-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Erik de Bueger
authored and
Erik de Bueger
committed
Jul 18, 2022
0 parents
commit 04002e5
Showing
6 changed files
with
1,228 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,268 @@ | ||
| { | ||
| "type": "FolderSyncDefinition", | ||
| "name": "Panda", | ||
| "description": "", | ||
| "children": [ | ||
| { | ||
| "type": "DashboardV2SyncDefinition", | ||
| "name": "Panda Overview", | ||
| "description": "", | ||
| "title": "Panda Overview", | ||
| "rootPanel": null, | ||
| "theme": "Light", | ||
| "topologyLabelMap": { | ||
| "data": {} | ||
| }, | ||
| "refreshInterval": 0, | ||
| "timeRange": { | ||
| "type": "BeginBoundedTimeRange", | ||
| "from": { | ||
| "type": "RelativeTimeRangeBoundary", | ||
| "relativeTime": "-4w2d" | ||
| }, | ||
| "to": null | ||
| }, | ||
| "layout": { | ||
| "layoutType": "Grid", | ||
| "layoutStructures": [ | ||
| { | ||
| "key": "panel465F3347940C784A", | ||
| "structure": "{\"height\":6,\"width\":5,\"x\":5,\"y\":0}" | ||
| }, | ||
| { | ||
| "key": "panel17EF4EA2BCC52847", | ||
| "structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":6}" | ||
| }, | ||
| { | ||
| "key": "panel4B6147BA8D18C848", | ||
| "structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":6}" | ||
| }, | ||
| { | ||
| "key": "panelBCE5E84D96381B40", | ||
| "structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":12}" | ||
| }, | ||
| { | ||
| "key": "panelD0FFCBC78FBECA49", | ||
| "structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":12}" | ||
| }, | ||
| { | ||
| "key": "panelCC78487E83854A45", | ||
| "structure": "{\"height\":6,\"width\":5,\"x\":0,\"y\":0}" | ||
| }, | ||
| { | ||
| "key": "panel736234CF8A5D6844", | ||
| "structure": "{\"height\":6,\"width\":5,\"x\":10,\"y\":0}" | ||
| }, | ||
| { | ||
| "key": "panelF169F427B6E37B41", | ||
| "structure": "{\"height\":6,\"width\":8,\"x\":15,\"y\":0}" | ||
| } | ||
| ] | ||
| }, | ||
| "panels": [ | ||
| { | ||
| "id": null, | ||
| "key": "panel465F3347940C784A", | ||
| "title": "Detected event types", | ||
| "visualSettings": "{\"general\":{\"mode\":\"singleValueMetrics\",\"type\":\"svp\"},\"series\":{},\"svp\":{\"label\":\"Event Types\",\"gauge\":{\"show\":true,\"max\":18},\"sparkline\":{\"show\":false}}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_sourcecategory = panda | count_distinct(eventtype)", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panel17EF4EA2BCC52847", | ||
| "title": "Event Types", | ||
| "visualSettings": "{\"general\":{\"mode\":\"distribution\",\"type\":\"pie\"}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_sourcecategory = panda | count by eventdescription", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panel4B6147BA8D18C848", | ||
| "title": "Events over time", | ||
| "visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"column\"}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_sourcecategory = panda | timeslice 1d | count by _timeslice", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panelBCE5E84D96381B40", | ||
| "title": "Top 10 event hosts", | ||
| "visualSettings": "{\"general\":{\"mode\":\"distribution\",\"type\":\"pie\"},\"series\":{}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_source=\"panda\" | count by host_name | sort by _count | limit 10", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panelD0FFCBC78FBECA49", | ||
| "title": "Detected Malware Items", | ||
| "visualSettings": "{\"general\":{\"mode\":\"distribution\",\"type\":\"table\"},\"series\":{}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_source=\"panda\" | where !isEmpty(item_name) | count by item_name", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panelCC78487E83854A45", | ||
| "title": "Hours since last event", | ||
| "visualSettings": "{\"general\":{\"mode\":\"singleValueMetrics\",\"type\":\"svp\"},\"series\":{},\"svp\":{\"label\":\"Hours\",\"gauge\":{\"show\":true,\"max\":48},\"sparkline\":{\"show\":false},\"rounding\":0}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_sourcecategory = panda | first(_messageTime) AS lasthour | now() - lasthour AS msecs | msecs/3600000 as hrs | floor(hrs) as HOURS | fields HOURS", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": { | ||
| "type": "BeginBoundedTimeRange", | ||
| "from": { | ||
| "type": "RelativeTimeRangeBoundary", | ||
| "relativeTime": "-1w" | ||
| }, | ||
| "to": null | ||
| }, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panel736234CF8A5D6844", | ||
| "title": "Total events", | ||
| "visualSettings": "{\"general\":{\"mode\":\"singleValueMetrics\",\"type\":\"svp\"},\"series\":{},\"svp\":{\"label\":\"Events\",\"gauge\":{\"show\":false,\"max\":18},\"sparkline\":{\"show\":false}}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_sourcecategory = panda | count", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| }, | ||
| { | ||
| "id": null, | ||
| "key": "panelF169F427B6E37B41", | ||
| "title": "Detected Malware Items by host", | ||
| "visualSettings": "{\"title\":{\"fontSize\":14},\"general\":{\"type\":\"honeyComb\",\"displayType\":\"default\",\"mode\":\"honeyComb\"},\"honeyComb\":{\"thresholds\":[{\"from\":null,\"to\":null,\"color\":\"#98ECA9\"},{\"from\":null,\"to\":null,\"color\":\"#F2DA73\"},{\"from\":null,\"to\":null,\"color\":\"#FFB5B5\"}],\"shape\":\"hexagon\",\"groupBy\":[],\"aggregationType\":\"count\"},\"series\":{}}", | ||
| "keepVisualSettingsConsistentWithParent": true, | ||
| "panelType": "SumoSearchPanel", | ||
| "queries": [ | ||
| { | ||
| "queryString": "_source=\"panda\" | count by host_name", | ||
| "queryType": "Logs", | ||
| "queryKey": "A", | ||
| "metricsQueryMode": null, | ||
| "metricsQueryData": null, | ||
| "tracesQueryData": null, | ||
| "parseMode": "Auto", | ||
| "timeSource": "Message" | ||
| } | ||
| ], | ||
| "description": "Events by host", | ||
| "timeRange": null, | ||
| "coloringRules": null, | ||
| "linkedDashboards": [] | ||
| } | ||
| ], | ||
| "variables": [], | ||
| "coloringRules": [] | ||
| } | ||
| ] | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| ## Table of contents | ||
| * [General info](#general-info) | ||
| * [Components](#components) | ||
| * [Setup](#setup) | ||
|
|
||
| ## General info | ||
| App: Panda - Watchguard endpoint protection | ||
| Panda is enpoint protection technology, the api is defined in: | ||
| https://www.watchguard.com/help/docs/API/Content/en-US/panda/aether_endpoint_security/v1/aether_endpoint_security.html | ||
| This app extracts the portal data on a regular basis, and ingests the data into sumo CIP. | ||
| It also provides basic dashboarding. | ||
|
|
||
| ## Components | ||
| The Sumo Logic Panda app consists of the following components: | ||
|
|
||
| * panda.py | ||
| AWS Lambda function: runs every few hours in order to check on new (not earlier collected) logs. If these are available, they are downloaded, and forwarded as JSON onto the designated sumo logic endpoint. | ||
| This function can be ran as a lambda function in an AWS account, or alternately on any system, driven by cron. | ||
| In the latter case the command has to be ran with following options: | ||
| ``` | ||
| ./panda.py -n -a <authentication url> -i <accessid> -p <passwd> -k <apikey> --endpoint https:<sumologic collector endpoint> | ||
| ``` | ||
| Example of crontab entry in /etc/crontab to regulary run the command: | ||
| ``` | ||
| 36 */2 * * * ubuntu /home/ubuntu/panda.py --n -a <authentication url> -i <accessid> -p <passwd> -k <apikey> --endpoint https:<sumologic collector endpoint | ||
| ``` | ||
| Pre-requisite is availability of python3 on host system. | ||
|
|
||
| * sumopanda.json | ||
| AWS CloudFormation template: installs the lambda function, plus additional resources required for the lambda function to properly execute (role, policies, event trigger, parameters). | ||
| Sumo Collector for panda logs: to be created in Sumo account by customer. | ||
|
|
||
| * Panda.json | ||
| json file which contains all dashboards to visualize Panda data. Needs to be imported into a folder in your Sumo Logic account. | ||
|
|
||
| * pandalambda.zip | ||
| zipped lambda function, for convenience, to be placed on S3 somehwere acessible by cloudformation script | ||
|
|
||
| ## Setup | ||
| Installation instructions: | ||
|
|
||
| In your sumo account: create hosted HTTP connector, with one HTTP source with unique URL. | ||
| Provide following parameters: | ||
| * Name: panda | ||
| * Check ‘Enable Timestamp Parsing’ | ||
| * Timestamp format: yyyy-MM-dd'T'hh:mm:ss.SSSSSSZZZZ | ||
| * Timestamp Locator: .*"TIMESTAMP"\s*:\s+"([^"]+)" | ||
| * Sourcecategory: panda | ||
|
|
||
| Make sure that the defined timezone is equal to the timezone where your script runs. | ||
|
|
||
| In your AWS account (if collection function will run as AWS lambda code) : | ||
| * Place lambda zip archive (my-deployment-package.zip) on one of your accessible S3 buckets, and remember the access URL to this file. | ||
| * Run the provided Cloud Formation template in your AWS environment, and provide it with the proper parameters (for example: panda portal URL, sumo endpoint URL, URL to lambda zip archive, earliest data for logs). | ||
|
|
||
| * Once the stack has been created, install the Panda App in your Sumo Logic account., with SourceCategory = panda. | ||
|
|
||
| Depending on the cron schedule (by default once an hour) connected with the Lambda function, data will start flowing in, and the dashboards will start populating with data. Please note it may take a bit of time for dashboards to populate (up to few hours). |
Oops, something went wrong.