• Post category: Nginx
  • Reading time: 21 min

NGINX App Protect is an NGINX-based application security solution for web application infrastructure. The software builds on F5's market-leading WAF (Web Application Firewall), lets security controls be integrated into apps, and runs natively on NGINX Plus. Applications can thus be equipped with high-performance, scalable and proven security and protected against attacks and data theft. Integrating NGINX App Protect into development pipelines makes it possible to detect and fix errors before release, which saves cost while raising productivity.

NGINX App Protect itself, however, offers no means of visualisation. For that there is an open-source implementation hosted on GitHub here. It processes the content of the NGINX App Protect log files and sends it to Elasticsearch. Dashboards built specifically for this evaluate the submitted index entries and present them graphically in the following form.

The dashboard gives a quick overview of the accesses to our websites. Among other things, it shows at a glance which regions the accesses come from and whether, according to the security policy, an access constitutes an attempted attack on the protected websites. Appropriate countermeasures can then be taken, for example by blocking conspicuous, unwanted IP addresses up front with a corresponding firewall rule.

In this project the enrichment of the App Protect log data for indexing in Elasticsearch is done with logstash.

Task

Project requirements ruled out the use of logstash. Based on this open-source project, the enrichment of the log data for indexing in Elasticsearch was to be done through a so-called "ingest pipeline". In other words, instead of logstash, the same result was to be achieved with such an ingest pipeline in order to obtain a visualisation of the HTTP requests blocked by NGINX App Protect.

Adapting App Protect in /etc/nginx/nginx.conf

For NGINX App Protect to write a security log file, the following entry must be added to the configuration file nginx.conf. In a second step, /var/log/app_protect/security.log is sent to Elastic by filebeat.

.......
app_protect_enable on;
app_protect_policy_file "/etc/nginx/NginxDefaultPolicy.json"; # This is a reference to the policy file to use.
app_protect_security_log_enable on; # This section enables the logging capability
app_protect_security_log "/etc/app_protect/conf/log_default.json"  /var/log/app_protect/security.log; # Configuration of security log file, which will be passed to the elastic ingest pipeline via filebeat
.......
Assigning the ingest pipeline in /etc/filebeat/filebeat.yml

For /var/log/app_protect/security.log to be assigned to the ingest pipeline tm-waf-logs, the following changes must be made in /etc/filebeat/filebeat.yml.

.....
output.elasticsearch:
  hosts: ["http://localhost:9200"]

  # Route the line through the ingest pipeline tm-waf-logs when it comes from the NGINX App Protect security log file
  pipelines:
    - pipeline: tm-waf-logs
      when.contains:
        message: "attack_type"
  # Assign a daily index for the later analysis via the dashboard (matched by the dashboard's waf-logs-* index pattern)
  indices:
    - index: "waf-logs-%{+yyyy.MM.dd}"
      when.contains:
        message: "attack_type"
..........
Creating the ingest pipeline tm-waf-logs

Because the grok processor of an ingest pipeline behaves as if break_on_match: true were set by default and this cannot be changed, each individual pattern has to be put into a grok filter of its own.

Otherwise the rest of the pipeline would be skipped after the first match, and not all of the fields the dashboard needs would be populated.

In line with the log entries, the message block is "split" into its component parts, each assigned to its own field. These fields are later evaluated by the corresponding dashboard.

If, for example, the HTTP request carries an IP address in x_forwarded_for_header_value, that IP address is used for the geoip evaluation. If it is absent (N/A), the address in ip_client is used instead.

Excerpt of the ingest pipeline tm-waf-logs

PUT _ingest/pipeline/tm-waf-logs
{
  "description": "waf-logs-ingest-pipeline",
  "processors": [
  {
    "grok": {
      "field": "message",
      "patterns": [
        "attack_type=\"%{DATA:attack_type}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        "blocking_exception_reason=\"%{DATA:blocking_exception_reason}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        "date_time=\"%{DATA:date_time}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        "dest_port=\"%{DATA:dest_port}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        "ip_client=\"%{DATA:ip_client}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",is_truncated=\"%{DATA:is_truncated}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",method=\"%{DATA:method}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",policy_name=\"%{DATA:policy_name}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",protocol=\"%{DATA:protocol}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",request_status=\"%{DATA:request_status}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",response_code=\"%{DATA:response_code}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",severity=\"%{DATA:severity}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",sig_cves=\"%{DATA:sig_cves}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",sig_ids=\"%{DATA:sig_ids}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",sig_names=\"%{DATA:sig_names}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",sig_set_names=\"%{DATA:sig_set_names}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",src_port=\"%{DATA:src_port}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",sub_violations=\"%{DATA:sub_violations}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",support_id=\"%{DATA:support_id}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",threat_campaign_names=\"%{DATA:threat_campaign_names}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",unit_hostname=\"%{DATA:unit_hostname}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",uri=\"%{DATA:uri}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",violation_rating=\"%{DATA:violation_rating}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",vs_name=\"%{DATA:vs_name}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",x_forwarded_for_header_value=\"%{DATA:x_forwarded_for_header_value}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",outcome=\"%{DATA:outcome}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",outcome_reason=\"%{DATA:outcome_reason}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",violations=\"%{DATA:violations}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",violation_details=\"%{DATA:violation_details}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",bot_signature_name=\"%{DATA:bot_signature_name}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",bot_category=\"%{DATA:bot_category}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",bot_anomalies=\"%{DATA:bot_anomalies}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",enforced_bot_anomalies=\"%{DATA:enforced_bot_anomalies}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",client_class=\"%{DATA:client_class}\""
      ]
    }
  },
  {
    "grok": {
      "field": "message",
      "patterns": [
        ",request=\"%{DATA:request}\""
      ]
    }
  },
  {
    "set": {
      "description": "If 'x_forwarded_for_header_value' is not 'N/A', set 'source_host' to 'x_forwarded_for_header_value'",
      "if": "ctx.x_forwarded_for_header_value != 'N/A'",
      "field": "source_host",
      "value": "{{x_forwarded_for_header_value}}"
    }
  },
  {
    "set": {
      "description": "If 'x_forwarded_for_header_value' is  'N/A', set 'source_host' to 'ip_client'",
      "if": "ctx.x_forwarded_for_header_value == 'N/A'",
      "field": "source_host",
      "value": "{{ip_client}}"
    }
  },
  {
    "geoip": {
      "field": "source_host"
    }
  }
  ]
}

The complete code for creating the ingest pipeline is also available for download HERE.
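To see what the pipeline above does to a single log line, here is an added example (written for this article, not code from the post or from the GitHub project it builds on) that re-implements the grok split, the source_host selection and filebeat's routing condition in Python. The log lines, host, policy, support and signature values are constructed; the field names are those of the pipeline. The missing_fields key and the handling of a comma-separated X-Forwarded-For list are additions of this example, not behaviour of the pipeline.

```python
import re
from datetime import datetime, timezone

# Field names in the order the tm-waf-logs pipeline extracts them (one grok processor each).
WAF_FIELDS = [
    "attack_type", "blocking_exception_reason", "date_time", "dest_port", "ip_client",
    "is_truncated", "method", "policy_name", "protocol", "request_status",
    "response_code", "severity", "sig_cves", "sig_ids", "sig_names", "sig_set_names",
    "src_port", "sub_violations", "support_id", "threat_campaign_names", "unit_hostname",
    "uri", "violation_rating", "vs_name", "x_forwarded_for_header_value", "outcome",
    "outcome_reason", "violations", "violation_details", "bot_signature_name",
    "bot_category", "bot_anomalies", "enforced_bot_anomalies", "client_class", "request",
]
# The pipeline writes every pattern after the first five with a leading comma so that
# ",violations=" cannot match inside ",sub_violations=" and ",bot_anomalies=" cannot
# match inside ",enforced_bot_anomalies=".
NO_COMMA_PREFIX = set(WAF_FIELDS[:5])

# Constructed sample line in the key="value" layout of the App Protect security log
# (documentation IP ranges; host, policy, support and signature values are made up).
SAMPLE_BLOCKED = (
    'attack_type="Non-browser Client,Abuse of Functionality",blocking_exception_reason="N/A",'
    'date_time="2021-06-09 15:01:38",dest_port="443",ip_client="203.0.113.10",'
    'is_truncated="false",method="GET",policy_name="NginxDefaultPolicy",protocol="HTTPS",'
    'request_status="blocked",response_code="0",severity="Critical",sig_cves="N/A",'
    'sig_ids="200000001",sig_names="Automated client access",'
    'sig_set_names="Generic Detection Signatures",src_port="51234",sub_violations="N/A",'
    'support_id="123456789012345678",threat_campaign_names="N/A",unit_hostname="nginx-01",'
    'uri="/admin/",violation_rating="3",vs_name="www.example.test:443",'
    'x_forwarded_for_header_value="198.51.100.7",outcome="REJECTED",'
    'outcome_reason="SECURITY_WAF_VIOLATION",violations="VIOL_ATTACK_SIGNATURE",'
    'violation_details="N/A",bot_signature_name="curl",bot_category="HTTP Library",'
    'bot_anomalies="N/A",enforced_bot_anomalies="N/A",client_class="Untrusted Bot",'
    'request="GET /admin/ HTTP/1.1\\r\\nHost: www.example.test\\r\\nUser-Agent: curl/7.68.0\\r\\n\\r\\n"'
)
# The same request without a proxy header and allowed through (derived from the line above).
SAMPLE_PASSED = (
    SAMPLE_BLOCKED
    .replace('x_forwarded_for_header_value="198.51.100.7"', 'x_forwarded_for_header_value="N/A"')
    .replace('request_status="blocked"', 'request_status="passed"')
    .replace('violations="VIOL_ATTACK_SIGNATURE"', 'violations="N/A"')
)


def grok_field(line, name):
    """Emulate one grok processor: first occurrence of <name>="<DATA>" anywhere in the message."""
    prefix = "" if name in NO_COMMA_PREFIX else ","
    match = re.search(re.escape(f'{prefix}{name}="') + r'(.*?)"', line)
    return match.group(1) if match else None


def parse_security_log_line(line):
    """Split one security.log line into the fields the dashboard reads. Fields whose
    pattern does not match are listed under 'missing_fields' (an addition of this
    example); in the real pipeline such a grok miss fails the whole document."""
    fields, missing = {}, []
    for name in WAF_FIELDS:
        value = grok_field(line, name)
        if value is None:
            missing.append(name)
        else:
            fields[name] = value
    fields["missing_fields"] = missing
    return fields


def select_source_host(fields):
    """Mirror the two 'set' processors: X-Forwarded-For wins, ip_client is the fallback.
    Two deliberate tightenings over the pipeline's painless condition: an absent header
    counts as N/A instead of yielding an empty source_host, and a comma-separated proxy
    chain is cut down to its first address so geoip receives a single IP."""
    xff = fields.get("x_forwarded_for_header_value")
    if xff and xff != "N/A":
        return xff.split(",")[0].strip()
    return fields.get("ip_client")


def route_for_filebeat(line):
    """Mirror filebeat.yml: only lines containing 'attack_type' go through tm-waf-logs
    into the daily waf-logs-* index; other lines keep filebeat's default pipeline/index."""
    if "attack_type" not in line:
        return None
    day = datetime.now(timezone.utc).strftime("%Y.%m.%d")
    return {"pipeline": "tm-waf-logs", "index": f"waf-logs-{day}"}


def process(line):
    """Run the emulated pipeline end to end; the geoip lookup itself is left to Elasticsearch."""
    doc = parse_security_log_line(line)
    source_host = select_source_host(doc)
    if source_host is not None:
        doc["source_host"] = source_host
    return doc
```

Before wiring up filebeat, the real pipeline can be tried against such a line with Elasticsearch's `POST _ingest/pipeline/tm-waf-logs/_simulate` endpoint. Two things the emulation makes visible: a grok processor that matches nothing fails the whole document unless `ignore_failure` or `on_failure` is set, so a change in the log format silently empties the dashboard rather than producing partial documents; and x_forwarded_for_header_value is supplied by the client, so the geoip location derived from it is only trustworthy when the header is set by your own reverse proxy and not passed through from the outside.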

Importing the dashboard TM NGINX Waf - Overview

As the final step, the dashboard TM_NGINX_WAF_Overview.ndjson must be imported via Kibana → Stack Management → Saved Objects (Elasticsearch version 7).
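Before the import, a small added check (Python written for this article, not part of the original post or of the dashboard's repository) can confirm two things an import commonly trips over: that every entry in a saved object's references list points at an object contained in the same .ndjson file, and that the export's index pattern actually covers the index name filebeat writes to. The export excerpt below is constructed for the example; the index-pattern id and the "Requests Distribution" visualization id are the ones from the TM_NGINX_WAF_Overview export, while the all-zero and all-f ids are placeholders that create a dangling reference on purpose.

```python
import fnmatch
import json

# Constructed three-object excerpt of a Kibana 7 saved-objects export plus the summary line
# Kibana appends at the end. The index-pattern id and the "Requests Distribution" id are the
# ones from the TM_NGINX_WAF_Overview export; the zero/f ids are placeholders.
INDEX_PATTERN_ID = "b6896160-1ade-11ea-bb19-634fb23c25ea"
INDEX_REF_NAME = "kibanaSavedObjectMeta.searchSourceJSON.index"
SAMPLE_NDJSON = "\n".join(json.dumps(o) for o in [
    {"id": INDEX_PATTERN_ID, "type": "index-pattern",
     "attributes": {"title": "waf-logs-*", "timeFieldName": "@timestamp"}, "references": []},
    {"id": "7e5c83d0-2056-11ea-bcff-c3c564493235", "type": "visualization",
     "attributes": {"title": "Requests Distribution"},
     "references": [{"id": INDEX_PATTERN_ID, "name": INDEX_REF_NAME, "type": "index-pattern"}]},
    {"id": "00000000-0000-0000-0000-000000000000", "type": "visualization",
     "attributes": {"title": "Dangling placeholder"},
     "references": [{"id": "ffffffff-ffff-ffff-ffff-ffffffffffff", "name": INDEX_REF_NAME,
                     "type": "index-pattern"}]},
    {"exportedCount": 3, "missingRefCount": 0, "missingReferences": []},
])


def load_saved_objects(ndjson_text):
    """Parse an .ndjson export into saved objects, skipping blank lines and the summary line."""
    objects = []
    for lineno, raw in enumerate(ndjson_text.splitlines(), start=1):
        if not raw.strip():
            continue
        obj = json.loads(raw)
        if "exportedCount" in obj:  # trailing summary written by Kibana, not a saved object
            continue
        for key in ("id", "type", "attributes"):
            if key not in obj:
                raise ValueError(f"line {lineno}: saved object without '{key}'")
        objects.append(obj)
    return objects


def find_dangling_references(objects):
    """Return (type, id, ref_type, ref_id) for every reference to an object that is not in
    the export; Kibana flags such objects as having missing references on import."""
    present = {(o["type"], o["id"]) for o in objects}
    return [(o["type"], o["id"], ref["type"], ref["id"])
            for o in objects for ref in o.get("references", [])
            if (ref["type"], ref["id"]) not in present]


def index_pattern_covers(objects, index_name):
    """True if some index pattern in the export matches the index name filebeat writes to."""
    return any(fnmatch.fnmatch(index_name, o["attributes"]["title"])
               for o in objects if o["type"] == "index-pattern")


if __name__ == "__main__":
    objs = load_saved_objects(SAMPLE_NDJSON)
    print(len(objs), "saved objects; dangling references:", find_dangling_references(objs))
    print("waf-logs-2021.06.09 covered:", index_pattern_covers(objs, "waf-logs-2021.06.09"))
```

Run against the real TM_NGINX_WAF_Overview.ndjson, the dangling list should be empty and the index name built by the filebeat configuration above (waf-logs-&lt;date&gt;) should be covered by the waf-logs-* pattern; if the index name in filebeat.yml is ever changed, this check is where the mismatch shows up before the dashboard simply stays empty.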

				
					{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"title":"Requests Rate","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Requests Rate\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(split=request_status.keyword:20, index=waf-logs-*).label(\\\"Request Status: $1\\\", \\\"^.*:(.*) >.*\\\")\",\"interval\":\"auto\"},\"aggs\":[]}"},"coreMigrationVersion":"7.13.1","id":"92a3e950-3438-11ea-983a-f74b5d6c2f97","migrationVersion":{"visualization":"7.13.1"},"references":[],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDMzLDJd"}
{"attributes":{"fieldAttrs":"{\"geoip.country_iso_code\":{\"count\":1},\"geoip.region_iso_code\":{\"count\":1},\"method\":{\"count\":1}}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"waf-logs-*"},"coreMigrationVersion":"7.13.1","id":"b6896160-1ade-11ea-bb19-634fb23c25ea","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-06-09T15:01:38.941Z","version":"WzMzNDIzLDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Requests Distribution","uiStateJSON":"{\"vis\":{\"colors\":{\"Blocked\":\"#BF1B00\",\"Alarmed\":\"#EAB839\",\"Alerted\":\"#E5AC0E\"}}}","version":1,"visState":"{\"title\":\"Requests Distribution\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{},\"params\":{},\"aggType\":\"filters\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"schema\":\"segment\",\"params\":{\"filters\":[{\"input\":{\"query\":\"violations.keyword : N/A and request_status : passed\",\"language\":\"kuery\"},\"label\":\"Clean\"},{\"input\":{\"query\":\"request_status :  blocked\",\"language\":\"kuery\"},\"label\":\"Blocked\"},{\"input\":{\"query\":\"request_status :  alerted\",\"language\":\"kuery\"},\"label\":\"Alerted\"}]}}]}"},"coreMigrationVersion":"7.13.1","id":"7e5c83d0-2056-11ea-bcff-c3c564493235","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM0LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"title":"Response Codes Rate","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Response Codes Rate\",\"type\":\"timelion\",\"params\":{\"expression\":\".es(split=response_code.keyword:20, index=waf-logs-*).label(\\\"Response Code: $1\\\", \\\"^.*:(.*) >.*\\\")\",\"interval\":\"auto\"},\"aggs\":[]}"},"coreMigrationVersion":"7.13.1","id":"d990f700-3702-11ea-a241-09ab559b62bd","migrationVersion":{"visualization":"7.13.1"},"references":[],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM1LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Response Codes Distribution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Response Codes Distribution\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"response_code.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.13.1","id":"5e376660-3703-11ea-a241-09ab559b62bd","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM2LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Talkers","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Talkers\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":15},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#34130C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_client.keyword\",\"orderBy\":\"1\",\"order\"
:\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client IPs\"}}]}"},"coreMigrationVersion":"7.13.1","id":"5eee5660-366b-11ea-a241-09ab559b62bd","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM3LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top URLs","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URLs\",\"field\":\"uri.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":10},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\"}},\"params\":{}},\"y\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#34130C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"pale
tte\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"Top URLs\",\"type\":\"histogram\"}"},"coreMigrationVersion":"7.13.1","id":"2b7fd200-3642-11ea-983a-f74b5d6c2f97","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM4LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top Violator IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top Violator IPs\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#34130C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"y\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"}],\"series\":[{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":t
rue,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ip_client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Violator IPs\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"violations.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"N/A\"}}]}"},"coreMigrationVersion":"7.13.1","id":"e97cb520-2053-11ea-bcff-c3c564493235","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDM5LDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Signatures Distribution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Signatures Distribution\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sig_ids.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"N/A\",\"customLabel\":\"Signature ID\"}}]}"},"coreMigrationVersion":"7.13.1","id":"8ace9ec0-2054-11ea-bcff-c3c564493235","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDQwLDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Violations Distribution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Violations Distribution\",\"type\":\"pie\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"}]},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"violations.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"N/A\",\"customLabel\":\"Violation\"}}]}"},"coreMigrationVersion":"7.13.1","id":"9b6276f0-2052-11ea-bcff-c3c564493235","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-04-23T09:21:45.628Z","version":"WzIxMDQxLDJd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"GEO","uiStateJSON":"{\"mapZoom\":1,\"mapCenter\":[64.5498936275396,0]}","version":1,"visState":"{\"title\":\"GEO\",\"type\":\"region_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Request Count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"geoip.country_iso_code.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"addTooltip\":true,\"bucket\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\"}},\"params\":{},\"aggType\":\"terms\"},\"colorSchema\":\"Green to Red\",\"emsHotLink\":\"https://maps.elastic.co/v7.4?locale=en#file/world_countries\",\"isDisplayWarning\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapZoom\":2,\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"aggType\":\"count\"},\"outlineWeight\":1,\"selectedJoinField\":{\"type\":\"id\",\"name\":\"iso2\",\"description\":\"ISO 3166-1 alpha-2 code\"},\"showAllShapes\":true,\"wms\":{\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"origin\":\"elastic_maps_service\",\"id\":\"road_map\",\"minZoom\":0,\"maxZoom\":20,\"attribution\":\"<p><a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.openstreetmap.org/copyright\\\">OpenStreetMap contributors</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://openmaptiles.org\\\">OpenMapTiles</a> | <a rel=\\\"noreferrer noopener\\\" href=\\\"https://www.maptiler.com\\\">MapTiler</a> | <a rel=\\\"noreferrer 
noopener\\\" href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a></p>\"}},\"selectedLayer\":{\"name\":\"World Countries\",\"origin\":\"elastic_maps_service\",\"id\":\"world_countries\",\"created_at\":\"2017-04-26T17:12:15.978370\",\"attribution\":\"<a href=\\\"http://www.naturalearthdata.com/about/terms-of-use\\\">Made with NaturalEarth</a> | <a href=\\\"https://www.elastic.co/elastic-maps-service\\\">Elastic Maps Service</a>\",\"fields\":[{\"type\":\"id\",\"name\":\"iso2\",\"description\":\"ISO 3166-1 alpha-2 code\"},{\"type\":\"id\",\"name\":\"iso3\",\"description\":\"ISO 3166-1 alpha-3 code\"},{\"type\":\"property\",\"name\":\"name\",\"description\":\"name\"}],\"format\":{\"type\":\"geojson\"},\"layerId\":\"elastic_maps_service.World Countries\",\"isEMS\":true}}}"},"coreMigrationVersion":"7.13.1","id":"d19c31a0-3666-11ea-a241-09ab559b62bd","migrationVersion":{"visualization":"7.13.1"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-06-09T14:54:02.718Z","version":"WzMyNjgxLDJd"}
{"attributes":{"columns":["method","uri","violations","response_code","request_status","ip_client"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Nginx WAF All Requests","version":1},"coreMigrationVersion":"7.13.1","id":"e3e0a060-343d-11ea-983a-f74b5d6c2f97","migrationVersion":{"search":"7.9.3"},"references":[{"id":"b6896160-1ade-11ea-bb19-634fb23c25ea","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2021-06-09T15:04:02.722Z","version":"WzMzODM1LDJd"}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":7,\"i\":\"d7699f7c-f08d-49a6-bba4-391818076fc2\",\"w\":36,\"x\":0,\"y\":0},\"panelIndex\":\"d7699f7c-f08d-49a6-bba4-391818076fc2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d7699f7c-f08d-49a6-bba4-391818076fc2\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":7,\"i\":\"be9d107d-a926-4151-b184-cc8ce56a84f4\",\"w\":12,\"x\":36,\"y\":0},\"panelIndex\":\"be9d107d-a926-4151-b184-cc8ce56a84f4\",\"embeddableConfig\":{\"colors\":{\"Alarmed\":\"#EAB839\",\"Blocked\":\"#BF1B00\"},\"legendOpen\":false,\"vis\":{\"colors\":{\"Alarmed\":\"#EAB839\",\"Blocked\":\"#BF1B00\"},\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_be9d107d-a926-4151-b184-cc8ce56a84f4\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":7,\"i\":\"52a4031f-1321-4cf8-a649-bb3b87ee24d2\",\"w\":36,\"x\":0,\"y\":7},\"panelIndex\":\"52a4031f-1321-4cf8-a649-bb3b87ee24d2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_52a4031f-1321-4cf8-a649-bb3b87ee24d2\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":7,\"i\":\"b542bf0d-be9e-415d-bb88-5749cff274a3\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"b542bf0d-be9e-415d-bb88-5749cff274a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b542bf0d-be9e-415d-bb88-5749cff274a3\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"cceda060-776b-40cb-b045-5649ace38816\",\"w\":24,\"x\":0,\"y\":14},\"panelIndex\":\"cceda060-776b-40cb-b045-5649ace38816\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cceda060-776b-40cb-b045-5649ace38816\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"37bc87ed-cb35-48fb-84fe-1142f57de563\",\"w\":24,\"x\":24,\"y\":14},\"panelIndex\":\"37bc87ed-cb35-48fb-84fe-1142f57de563\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_37bc87ed-cb35-48fb-84fe-1142f57de563\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":10,\"i\":\"494496f1-d1fd-4ea6-abaa-69c8728c5dec\",\"w\":17,\"x\":0,\"y\":25},\"panelIndex\":\"494496f1-d1fd-4ea6-abaa-69c8728c5dec\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_494496f1-d1fd-4ea6-abaa-69c8728c5dec\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":10,\"i\":\"8ae28754-12f5-4508-85bc-c99c40f45139\",\"w\":15,\"x\":17,\"y\":25},\"panelIndex\":\"8ae28754-12f5-4508-85bc-c99c40f45139\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_8ae28754-12f5-4508-85bc-c99c40f45139\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":10,\"i\":\"c8041f88-a91e-4904-9991-6a891a4bbb2e\",\"w\":16,\"x\":32,\"y\":25},\"panelIndex\":\"c8041f88-a91e-4904-9991-6a891a4bbb2e\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_c8041f88-a91e-4904-9991-6a891a4bbb2e\"},{\"version\":\"7.13.1\",\"type\":\"visualization\",\"gridData\":{\"h\":14,\"i\":\"93ed98ec-fb4c-4171-a847-85f6a6c38e7d\",\"w\":48,\"x\":0,\"y\":35},\"panelIndex\":\"93ed98ec-fb4c-4171-a847-85f6a6c38e7d\",\"embeddableConfig\":{\"mapCenter\":null,\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_93ed98ec-fb4c-4171-a847-85f6a6c38e7d\"},{\"version\":\"7.13.1\",\"type\":\"search\",\"gridData\":{\"h\":15,\"i\":\"45501e8d-621a-4908-90b8-c2db02b3e82b\",\"w\":48,\"x\":0,\"y\":49},\"panelIndex\":\"45501e8d-621a-4908-90b8-c2db02b3e82b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_45501e8d-621a-4908-90b8-c2db02b3e82b\"}]","timeRestore":false,"title":"TM NGINX WAF - Overview","version":1},"coreMigrationVersion":"7.13.1","id":"6b701f30-c932-11eb-88d1-55a6c5eb1072","migrationVersion":{"dashboard":"7.13.1"},"references":[{"id":"92a3e950-3438-11ea-983a-f74b5d6c2f97","name":"d7699f7c-f08d-49a6-bba4-391818076fc2:panel_d7699f7c-f08d-49a6-bba4-391818076fc2","type":"visualization"},{"id":"7e5c83d0-2056-11ea-bcff-c3c564493235","name":"be9d107d-a926-4151-b184-cc8ce56a84f4:panel_be9d107d-a926-4151-b184-cc8ce56a84f4","type":"visualization"},{"id":"d990f700-3702-11ea-a241-09ab559b62bd","name":"52a4031f-1321-4cf8-a649-bb3b87ee24d2:panel_52a4031f-1321-4cf8-a649-bb3b87ee24d2","type":"visualization"},{"id":"5e376660-3703-11ea-a241-09ab559b62bd","name":"b542bf0d-be9e-415d-bb88-5749cff274a3:panel_b542bf0d-be9e-415d-bb88-5749cff274a3","type":"visualization"},{"id":"5eee5660-366b-11ea-a241-09ab559b62bd","name":"cceda060-776b-40cb-b045-5649ace38816:panel_cceda060-776b-40cb-b045-5649ace38816","type":"visualization"},{"id":"2b7fd200-3642-11ea-983a-f74b5d6c2f97","name":"37bc87ed-cb35-48fb-84fe-1142f57de563:panel_37bc87ed-cb35-48fb-84fe-1142f57de563","type":"visualization"},{"id":"e97cb520-2053-11ea-bcff-c3c564493235","name":"494496f1-d1fd-4ea6-abaa-69c8728c5dec:panel_494496f1-d1fd-4ea6-abaa-69c8728c5dec","type":"visualization"},{"id":"8ace9ec0-2054-11ea-bcff-c3c564493235","name":"8ae28754-12f5-4508-85bc-c99c40f45139:panel_8ae28754-12f5-4508-85bc-c99c40f45139","type":"visualization"},{"id":"9b6276f0-2052-11ea-bcff-c3c564493235","name":"c8041f88-a91e-4904-9991-6a891a4bbb2e:panel_c8041f88-a91e-4904-9991-6a891a4bbb2e","type":"visualization"},{"id":"d19c31a0-3666-11ea-a241-09ab559b62bd","name":"93ed98ec-fb4c-4171-a847-85f6a6c38e7d:panel_93ed98ec-fb4c-4171-a847-85f6a6c38e7d","type":"visualization"},{"id":"e3e0a060-343d-11ea-983a-f74b5d6c2f97","name":"45501e8d-621a-4908-90b8-c2db02b3e82b:panel_45501e8d-621a-4908-90b8-c2db02b3e82b","type":"search"}],"type":"dashboard","updated_at":"2021-06-09T14:54:50.572Z","version":"WzMyNzM0LDJd"}
{"exportedCount":13,"missingRefCount":0,"missingReferences":[]}

The dashboard can also be downloaded HERE.

More information on the advantages and disadvantages of an ingest pipeline compared with Logstash can be found in the following article.