Create a Kibana Package
DynamiteNSM ships with a simple package manager for installing and uninstalling groups Kibana objects.
Packages typically contain searches, visualizations and dashboards combined to facilitate one or more investigatory workflows.
By default, DynamiteNSM will install the dynamite-investigator package, which provides a unique blend of host centric and event/alert centric views.
ⓘ
dynamite kibana packageis still in the early stages of development, and thus likely to change in future releases.
Checkout Existing Packages
git clone https://github.com/DynamiteAI/kibana_packages.git
Package Format Guidelines
We've developed a few internal guidelines that must be followed for those wishing to submit their own package to the Dynamite package repository. They are available here.
Setting up a Working Environment
Before you can create a new Kibana package you will need to setup a working monitor and agent instance. Once the agent starts sending events Kibana's discovery view will quickly fill up, and you can begin creating new visualisations and dashboards.
The dynamite-investigator package provides some out-of-the-box saved searches, useful for filtering and
differentiating between event types. These searches can serve as a basis for creating your own visualizations and dashboards.
Creating a Visualization
Kibana provides a fairly exhaustive set of visualizations for representing both simple and complex relationships in your data.
You can create a new visualization by double-clicking the Vizualize tab in the left-hand sidebar. From there simply select the Create visualization button
to enter into the New Vizualization interface.
Adding a Visualization to a Dashboard
Dashboards serve as space to present a variety of visualizations that typically share some common theme. Kibana dashboards provide the ability to enforce certain global constraints against all visualizations within that dashboard.
For example, the time-range filter and any term filters or KQL searches can be applied consistently across all visualizations within
a dashboard.
To create a new Dashboard double-click the Dashboard tab in left-hand sidebar. You may then add any visualization or saved_search you have created.
Exporting Saved Objects
To export saved objects simply navigate to Stack Management in the left-hand sidebar. From there select Saved Objects link.
Within this UI you can export all the objects or just those of a certain type.
We suggest that objects are exported for each type and without including related objects. By doing so other developers can easily build upon the parts of your package most useful to them.
Creating the Package
Every kibana package consists of one or more saved_object.ndjson files and a manifest.json file.
The .ndjson files are the output of a Kibana export operation as outlined above. A manifest.json simply contains
some additional metadata as well as a list of files to be installed via Kibana's saved_object's API.
manifest.json
{
"name": "Baselines",
"author": "John Doe",
"author_email": "jdoe@example.com",
"description": "Includes several base-lining techniques useful for identifying anomalies on small networks",
"package_type": "saved_objects",
"file_list": ["config.ndjson", "index_patterns.ndjson", "searches.ndjson", "visualizations.ndjson", "dashboards.ndjson"]
}
Important!: The order of appearance in the file_list is important, dependencies should precede their dependants.
In the example above
searches.ndjsonrelies on or references the data fromindex_patterns.ndjsonto be available at installation time, otherwise errors and unexpected behavior may arise.
Create an Archive
tar -cvf baselines.tar.gz baselines/*