Querying, Filtering, and Visualizing Data

You can interactively explore your data source data using the Metron dashboard.

When CCP parses a telemetry, it extracts and normalizes different parts of the message into a standard Metron JSON object. Standardizing and normalizing field names and formats allows CCP to search different telemetry messages with a single query. You have access to every document in every index that matches your selected index patterns. The Metron dashboard enables you to submit search queries on the data source data, filter the search results, and view the results in a number of visualizations.

In CCP, if telemetry indexing is enabled, a rotating index for every telemetry is created. By convention this index will have a name [telemetry_name]_[timestamp]. Telemetry documents indexed into this index will by convention be called [telemetry_name]_doc. Queries reference the document type of the indexed telemetries.

For more information about exploring and analyzing your data, refer to the Kibana documentation:

Table 1. Querying, Filtering, and Visualizing Data
Task Description Where to Look
Querying your data

You can search and refine the data you receive from your data source by creating a query from the Discover page. You should create and save a query for each data source not provided by CCP.

CCP includes queries for the following telemetries:

  • YAF
  • Bro
  • Alerts (populated by Snort)

You can also add custom queries for new telemetry types.

Discovering Your Data

Filter your query results

You can use the Metron dashboard to filter your query results to further refine the information. The Metron dashboard provides two types of filters:

Time Filter

Restricts the search results to a specific time period.

Filter by Field

Filters to display only those documents that contain a particular value in a field. You can filter either from the Fields list or the Documents table.


Visualizing your data

You can filter search results to display only those documents that contain a particular value in a field. You can also create negative filters than exclude documents that contain the specified field value.