Initial commit

dashboards/community/stamus_networks-latest/metadata.yaml

@@ -0,0 +1,9 @@
+metadata_details:
+  data_dependencies: "Stamus Networks Clear NDR data"
+  required_fields: "dataSource.vendor"
+  description: "Overview Dashboard for Stamus Networks Clear NDR logs"
+  usecase_type: "Operational"
+  usecase_action: "Dashboard"
+  tags: dashboard, stamus, stamus networks, clear ndr, ndr, network
+  version: latest
+  author: Tom Martin

dashboards/community/stamus_networks-latest/stamus_networks_overview.conf

@@ -0,0 +1,212 @@
+{
+  graphs: [
+    {
+      description: "test",
+      graphStyle: "line",
+      title: "Clear NDR Threats Over Time",
+      layout: {
+  h: 14,
+  i: "0",
+  minH: 3,
+  minW: 6,
+  w: 40,
+  x: 0,
+  y: 0
+},
+      lineSmoothing: "straightLines",
+      breakdownFacet: "stamusThreat_name",
+      filter: "stamusThreat_name != \"null\"",
+      filter: "message contains 'threat_name' AND stamusThreat_name != \"null\"",
+      plotNulls: "gaps"
+    },
+    {
+      description: "pie chart top alerts",
+      graphStyle: "",
+      query: "dataSource.vendor='Stamus Networks'  event_type='stamus' | group networks = array_agg_distinct(net_infoDest_agg) by stamusThreat_name",
+      title: "Threats By Network Name",
+      layout: {
+  h: 14,
+  i: "1",
+  minH: 3,
+  minW: 6,
+  w: 40,
+  x: 0,
+  y: 98
+}
+    },
+    {
+      graphStyle: "pie",
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group count() by stamusKill_chain",
+      title: "Kill Chain",
+      layout: {
+  h: 14,
+  i: "2",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 0,
+  y: 42
+},
+      dataLabelType: "PERCENTAGE"
+    },
+    {
+      graphStyle: "pie",
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks' event_type='stamus' | group count() by stamusThreat_name",
+      title: "Clear NDR Threat Names",
+      layout: {
+  h: 14,
+  i: "3",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 20,
+  y: 14
+},
+      dataLabelType: "PERCENTAGE",
+    },
+    {
+      graphStyle: "pie",
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks'  event_type='stamus' | group count() by stamusFamily_name",
+      title: "Clear NDR Threat Families",
+      layout: {
+  h: 14,
+  i: "4",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 0,
+  y: 14
+},
+      dataLabelType: "PERCENTAGE",
+    },
+    {
+      graphStyle: "pie",
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks' event_type='flow' | group count() by app_proto\n",
+      title: "Top 10 Network Protocols",
+      layout: {
+  h: 14,
+  i: "5",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 20,
+  y: 70
+},
+      dataLabelType: "PERCENTAGE",
+    },
+    {
+      graphStyle: "",
+      title: "Impacted Assets",
+      layout: {
+  h: 14,
+  i: "6",
+  minH: 3,
+  minW: 6,
+  w: 40,
+  x: 0,
+  y: 28
+},
+      query: "dataSource.vendor='Stamus Networks'  event_type='stamus' and alertTargetIp != null| group Threats = array_agg_distinct(stamusThreat_name) by alertTargetIp"
+    ,
+    },
+    {
+      graphStyle: "pie",
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks'  httpStatus >= 0 httpStatus <= 599 | group count() by httpStatus",
+      title: "HTTP Status",
+      layout: {
+  h: 14,
+  i: "7",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 0,
+  y: 112
+},
+      dataLabelType: "PERCENTAGE"
+    },
+    {
+      graphStyle: "pie",
+      query: "dataSource.vendor='Stamus Networks' event_type='http' | group count() by geoipRegistered_countryName",
+      title: "Country Name",
+      maxPieSlices: 10,
+      layout: {
+  h: 14,
+  i: "8",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 20,
+  y: 42
+},
+      dataLabelType: "PERCENTAGE"
+    ,
+    },
+    {
+      graphStyle: "pie",
+      query: "dataSource.vendor='Stamus Networks'  event.type='stamus' | group count() by app_proto",
+      title: "Protocols used By Threats",
+      layout: {
+  h: 14,
+  i: "9",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 20,
+  y: 112
+},
+      maxPieSlices: 10,
+      dataLabelType: "PERCENTAGE",
+    },
+    {
+      graphStyle: "pie",
+      layout: {
+  h: 14,
+  i: "10",
+  minH: 3,
+  minW: 6,
+  w: 20,
+  x: 0,
+  y: 70
+},
+      maxPieSlices: 10,
+      query: "dataSource.vendor='Stamus Networks' event_type='http' | group count() by httpServer",
+      title: "HTTP Servers",
+      dataLabelType: "PERCENTAGE"
+    },
+    {
+      graphStyle: "",
+      layout: {
+  h: 14,
+  i: "11",
+  minH: 3,
+  minW: 6,
+  w: 40,
+  x: 0,
+  y: 56
+},
+      query: "dataSource.vendor='Stamus Networks'  event_type='stamus'and alertMetadataStamus_type != '[dopv]'| group Threats = array_agg_distinct(stamusThreat_name) by timestamp, dst.ip.address, src.ip.address | columns timestamp, src.ip.address, dst.ip.address, Threats| sort +timestamp",
+      title: "Impacted Assets Timeline "
+    },
+    {
+      graphStyle: "",
+      layout: {
+  h: 14,
+  i: "12",
+  minH: 3,
+  minW: 6,
+  w: 40,
+  x: 0,
+  y: 84
+},
+      query: "dataSource.vendor='Stamus Networks'  event_type='stamus'and alertMetadataStamus_type = '[dopv]'| group Threats = array_agg_distinct(stamusThreat_name) by timestamp, dst.ip.address, src.ip.address | columns timestamp, src.ip.address, dst.ip.address, Threats| sort +timestamp",
+      title: "Impacted Assets Timeline  DoPV"
+    }
+  ],
+  description: "Clear NDR Network Data Overview",
+  options: {"layout":{"locked":0}}
+}

parsers/community/stamus_networks-latest/metadata.yaml

@@ -0,0 +1,11 @@
+metadata_details:
+  purpose: Parser for Stamus Networks Clear NDR logs
+  datasource_vendor: Stamus Networks
+  dataSource: Stamus Networks
+  format: JSON
+  ingestion_method: HEC
+  dependency_summary: Requires ingestion of the original Stamus Networks Clear NDR logs.
+  performance_impact: "Minimal"
+  tags: stamus, stamus networks, clear ndr, ndr, logs, parser
+  version: latest
+  author: Tom Martin