- Accessing Kibana
- Setting Up Index Patterns
- Creating Visualizations
- Building Dashboards
- Real-time Metrics to Track
- Auto-refresh Configuration
- Cloud vs Local Differences

Accessing Kibana

Local (Docker) setup:

Start Services:
docker-compose up -d kibana

Access Kibana:
- URL: http://localhost:5601
- Wait 1-2 minutes for initial startup
- No authentication required (local setup)

Elastic Cloud setup:

Get Kibana URL:
- Log into Elastic Cloud Console
- Navigate to your deployment
- Copy the Kibana endpoint (e.g., https://xxxxx.kb.us-east-1.aws.found.io:9243)

Access Kibana:
- Open the Kibana URL in your browser
- Login with your Elastic Cloud credentials
- Or use API Key authentication

Setting Up Index Patterns

Navigate to Index Patterns:
- Go to Stack Management → Index Patterns
- Click Create index pattern

Configure Pattern:
- Index pattern name: phish-*
- This matches all indices: phish-us, phish-eu, phish-asia, phish-global
- Click Next step

Select Time Field:
- Time field: Select timestamp
- This enables time-based filtering and time-series visualizations
- Click Create index pattern

Verify:
- You should see all matching indices listed
- Verify field mappings are correct:
  - url (keyword)
  - risk_score (float)
  - region (keyword)
  - timestamp (date)
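The mapping check above can be automated against the output of GET phish-*/_mapping; the following is an added example, not code from this guide or the PhishNChips project, and its sample mapping is constructed. It accepts a text field with a .keyword sub-field where the visualizations below aggregate on region.keyword and url.keyword, and it flags a risk_score mapped as text, since the dashboard's risk_score >= 0.7 filters would then compare strings rather than numbers.

```python
# Added example (not from the PhishNChips guide); the sample mapping below is constructed.
EXPECTED = {  # field -> acceptable mapping types, from the index-pattern step
    "url": ("keyword",),
    "risk_score": ("float", "double", "half_float", "scaled_float"),
    "region": ("keyword",),
    "timestamp": ("date",),
}
def keyword_capable(props):
    """keyword field, or text field with a .keyword sub-field (aggregatable as field.keyword)."""
    sub = props.get("fields", {}).get("keyword", {})
    return props.get("type") == "keyword" or (props.get("type") == "text" and sub.get("type") == "keyword")

def check_mapping(mapping_response):
    """Return {index: [problem, ...]}; an empty list means the index fits the phish-* pattern.
    A text-mapped risk_score is flagged because risk_score >= 0.7 filters would compare strings."""
    report = {}
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        issues = []
        for field, allowed in EXPECTED.items():
            if field not in props:
                issues.append(f"missing field {field}")
                continue
            ftype = props[field].get("type")
            if "keyword" in allowed:
                if not keyword_capable(props[field]):
                    issues.append(f"{field} is {ftype}; terms aggregations need keyword or text+.keyword")
            elif ftype not in allowed:
                issues.append(f"{field} is {ftype}, expected one of {allowed}")
        report[index] = issues
    return report

# Constructed sample: phish-us is healthy (text region with .keyword sub-field); phish-eu is broken.
SAMPLE_MAPPING = {
    "phish-us": {"mappings": {"properties": {
        "url": {"type": "keyword"},
        "risk_score": {"type": "float"},
        "region": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "timestamp": {"type": "date"},
    }}},
    "phish-eu": {"mappings": {"properties": {
        "url": {"type": "text"},         # no .keyword sub-field, so url.keyword does not exist
        "risk_score": {"type": "text"},  # numeric range filters would compare strings
        "timestamp": {"type": "date"},   # region is missing entirely
    }}},
}
if __name__ == "__main__":
    for index, issues in check_mapping(SAMPLE_MAPPING).items():
        print(index, "OK" if not issues else "; ".join(issues))
```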

Creating Visualizations

Risk Score Distribution
Purpose: Show distribution of risk scores across all reports

Create Visualization:
- Go to Analytics → Visualize Library
- Click Create visualization
- Select Vertical Bar chart

Configure:
- Data source: Select phish-* index pattern
- Y-axis:
  - Aggregation: Count
  - Custom label: "Number of Reports"
- X-axis:
  - Aggregation: Histogram
  - Field: risk_score
  - Interval: 0.1 (buckets of 0.1)
  - Custom label: "Risk Score"

Save:
- Click Save (top right)
- Name: "Risk Score Distribution"

Regional Distribution
Purpose: Show distribution of reports by region

Create Visualization:
- Create visualization → Pie chart

Configure:
- Data source: phish-*
- Slice by:
  - Aggregation: Terms
  - Field: region.keyword
  - Size: 10
  - Custom label: "Region"

Save:
- Name: "Regional Distribution"

High-Risk URLs Over Time
Purpose: Track high-risk URLs (risk_score >= 0.7) over time

Create Visualization:
- Create visualization → Line chart

Configure:
- Data source: phish-*
- Y-axis:
  - Aggregation: Count
  - Custom label: "High-Risk Reports"
- X-axis:
  - Aggregation: Date Histogram
  - Field: timestamp
  - Interval: Auto (or 1 minute for real-time)
  - Custom label: "Time"
- Filters (click Add filter):
  - Field: risk_score
  - Operator: is greater than or equal
  - Value: 0.7

Save:
- Name: "High-Risk URLs Over Time"

Top High-Risk URLs
Purpose: List URLs with highest risk scores

Create Visualization:
- Create visualization → Data Table

Configure:
- Data source: phish-*
- Metrics:
  - Aggregation: Count
- Buckets:
  - Split rows:
    - Aggregation: Terms
    - Field: url.keyword
    - Size: 20
    - Order: Top
    - Order by: Count (descending)
- Filters:
  - Field: risk_score
  - Operator: is greater than or equal
  - Value: 0.8

Save:
- Name: "Top High-Risk URLs"

Reports by Region Over Time
Purpose: Compare report volumes across regions over time

Create Visualization:
- Create visualization → Area chart

Configure:
- Data source: phish-*
- Y-axis:
  - Aggregation: Count
  - Custom label: "Reports"
- X-axis:
  - Aggregation: Date Histogram
  - Field: timestamp
  - Interval: Auto
- Split series:
  - Sub aggregation: Terms
  - Field: region.keyword
  - Size: 10

Save:
- Name: "Reports by Region Over Time"

Average Risk Score by Region
Purpose: Show average risk score per region

Create Visualization:
- Create visualization → Metric

Configure:
- Data source: phish-*
- Metric:
  - Aggregation: Average
  - Field: risk_score
  - Custom label: "Average Risk Score"
- Group by:
  - Aggregation: Terms
  - Field: region.keyword
  - Size: 10

Save:
- Name: "Average Risk Score by Region"

Risk Score Heatmap by Region
Purpose: Visualize risk score distribution by region and time

Create Visualization:
- Create visualization → Heat Map

Configure:
- Data source: phish-*
- Value:
  - Aggregation: Average
  - Field: risk_score
- X-axis:
  - Aggregation: Date Histogram
  - Field: timestamp
  - Interval: Auto
- Y-axis:
  - Aggregation: Terms
  - Field: region.keyword

Save:
- Name: "Risk Score Heatmap by Region"
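To cross-check what the "Top High-Risk URLs" data table shows, it helps to have the equivalent Elasticsearch search body and a local re-computation of the same aggregation. The block below is an added example, not code from this guide or the PhishNChips project; the field names and thresholds are the page's, the sample documents are constructed, and the optional region argument mirrors how a dashboard global filter such as region: US combines with the visualization's own filter.

```python
from collections import Counter

# Added example (not from the PhishNChips guide): the search body behind the "Top High-Risk URLs"
# data table, plus a local re-computation over constructed documents to cross-check the table.

def top_high_risk_urls_body(threshold=0.8, size=20, region=None):
    """Body for GET phish-*/_search: filter risk_score >= threshold (and optionally one region,
    as the dashboard's global filter would), then a terms bucket on url.keyword by count desc."""
    filters = [{"range": {"risk_score": {"gte": threshold}}}]
    if region is not None:  # a global filter such as region: US lands in the same bool.filter list
        filters.append({"term": {"region.keyword": region}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"top_urls": {"terms": {"field": "url.keyword", "size": size,
                                        "order": {"_count": "desc"}}}},
    }

def top_high_risk_urls_local(docs, threshold=0.8, size=20, region=None):
    """Same aggregation over in-memory documents: [(url, count), ...] by count descending.
    Documents without a risk_score are excluded, just as the range filter excludes them."""
    counts = Counter(d["url"] for d in docs
                     if "risk_score" in d and d["risk_score"] >= threshold
                     and (region is None or d.get("region") == region))
    # Ties are broken by url so the result is deterministic
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:size]

# Constructed sample reports (.invalid hosts, not real indicators); the last one lacks a score
SAMPLE_DOCS = [
    {"url": "http://login-portal.invalid/a", "risk_score": 0.95, "region": "US"},
    {"url": "http://login-portal.invalid/a", "risk_score": 0.85, "region": "EU"},
    {"url": "http://secure-update.invalid/b", "risk_score": 0.80, "region": "US"},
    {"url": "http://newsletter.invalid/c", "risk_score": 0.40, "region": "ASIA"},
    {"url": "http://secure-update.invalid/b", "region": "EU"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(top_high_risk_urls_body(), indent=2))  # paste into Kibana Dev Tools
    print(top_high_risk_urls_local(SAMPLE_DOCS))
```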

Building Dashboards

Navigate to Dashboards:
- Go to Analytics → Dashboards
- Click Create dashboard

Add Visualizations:
- Click Add → Add an existing visualization
- Select all visualizations created above:
  - Risk Score Distribution
  - Regional Distribution
  - High-Risk URLs Over Time
  - Top High-Risk URLs
  - Reports by Region Over Time
  - Average Risk Score by Region
  - Risk Score Heatmap by Region

Arrange Layout:
- Drag and drop visualizations to arrange
- Resize as needed
- Recommended layout:

┌─────────────────────┬─────────────────────┐
│ Risk Score Dist.    │ Regional Dist.      │
├─────────────────────┼─────────────────────┤
│ High-Risk Over Time │ Avg Risk by Region  │
├─────────────────────┴─────────────────────┤
│ Reports by Region Over Time               │
├───────────────────────────────────────────┤
│ Risk Score Heatmap                        │
├───────────────────────────────────────────┤
│ Top High-Risk URLs                        │
└───────────────────────────────────────────┘

Enable Auto-Refresh:
- Click the Time picker (top right)
- Click Auto-refresh toggle
- Select interval: 30 seconds (for real-time monitoring)
- Or 1 minute (for less frequent updates)

Set Time Range:
- Quick: Select "Last 1 hour", "Last 24 hours", etc.
- Relative: Custom time range
- Absolute: Specific start/end times

Add Global Filters:
- Click Add filter (top of dashboard)
- Example filters:
  - risk_score >= 0.7 (high-risk only)
  - region: US (US region only)
  - timestamp >= now-1h (last hour)

Save Filters:
- Filters persist when dashboard is saved

Save:
- Click Save (top right)
- Name: "PhishNChips Live Metrics Dashboard"
- Description: "Real-time phishing threat intelligence dashboard"

Share:
- Click Share → Permalink (for sharing URL)
- Or Embed (for embedding in other pages)

Real-time Metrics to Track

Reports per minute:
Visualization: Line chart showing reports per minute
- Metric: Count of documents
- Time interval: 1 minute
- Filter: None (all reports)

Kibana Query:
```json
{
  "size": 0,
  "aggs": {
    "reports_per_minute": {
      "date_histogram": {
        "field": "timestamp",
        "calendar_interval": "1m"
      }
    }
  }
}
```

Risk score trend:
Visualization: Line chart with multiple series
- Series 1: Average risk_score (all reports)
- Series 2: Count of high-risk (risk_score >= 0.7)
- Series 3: Count of critical-risk (risk_score >= 0.9)

Per-region metrics:
Visualization: Metric cards
- US Region: Count, Avg Risk Score
- EU Region: Count, Avg Risk Score
- ASIA Region: Count, Avg Risk Score

Cluster health:
Note: Requires Elasticsearch monitoring indices
If available, create visualizations for:
- Cluster Status: Green/Yellow/Red
- Active Shards: Count over time
- Node Count: Number of nodes
- Indexing Rate: Documents/second

Query latency:
Visualization: Line chart
- Metric: Average query latency (if logged)
- Time interval: 1 minute
- Note: Requires custom logging/metrics

Auto-refresh Configuration

For Real-time Monitoring:
- Refresh interval: 30 seconds
- Time range: Last 1 hour
- Auto-apply: Enabled

For Historical Analysis:
- Refresh interval: 5 minutes (or disabled)
- Time range: Last 24 hours or custom
- Auto-apply: Enabled

In Dashboard:
- Click Time picker (top right)
- Toggle Auto-refresh ON
- Select interval (30s, 1m, 5m, etc.)

In Individual Visualizations:
- Some visualizations support auto-refresh independently
- Check visualization settings

Cloud vs Local Differences

Local (Docker):

Access:
- URL: http://localhost:5601
- No authentication
- Direct connection to local ES nodes

Configuration:
- Kibana connects to: http://elasticsearch-us:9200
- All services on same Docker network

Elastic Cloud:

Access:
- URL: Provided by Elastic Cloud (e.g., https://xxxxx.kb.us-east-1.aws.found.io:9243)
- Authentication required (username/password or API key)
- HTTPS connection

Configuration:
- Kibana pre-configured to connect to cloud ES
- Managed by Elastic Cloud
- May have additional features (ML, Security, etc.)

Differences:
- Authentication: Cloud requires login
- SSL/TLS: Cloud uses HTTPS
- Features: Cloud may have additional Kibana features enabled
- Performance: Cloud may have better performance (managed infrastructure)

Checklist:
- Kibana is running and accessible
- Index pattern phish-* created with timestamp as time field
- At least 3-5 visualizations created
- Dashboard created with all visualizations
- Auto-refresh enabled (30 seconds recommended)
- Time range set appropriately (Last 1 hour for real-time)
- Dashboard saved and named
- Data is flowing (check Discover tab)

Troubleshooting

If no data appears in visualizations:

Check Index Pattern:
- Verify phish-* pattern matches your indices
- Check if indices exist:
  curl http://localhost:9200/_cat/indices/phish-*

Check Time Range:
- Ensure time range includes data timestamps
- Try "Last 7 days" or "All time"

Check Field Mappings:
- Verify fields exist in index pattern
- Check field types (keyword vs text)

If the dashboard is not updating:

Check Auto-refresh:
- Ensure auto-refresh is enabled
- Try manual refresh (refresh button)

Check Time Range:
- Ensure time range includes recent data
- Check if data is being indexed

Check Filters:
- Remove filters temporarily to see all data
- Verify filter logic is correct

If the dashboard is slow:

Reduce Time Range:
- Use shorter time windows (Last 1 hour vs Last 7 days)
- Reduces data volume

Optimize Queries:
- Use filters instead of queries where possible
- Limit aggregation sizes

Check Cluster Health:
- Verify ES cluster is healthy
- Check for slow queries in ES logs

Custom Aggregations:
Example: Count of unique URLs per region
```json
{
  "size": 0,
  "aggs": {
    "by_region": {
      "terms": {
        "field": "region.keyword"
      },
      "aggs": {
        "unique_urls": {
          "cardinality": {
            "field": "url.keyword"
          }
        }
      }
    }
  }
}
```

Scripted Fields:

Create Scripted Field:
- Stack Management → Index Patterns → phish-*
- Scripted Fields → Add scripted field
- Example: Risk category based on risk_score

Use in Visualizations:
- Select scripted field in aggregations
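A worked version of the risk-category scripted field, as an added example rather than code from this guide or the PhishNChips project: the Painless script to paste into the scripted field (type set to string), with a Python mirror of the same thresholds used to check the categories against constructed documents. The 0.7 and 0.9 cut-offs are this guide's high-risk and critical-risk definitions; the category names and the risk_category field name are assumptions.

```python
# Added example (not from the PhishNChips guide): Painless script for a risk_category scripted
# field on phish-*, plus a Python mirror used to check the thresholds on constructed documents.
# Thresholds follow this guide's high-risk (>= 0.7) and critical-risk (>= 0.9) definitions;
# the category names are assumptions.
RISK_CATEGORY_SCRIPT = """\
if (doc['risk_score'].size() == 0) { return 'unknown'; }
double s = doc['risk_score'].value;
if (s >= 0.9) { return 'critical'; }
if (s >= 0.7) { return 'high'; }
return 'low';"""
# The size() check matters: reading .value on a document that lacks the field raises a script
# error in Elasticsearch 7+, which Kibana reports as shard failures on the visualization.

def risk_category(score):
    """Python mirror of RISK_CATEGORY_SCRIPT: same thresholds, same missing-value handling."""
    if score is None:
        return "unknown"
    if score >= 0.9:
        return "critical"
    if score >= 0.7:
        return "high"
    return "low"

def category_counts(docs):
    """Counts per category over in-memory docs, i.e. what a Terms aggregation on the
    scripted field returns for the same documents."""
    counts = {}
    for d in docs:
        cat = risk_category(d.get("risk_score"))
        counts[cat] = counts.get(cat, 0) + 1
    return counts

# Constructed sample reports, including boundary values and one document without a score
SAMPLE_DOCS = [
    {"url": "http://a.invalid", "risk_score": 0.9},
    {"url": "http://b.invalid", "risk_score": 0.7},
    {"url": "http://c.invalid", "risk_score": 0.69},
    {"url": "http://d.invalid", "risk_score": 0.95},
    {"url": "http://e.invalid"},
]

if __name__ == "__main__":
    print(RISK_CATEGORY_SCRIPT)
    print(category_counts(SAMPLE_DOCS))
```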
Document Version: 1.0
Last Updated: 2025-01-26
Author: PhishNChips Development Team