
Overview

SafeNetworking includes pre-configured Kibana dashboards and visualizations for analyzing threat intelligence, DNS events, IoT threats, and GTP/SCTP mobile carrier logs. These dashboards provide real-time visibility into malicious activity correlated with the Palo Alto Networks Threat Intelligence Cloud.
Kibana is part of the Elastic Stack and serves as the visualization layer for all logs processed by SafeNetworking.

Accessing Kibana

Default Configuration

Kibana is accessible via web browser on port 5601:
http://<safenetworking-ip>:5601
Replace <safenetworking-ip> with the IP address or hostname of your SafeNetworking installation. Unless you have enabled authentication in Kibana and Elasticsearch, anyone who can reach this port can read and modify everything SafeNetworking has indexed (the same applies to Elasticsearch on port 9200), so restrict both ports to analyst networks with a firewall or an authenticating reverse proxy.

First Time Setup

On first access, you may need to configure index patterns:

1. Access Kibana: navigate to http://<safenetworking-ip>:5601 in your browser.

2. Configure Index Patterns: if not already configured, create index patterns (with @timestamp as the time field) for:
  • threat-* - Threat logs from firewalls
  • traffic-* - Traffic logs (optional)
  • gtp-* - GTP mobile carrier logs
  • sctp-* - SCTP signaling logs
  • iot-* - External IoT threat logs
  • system-* - System logs

3. Import Dashboards: the pre-configured dashboards should be loaded automatically. If they are not, import them from:
/path/to/safenetworking/install/kibana/export.json
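Step 2 can be scripted so that a rebuilt or scaled-out installation ends up with the same index patterns every time. The following Python is an added example, not part of SafeNetworking: it creates whichever of the six patterns are missing through the Kibana saved objects API and leaves existing ones alone, so it is safe to run repeatedly. It assumes the Kibana 7.x saved objects API on an unauthenticated instance at http://localhost:5601 (both assumptions; adjust KIBANA_URL and add credentials for your deployment); the kbn-xsrf header is mandatory on Kibana write requests. The HTTP transport is a parameter, so the constructed FakeKibana class lets the logic run offline.

```python
"""Create SafeNetworking's Kibana index patterns idempotently (added example).
Assumes the Kibana 7.x saved objects API on an unauthenticated local instance."""
import json
import urllib.request

KIBANA_URL = "http://localhost:5601"  # assumed; use your <safenetworking-ip>
PATTERNS = ["threat-*", "traffic-*", "gtp-*", "sctp-*", "iot-*", "system-*"]
TIME_FIELD = "@timestamp"  # the time field present in every SafeNetworking document


def kibana_request(method, path, body=None):
    """HTTP helper; kbn-xsrf must be set or Kibana rejects every write."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        KIBANA_URL + path, data=data, method=method,
        headers={"Content-Type": "application/json", "kbn-xsrf": "true"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def existing_titles(request):
    """Titles of the index patterns already saved in Kibana."""
    found = request("GET", "/api/saved_objects/_find?type=index-pattern&per_page=1000")
    return {obj["attributes"]["title"] for obj in found.get("saved_objects", [])}


def ensure_index_patterns(request, titles=PATTERNS, time_field=TIME_FIELD):
    """Create each missing pattern once; returns (created, already_present)."""
    present = existing_titles(request)
    created = []
    for title in titles:
        if title in present:
            continue
        body = {"attributes": {"title": title, "timeFieldName": time_field}}
        request("POST", "/api/saved_objects/index-pattern", body)
        created.append(title)
    return created, sorted(present & set(titles))


class FakeKibana:
    """Offline stand-in for kibana_request holding constructed saved objects."""

    def __init__(self, titles):
        self.objects = [{"attributes": {"title": t, "timeFieldName": TIME_FIELD}}
                        for t in titles]

    def __call__(self, method, path, body=None):
        if method == "GET" and path.startswith("/api/saved_objects/_find"):
            return {"saved_objects": list(self.objects)}
        if method == "POST" and path == "/api/saved_objects/index-pattern":
            self.objects.append(body)
            return {"id": f"fake-{len(self.objects)}", "type": "index-pattern", **body}
        raise ValueError(f"unexpected request {method} {path}")


def demo_setup():
    """Run against a fake Kibana that already has threat-*; the second call is a no-op."""
    fake = FakeKibana(["threat-*"])
    first = ensure_index_patterns(fake)
    second = ensure_index_patterns(fake)
    return first, second


if __name__ == "__main__":
    # Against a real instance: ensure_index_patterns(kibana_request)
    (created, present), (again, _) = demo_setup()
    print("created:", created, "present:", present, "second run created:", again)
```

Against a real instance, call ensure_index_patterns(kibana_request); the check-then-create pattern is what makes the script safe in a provisioning loop, since the API would otherwise happily create a duplicate index pattern with the same title.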

Pre-configured Workspaces

SafeNetworking v4.0 includes separate workspaces for different threat categories:

DNS Threat Workspace

Visualizations for DNS-based threats, including sinkhole events and malicious domain queries

IoT Threat Workspace

IoT device threats correlated with HoneyPot DB information

GTP/SCTP Workspace

Mobile carrier GTP tunnel and SCTP signaling events with EventCode enrichment

System Logging Workspace

System-level logs and metrics from SafeNetworking infrastructure

Key Dashboards and Visualizations

DNS Threat Dashboard

The DNS Threat dashboard provides comprehensive visibility into DNS-based threats:
Key Metrics:
  • Total DNS threat events
  • Unique malicious domains
  • Top threat categories
  • Geographic distribution of threats
Visualizations:
  • Timeline of DNS threats by severity
  • Top 10 malicious domains
  • Threat distribution by category (dns, dns-cloud, dns-security)
  • Source IP geographic heatmap

IoT Threat Dashboard

New in v4.0: Full support for non-PAN-OS IoT threat events parsed through Logstash and tagged via HoneyPot DB.
Key Visualizations:
  • Top IoT malware families
  • Infected device IPs
  • Command and control (C2) destinations
  • Tag groups and classifications
  • Timeline of IoT events
Common Use Cases:
  • Identify compromised IoT devices on your network
  • Track IoT botnet activity
  • Correlate IoT threats with HoneyPot intelligence

GTP/SCTP Dashboard

New in v4.0: Full support for GTP and SCTP logs with EventCode enrichment.
Mobile Carrier Specific:
  • GTP tunnel events
  • SCTP association tracking
  • Event code breakdown
  • IMSI/IMEI tracking (with customer DB enrichment)
  • Geographic distribution of mobile events
GTP Event Codes: The dashboard includes enriched event code information:
{
  "GTP": {
    "GTPVersion": "v2",
    "Description": "Invalid GTP Version",
    "InformationElement": "Version",
    "MessageType": "Control",
    "EventCode": "144"
  }
}

System Logging Dashboard

Monitor SafeNetworking infrastructure health.
Metrics Tracked:
  • Logstash event processing rate
  • Elasticsearch indexing performance
  • Failed event logs
  • Storage utilization
  • Index shard health

Index Patterns

Available Indices

SafeNetworking uses dated indices for efficient data management:
Index Pattern | Description                              | Example
------------- | ---------------------------------------- | ---------------
threat-*      | Threat logs (THREAT type from firewalls) | threat-2026.03
traffic-*     | Traffic logs (TRAFFIC type, optional)    | traffic-2026.03
gtp-*         | GTP mobile carrier logs                  | gtp-2026.03
sctp-*        | SCTP signaling logs                      | sctp-2026.03
iot-*         | External IoT threat logs                 | iot-2026.03
system-*      | System configuration logs                | system-2026.03
config-*      | Firewall configuration changes           | config-2026.03
metric-*      | Performance metrics                      | metric-2026.03

Indices are created monthly (YYYY.MM format) to facilitate data curation and retention management.

Index Field Mappings

Key fields available for searching and visualization. Common PAN-OS log fields (present in threat-* and traffic-* documents):
{
  "@timestamp": "2026-03-04T10:30:00.000Z",
  "SourceIP": "192.168.1.50",
  "DestinationIP": "203.0.113.100",
  "Application": "ssl",
  "RuleName": "Internet-Access",
  "Action": "alert",
  "Severity": "high",
  "SourceZone": "trust",
  "DestinationZone": "untrust"
}
DNS threat enrichment fields (threat-* documents tagged SFN-DNS; SFN.processed: 0 marks a document still awaiting AutoFocus enrichment):
{
  "ThreatID": "DNS:C2/Generic-A(52020)",
  "ThreatCategory": "dns",
  "URL_Filename": "malicious.example.com",
  "Category": "command-and-control",
  "tags": ["PAN-OS_threat", "SFN-DNS", "SFN-CONTENT"],
  "SFN": {
    "domain_name": "malicious.example.com",
    "threat_name": "C2/Generic-A",
    "sig_num": "52020",
    "processed": 0
  }
}
GTP fields (gtp-* documents):
{
  "Type": "GTP",
  "EventCode": "100201",
  "MSISDN": "+1234567890",
  "IMSI": "310150123456789",
  "IMEI": "123456789012345",
  "APN": "internet",
  "RAT": "LTE",
  "GTP": {
    "GTPVersion": "v2",
    "Description": "Create Session Request",
    "MessageType": "Control",
    "EventCode": "100201"
  }
}
IoT fields (iot-* documents tagged SFN-IOT, with SFN.* enriched from the HoneyPot DB):
{
  "SourceIP": "10.0.50.25",
  "DestinationIP": "198.51.100.50",
  "tags": ["SFN-IOT"],
  "SFN": {
    "file_type": "PE32",
    "tag_name": "Mirai",
    "public_tag_name": "Mirai Botnet",
    "tag_description": "IoT botnet malware",
    "tag_group_name": "Botnet",
    "tag_class": "malware"
  }
}

Creating Custom Dashboards

Step 1: Create a Visualization

1. Navigate to Visualize: in Kibana, go to Visualize from the left sidebar.
2. Create New Visualization: click Create visualization and select a type:
  • Area/Line Chart: Time-series trends
  • Data Table: Detailed event listings
  • Pie Chart: Distribution breakdowns
  • Heat Map: Geographic or correlation maps
  • Metric: Single value counters
3. Select Index Pattern: choose the appropriate index pattern (e.g., threat-*).
4. Configure Metrics and Buckets:
  • Metrics: What to measure (count, sum, avg)
  • Buckets: How to group (date histogram, terms, filters)
5. Save Visualization: give it a descriptive name and save.

Example: Top Malicious Domains

The settings for this visualization, summarized as JSON (a description of the configuration, not an importable Kibana saved object). The Terms bucket must use the SFN.domain_name.keyword subfield: Terms aggregations cannot run on the analyzed text field without enabling fielddata.
{
  "visualization_type": "data_table",
  "index_pattern": "threat-*",
  "metrics": {
    "metric_1": {
      "type": "count"
    }
  },
  "buckets": {
    "bucket_1": {
      "type": "terms",
      "field": "SFN.domain_name.keyword",
      "size": 10,
      "order": "desc"
    }
  },
  "filters": [
    {
      "query": "tags:SFN-DNS"
    }
  ]
}

Step 2: Build a Dashboard

1. Navigate to Dashboard: go to Dashboard from the left sidebar.
2. Create New Dashboard: click Create new dashboard.
3. Add Visualizations: click Add and select saved visualizations, or create new ones.
4. Arrange Layout: drag and resize visualizations to organize your dashboard.
5. Add Filters: add dashboard-level filters for time range, severity, zones, etc.
6. Save Dashboard: give it a meaningful name and save.

Common Queries and Filters

Query Syntax

Kibana uses Kibana Query Language (KQL) or Lucene syntax, selected with the toggle in the query bar. The examples below are KQL; in Lucene syntax the boolean operators must be uppercase (AND, OR) and field existence is tested with _exists_:field rather than KQL's field:*. A query written in one syntax while the other is selected returns nothing or the wrong documents.
# All DNS threats
tags:"SFN-DNS"

# High severity threats
Severity:"high" or Severity:"critical"

# Specific source IP
SourceIP:"192.168.1.50"

# DNS Cloud events
tags:"SFN-CLOUD"

# Threats from untrust zone
SourceZone:"untrust"

# Specific malware family
SFN.threat_name:"Mirai"

Saved Searches

Create reusable searches for common queries:

Query: tags:SFN-DNS AND SFN.processed:0
Purpose: Find DNS threats awaiting AutoFocus enrichment
Index: threat-*

Query: tags:SFN-EDL
Purpose: Show threats detected via External Dynamic Lists
Index: threat-*

Query: tags:SFN-GTP AND Severity:critical
Purpose: Critical GTP tunnel events
Index: gtp-*

Query: tags:SFN-IOT AND _exists_:SFN.tag_name
Purpose: IoT events with identified malware tags (Lucene syntax; the KQL equivalent is tags:SFN-IOT and SFN.tag_name:*)
Index: iot-*

Query: Severity:(high OR critical) AND SourceZone:trust AND DestinationZone:untrust
Purpose: Internal (trust zone) hosts reaching malicious destinations in the untrust zone at high or critical severity
Index: threat-*

Filter by Time Range

Quick time range options:
  • Last 15 minutes: Real-time monitoring
  • Last 1 hour: Recent activity analysis
  • Last 24 hours: Daily threat overview
  • Last 7 days: Weekly trend analysis
  • Last 30 days: Monthly reporting
  • Custom: Specify exact date/time range
Use Auto-refresh for real-time dashboard updates (e.g., refresh every 30 seconds)

Advanced Features

Elasticsearch DSL Queries

For complex queries, use Elasticsearch Query DSL directly, for example from the Kibana Dev Tools console (or send the same body to port 9200 with curl). Use term queries on the keyword subfield for exact tag matching: a match query on the analyzed tags text field would split SFN-DNS into the tokens sfn and dns and also match every other SFN-* tag. Exact filters belong in the bool filter clause, where they are cached and do not affect scoring:
GET threat-*/_search
{
  "size": 20,
  "query": {
    "bool": {
      "filter": [
        { "term": { "tags.keyword": "SFN-DNS" }},
        { "term": { "SFN.processed": 0 }}
      ]
    }
  },
  "sort": [
    { "@timestamp": { "order": "desc" }}
  ]
}

Exporting Data

Export dashboard data for external analysis:
  1. CSV Export: From any data table visualization
  2. Screenshot: Use Kibana's reporting feature
  3. API Export: Use Elasticsearch API for bulk exports
A single search request returns at most index.max_result_window hits (10,000 by default), and raising size beyond that fails; for larger exports page through the results with the scroll API or search_after instead.
# Export 1000 threat events to JSON (unsorted; add a sort on @timestamp for the most recent)
curl -X GET "localhost:9200/threat-*/_search?size=1000&pretty" > threats.json

# Export with specific fields only
curl -X GET "localhost:9200/threat-*/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "_source": ["@timestamp", "SourceIP", "SFN.domain_name", "Severity"],
  "size": 1000,
  "sort": [{ "@timestamp": "desc" }]
}
' > threats_summary.json
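The curl commands above stop at size, which Elasticsearch caps at index.max_result_window (10,000) per request. The following Python is an added example, not SafeNetworking code: it runs the "awaiting enrichment" query from the Elasticsearch DSL section (exact term filters on tags.keyword and SFN.processed) and pages through every hit with the scroll API, clearing the scroll context when it finishes. It assumes an unauthenticated Elasticsearch at http://localhost:9200 (an assumption; change ES_URL and add credentials as needed). The HTTP transport is a parameter, so the FakeES class and SAMPLE_DOCS (constructed, not real data) let it run offline.

```python
"""Export every document matching a query from SafeNetworking's Elasticsearch,
paging with the scroll API so the export is not capped at index.max_result_window
(added example, not part of SafeNetworking)."""
import json
import urllib.request

ES_URL = "http://localhost:9200"  # assumed: local, unauthenticated, as in the curl examples


def es_request(method, path, body=None):
    """Minimal HTTP helper for the Elasticsearch REST API (stdlib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        ES_URL + path, data=data, method=method,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def pending_dns_query():
    """DNS threat documents not yet enriched (SFN.processed == 0).
    term on tags.keyword is an exact match; match on the analyzed tags field
    would split SFN-DNS into the tokens sfn and dns and hit every SFN-* tag."""
    return {"bool": {"filter": [
        {"term": {"tags.keyword": "SFN-DNS"}},
        {"term": {"SFN.processed": 0}},
    ]}}


def scroll_export(request, index, query, fields, page_size=1000, scroll="2m"):
    """Yield the _source of every hit; the scroll context is cleared on exit,
    including when the consumer stops early, so no contexts are leaked."""
    body = {"size": page_size, "query": query, "_source": fields, "sort": ["_doc"]}
    page = request("POST", f"/{index}/_search?scroll={scroll}", body)
    scroll_id = page.get("_scroll_id")
    try:
        while page["hits"]["hits"]:
            for hit in page["hits"]["hits"]:
                yield hit["_source"]
            page = request("POST", "/_search/scroll",
                           {"scroll": scroll, "scroll_id": scroll_id})
            scroll_id = page.get("_scroll_id", scroll_id)
    finally:
        if scroll_id:
            request("DELETE", "/_search/scroll", {"scroll_id": scroll_id})


def write_ndjson(path, docs):
    """One JSON object per line; returns the number of documents written."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for doc in docs:
            fh.write(json.dumps(doc) + "\n")
            n += 1
    return n


class FakeES:
    """Offline stand-in for es_request: serves pre-paged constructed hits."""

    def __init__(self, docs, page_size):
        self.pages = [docs[i:i + page_size] for i in range(0, len(docs), page_size)]
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "DELETE":
            return {"succeeded": True}
        hits = self.pages.pop(0) if self.pages else []
        return {"_scroll_id": "scroll-1",
                "hits": {"hits": [{"_source": d} for d in hits]}}


# Constructed sample documents (not real SafeNetworking data).
SAMPLE_DOCS = [
    {"@timestamp": f"2026-03-04T10:{i:02d}:00.000Z", "SourceIP": f"192.168.1.{i}",
     "SFN": {"domain_name": f"bad{i}.example.com", "processed": 0}}
    for i in range(5)
]


def demo_export():
    """Five documents in pages of two: three data pages, one empty page, one DELETE."""
    fake = FakeES(SAMPLE_DOCS, page_size=2)
    docs = list(scroll_export(fake, "threat-*", pending_dns_query(),
                              ["@timestamp", "SourceIP", "SFN.domain_name"], page_size=2))
    return docs, fake.calls


if __name__ == "__main__":
    # Real run (needs Elasticsearch at ES_URL):
    # write_ndjson("threats_pending.ndjson",
    #              scroll_export(es_request, "threat-*", pending_dns_query(),
    #                            ["@timestamp", "SourceIP", "SFN.domain_name", "Severity"]))
    docs, calls = demo_export()
    print(f"exported {len(docs)} documents in {len(calls) - 1} search requests")
```

Pass es_request instead of the fake for a real export. Sorting by _doc is the cheapest order for a full scan, and the scroll keep-alive is kept short (2m, renewed on every page) because each open context pins segment files until it is cleared or expires.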

Performance Optimization

SafeNetworking uses monthly indices to balance performance and manageability.
Benefits:
  • Faster searches on recent data
  • Easier data retention (delete old months)
  • Reduced shard count
Retention Strategy:
# Delete threat-* indices whose month (the YYYY.MM in the name) is more than 90 days old.
# The age filter needs a timestring so Curator can read the date out of the index name;
# run it again for the other prefixes (gtp-, sctp-, iot-, traffic-) or use a regex pattern filter.
curator_cli delete_indices --filter_list '
[
  {"filtertype":"pattern","kind":"prefix","value":"threat-"},
  {"filtertype":"age","source":"name","direction":"older","timestring":"%Y.%m","unit":"days","unit_count":90}
]'
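Where Curator is not installed, the same policy can be applied from a short script driven by the names returned by _cat/indices. The following Python is an added example, not SafeNetworking code: it parses the prefix-YYYY.MM naming scheme, skips anything that does not follow it (such as .kibana or a malformed month), keeps the month that contains the cutoff because it still holds in-window events, and deletes by explicit name rather than wildcard. Deletion is a dry run unless explicitly disabled. It assumes an unauthenticated Elasticsearch at http://localhost:9200 (an assumption); the index list and the fixed "today" used by the demo are constructed, not taken from a real cluster.

```python
"""Age-based retention for SafeNetworking's monthly indices (added example).
Same policy as the Curator command above, computed in Python from the names
returned by _cat/indices; deletion is a dry run unless explicitly disabled."""
import json
import re
import urllib.request
from datetime import date, timedelta

ES_URL = "http://localhost:9200"  # assumed: local, unauthenticated
PREFIXES = ("threat", "traffic", "gtp", "sctp", "iot")  # never .kibana or config-*
MONTHLY = re.compile(r"^(?P<prefix>[a-z]+)-(?P<year>\d{4})\.(?P<month>\d{2})$")


def parse_monthly_index(name):
    """(prefix, first day of month) for prefix-YYYY.MM names, else None."""
    m = MONTHLY.match(name)
    if not m:
        return None
    try:
        return m["prefix"], date(int(m["year"]), int(m["month"]), 1)
    except ValueError:  # e.g. month 13
        return None


def month_end(first_day):
    """Last calendar day of the month that starts on first_day."""
    in_next_month = first_day.replace(day=28) + timedelta(days=4)
    return in_next_month.replace(day=1) - timedelta(days=1)


def indices_to_delete(names, prefixes, older_than_days, today):
    """Indices whose entire month lies before today - older_than_days.
    The month containing the cutoff is kept: it still holds in-window events."""
    cutoff = today - timedelta(days=older_than_days)
    eligible = []
    for name in names:
        parsed = parse_monthly_index(name)
        if parsed and parsed[0] in prefixes and month_end(parsed[1]) < cutoff:
            eligible.append(name)
    return sorted(eligible)


def es_request(method, path):
    """Minimal HTTP helper for the Elasticsearch REST API (stdlib only)."""
    req = urllib.request.Request(ES_URL + path, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def apply_retention(request, prefixes=PREFIXES, older_than_days=90,
                    today=None, dry_run=True):
    """List (and, if dry_run is False, delete) expired indices one at a time;
    deleting by explicit name means a wildcard DELETE is never sent."""
    today = today or date.today()
    names = [row["index"] for row in request("GET", "/_cat/indices?format=json")]
    victims = indices_to_delete(names, prefixes, older_than_days, today)
    if not dry_run:
        for name in victims:
            request("DELETE", "/" + name)
    return victims


# Constructed index list (not from a real cluster); today is fixed for the demo.
SAMPLE_INDICES = ["threat-2025.11", "threat-2025.12", "threat-2026.01", "threat-2026.02",
                  "threat-2026.03", "gtp-2025.11", "traffic-2025.10", ".kibana_1",
                  "config-2025.01", "threat-2025.13"]
DEMO_TODAY = date(2026, 3, 4)


def demo_retention(older_than_days=90):
    """With today = 2026-03-04 the cutoff is 2025-12-04, so 2025.12 is kept."""
    return indices_to_delete(SAMPLE_INDICES, PREFIXES, older_than_days, DEMO_TODAY)


if __name__ == "__main__":
    print("would delete:", demo_retention())
    # Real cluster, dry run first:  apply_retention(es_request)
    # Then for real:                apply_retention(es_request, dry_run=False)
```

Run apply_retention(es_request) first and read the list; only then rerun with dry_run=False. Because the check is on the whole month, an index is removed roughly a month later than Curator's age filter would remove it, which errs on the side of keeping data.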
Best Practices:
  • Use narrow time ranges when possible
  • Filter early in the query pipeline
  • Use keyword fields for exact matches
  • Avoid wildcard prefixes (e.g., *domain.com)
Example - Optimized vs Slow:
# Slow: Wildcard prefix
SFN.domain_name:*example.com

# Fast: Wildcard suffix
SFN.domain_name:example.*

# Fast: Exact match on keyword field
SFN.domain_name.keyword:"example.com"
Tips for Faster Dashboards:
  • Limit visualizations per dashboard (max 10-15); each panel is a separate query
  • Use appropriate time ranges
  • Let the Elasticsearch request cache work for you: aggregation-only requests against indices that are no longer being written to (previous months) are cached automatically
  • Use sampler aggregations for large datasets
  • Schedule heavy dashboards as reports

Troubleshooting

Check Elasticsearch Status:
curl -X GET "localhost:9200/_cluster/health?pretty"
Verify Kibana Service:
sudo systemctl status kibana
Check Browser Console: Look for JavaScript errors (F12 developer tools)
Verify Index Pattern:
  • Go to Stack Management > Index Patterns
  • Ensure patterns match actual indices
  • Refresh field list if needed
Check Time Range: Expand the time range to ensure data exists
Verify Data in Elasticsearch:
curl -X GET "localhost:9200/_cat/indices?v"
curl -X GET "localhost:9200/threat-*/_count"
Check Shard Health:
curl -X GET "localhost:9200/_cat/shards?v&h=index,shard,prirep,state,docs,store&s=index"
Monitor Search Performance:
curl -X GET "localhost:9200/_nodes/stats/indices/search?pretty"
Optimize Indices (only indices that are no longer written to, such as a previous month's index; a force-merge is I/O intensive and an index that is still indexing will fragment again):
curl -X POST "localhost:9200/threat-2026.02/_forcemerge?max_num_segments=1"

Next Steps

Firewall Configuration

Configure your firewall to send logs to SafeNetworking

Data Model

Learn about Elasticsearch indexes and document schemas

Monitoring

Monitor SafeNetworking system health and metrics

Troubleshooting

Common issues and solutions
