          "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+          "type": "index-pattern"
+        }
+      ],
+      "type": "search",
+      "updated_at": "2026-01-12T23:20:55.563Z",
+      "version": "WzQ0NCwxXQ=="
+    }
+  ],
+  "version": "3.4.0"
+}

dashboards/dashboards/navigation.md

@@ -6,14 +6,15 @@
 [Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4)
 [Connections Tree](#/dashboard/89714140-a2d5-11f0-b5ae-e139a66d2205)
 [Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed)
+[Threat Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)
 [Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714)
+[File Scanning](#/dashboard/248cae60-eff9-11f0-b83f-8f35d6995138)
 [Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3)
 [Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85)
 [Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11)
 [Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b)
 [Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1)
-[Threat Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f)
-[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)
+[Zeek Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed)
 [Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5)
 [Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f)
 [Validated Architecture Design Review](#/dashboard/d16105d0-2b75-11f0-92dc-5f54cacd4f4e)

dashboards/templates/composable/component/filescan.json

@@ -6,17 +6,23 @@
           "properties": {
             "hits": {
               "type": "nested",
+              "dynamic": false,
+              "include_in_parent": false,
+              "include_in_root": false,
               "properties": {
-                "capa": {
+                "scanner": {
                   "type": "keyword"
                 },
-                "clamav": {
-                  "type": "keyword"
-                },
-                "yara": {
+                "name": {
                   "type": "keyword"
                 }
               }
+            },
+            "hits_scanner": {
+              "type": "keyword"
+            },
+            "hits_name": {
+              "type": "keyword"
             }
           }
         },

logstash/pipelines/filescan/12_normalize.conf

@@ -31,10 +31,12 @@ filter {
         # pull them out from deeper in the meantime
         code => "
             scanners = Array(event.get('[results][strelka][result][scanners]') || []).compact
+            hits = []
             scanners_to_rules = {}
             final_rules = []
 
-            Array(event.get('[results][strelka][result][rules]') || []).each do |r|
+            rules = Array(event.get('[results][strelka][result][rules]') || [])
+            rules.each do |r|
               next unless r.is_a?(Hash) && r.key?('scanner') && r.key?('name')
               scanner = r['scanner']
               name = r['name']
@@ -52,7 +54,9 @@ filter {
 
             final_rules.uniq!
 
-            event.set('[filescan][hits]', scanners_to_rules) unless scanners_to_rules.empty?
+            event.set('[filescan][hits]', rules.map { |h| h.except('provider') }) unless rules.empty?
+            event.set('[filescan][hits_scanner]', rules.map { |h| h['scanner'] }.compact.uniq) unless rules.empty?
+            event.set('[filescan][hits_name]', rules.map { |h| h['name'] }.compact.uniq) unless rules.empty?
             event.set('[event][module]', scanners) unless scanners.empty?
             event.set('[event][hits]', final_rules.length)