« ThreatConnect Thycotic Secret Server »

›

Threat Map

Version	0.1.0 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all)
Compatible Kibana version(s)	8.14.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

The Threat Map dashboard visualizes network traffic flow between regions using directed paths and animations. It includes arrows indicating direction and pulsing arcs at the destination.

The animations may increase browser CPU usage.

Prerequisites

edit

To use the Threat Map dashboard, ensure the following:

Timestamp Field: Documents must contain a @timestamp field for time-range filtering.

GeoIP Processor: Apply a GeoIP processor to the IP field. The resulting document should contain source.geo and destination.geo fields.

Here is an example of an ingest pipeline that adds the geographical information to the geo field based on the ip field.

PUT _ingest/pipeline/geoip
{
  "description" : "Add ip geolocation info",
  "processors" : [
    {
      "geoip" : {
        "field" : "source.ip",
        "target_field" : "source.geo"
      }
    },
    {
      "geoip" : {
        "field" : "destination.ip",
        "target_field" : "destination.geo"
      }
    }
  ]
}

Data View: Use documents accessible via the logs-* data view.

Data Format

edit

Data is retrieved from Elasticsearch using the _all index search endpoint. Ensure the following fields exist in each document:

Field	Description	Required/Optional	Default Value
`source.geo.location.lat`	Latitude of the source	Required
`source.geo.location.lon`	Longitude of the source	Required
`source.geo.country_name`	Country name of the source	Required
`source.ip`	IP address of the source	Required
`destination.geo.location.lat`	Latitude of the destination	Required
`destination.geo.location.lon`	Longitude of the destination	Required
`destination.geo.country_name`	Country name of the destination	Required
`destination.ip`	IP address of the destination	Required
`color`	Arc color	Optional	`"#54B399"`
`animate`	Determines if the arc is animated	Optional	`false`
`weight`	Arc line thickness	Optional	`1`
`source_label`	Label at the source location	Optional
`destination_label`	Label at the destination location	Optional
`pulse_at_source`	If true, the pulse begins at the source instead of the destination	Optional	`false`

These fields can be added or modified using Custom pipeline. Read more.

Usage

edit

The Threat Map visualization can be added to other dashboards in two ways:

1. Duplicate the Dashboard

edit

Click the Duplicate button in the top-right corner of the dashboard.
A clone of the dashboard will be created for your customization.

2. Copy Visualization to a Dashboard

edit

Click the three dots in the top-right corner of the visualization and select Copy to Dashboard.
Choose one of the following options:
- Existing Dashboard: Select an existing dashboard from the dropdown, then click Copy and Go to Dashboard.
- New Dashboard: Create a new dashboard with the visualization.

[role="screenshot"]

edit

Visualizations

edit

The Threat Map dashboard includes the following visualizations:

1. Map

edit

Framework: Utilizes Vega within Kibana.
Fields Used: source.geo.location, destination.geo.location, color, animate, weight, source_label, and destination_label.
Customization:
- Click the three dots in the top-right corner and select Maximize to enlarge.
- The map adapts to Kibana’s dark/light mode automatically. Read more.

2. Panels

edit

Includes four tables for analyzing traffic flow:

Source/Destination Countries: Shows the top 5 countries with the highest traffic flow.
Source/Destination IPs: Shows the top 5 IPs with the highest traffic flow.

Data in panels can be sorted by clicking on the Count column header.

Filtering Data

edit

Global Filters

edit

Use KQL (Kibana Query Language) in the query bar at the top of the dashboard.
Adjust the time range using the selector in the top-right corner (default: last 30 minutes).
Maximum records displayed: 10,000.

Visualization-Specific Filters

edit

Click the three dots in the top-right corner of the map and select Edit Visualization.
Apply a filter using the query bar.
Click Save and Return to apply changes.

[role="screenshot"]

edit

Customization Options

edit

The following options are available for customization:

Option	Description	Default Value
`emsTileServiceId`	Sets the EMS-layer for the map.	`"undefined"`
`Latitude`	Starting latitude of the map	`10`
`Longitude`	Starting longitude of the map	`0`
`Zoom`	Starting zoom level of the map	`1.3`
`scrollWheelZoom`	If true, disables mouse wheel zoom to avoid accidental zooming	`falses`

To customize these options, click on Edit visualization from the dropdown in the top right corner of the visualization. A Vega editor will open, where you can modify the following configurations.

For additional customization options, see the Vega Kibana Guide.

[role="screenshot"]

edit

Changelog

edit

Changelog

Version	Details	Kibana version(s)
0.1.0	Enhancement (View pull request) Initial draft of the package	—

« ThreatConnect Thycotic Secret Server »