Install the React version

S03D4-164 edited this page Apr 30, 2020 · 1 revision

SysmonSearch/sysmon_search_r

sysmon_search_r is the React version of the sysmon_search_plugin client-side JavaScript.

It can be added to an environment on which sysmon_search_plugin is already installed.

How to install

Copy sysmon_search_r to $KIBANA_HOME/plugins and delete the file(s) in $KIBANA_HOME/optimize (Kibana's cached front-end bundles, which are rebuilt on the next start):

$ cp -r sysmon_search_r/ $KIBANA_HOME/plugins/
$ rm -rf $KIBANA_HOME/optimize/*

Modify the configuration file accordingly:

# or simply copy the conf.js from sysmon_search_plugin if it has already been modified there
$ vim $KIBANA_HOME/plugins/sysmon_search_r/conf.js

Example (properties of the configuration object in conf.js; bracketed values are placeholders to replace):
//elasticsearch server URL
"elasticsearch_url": "[Elasticsearch server IP address]",
//elasticsearch server Port
"elasticsearch_port": "9200",
//monitor rule file path
"savepath": "[path to the script]/rule_files",
//stixioc import server URL
"import_server_url": "[stixioc-import-server IP address]",
//stixioc server port
"import_server_port": "56020",
//internal time (hour)
"refine_time_range": "1",
//maximum object number
"max_object_num": "30"

Install the necessary packages:

$ cd $KIBANA_HOME/plugins/sysmon_search_r
$ npm install

Restart Kibana.
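The steps above are easy to get half-done (plugin copied but conf.js still holding its bracketed placeholders, or $KIBANA_HOME pointing at the wrong tree), and Kibana only reports that at the next restart. The following POSIX shell script is an added example, not part of SysmonSearch, that wraps the same copy and cache-clearing steps behind two pre-flight checks: every key from the conf.js example above must be present, and no value may still be a "[...]" placeholder. It assumes conf.js uses exactly the key names shown above; the sample values written by write_sample_conf are constructed for the self-test and are not the project's defaults.

```shell
#!/bin/sh
# Added example (not SysmonSearch project code): pre-flight checks around the
# sysmon_search_r install steps. Assumes conf.js uses the key names from the
# wiki example and that unreplaced template values are written as "[...]".

REQUIRED_KEYS="elasticsearch_url elasticsearch_port savepath import_server_url import_server_port refine_time_range max_object_num"

# check_conf FILE -> 0 if every required key is present and no bracketed
# placeholder value remains; 1 on a content problem, 2 if unreadable.
check_conf() {
  conf="$1"; rc=0
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
  for key in $REQUIRED_KEYS; do
    grep -q "\"$key\"" "$conf" || { echo "missing key: $key" >&2; rc=1; }
  done
  # a value that still starts with "[" was never edited
  if grep -Eq '"[a-z_]+" *: *"\[' "$conf"; then
    echo "placeholder values still present in $conf:" >&2
    grep -E '"[a-z_]+" *: *"\[' "$conf" >&2
    rc=1
  fi
  return $rc
}

# install_plugin SRC KIBANA_HOME -> copies the plugin directory into
# KIBANA_HOME/plugins and clears the optimize cache, but only after conf.js
# passes check_conf. Kibana still has to be restarted afterwards.
install_plugin() {
  src="$1"; home="$2"
  [ -d "$src" ] || { echo "plugin directory $src not found" >&2; return 2; }
  [ -d "$home/plugins" ] || { echo "$home/plugins not found; is KIBANA_HOME correct?" >&2; return 2; }
  check_conf "$src/conf.js" || return 1
  cp -r "$src" "$home/plugins/" || return 1
  # the optimize directory is only a cache of built bundles; it is rebuilt on start
  if [ -d "$home/optimize" ]; then rm -rf "$home/optimize"/*; fi
  return 0
}

# write_sample_conf FILE ES_URL -> writes a constructed conf.js fragment with the
# wiki's key names (sample values only, used by the self-test below)
write_sample_conf() {
  cat > "$1" <<EOF
//elasticsearch server URL
"elasticsearch_url": "$2",
"elasticsearch_port": "9200",
"savepath": "/opt/sysmon_search/rule_files",
"import_server_url": "10.0.0.5",
"import_server_port": "56020",
"refine_time_range": "1",
"max_object_num": "30"
EOF
}

# Usage against a real tree:
#   install_plugin ./sysmon_search_r "$KIBANA_HOME" && echo "now restart Kibana"
```

check_conf is deliberately a text check rather than a JavaScript evaluation, so it can run on a host without Node.js installed and never executes the configuration file it inspects.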

Add Dashboard

The SysmonSearch dashboard is added by importing sysmon_search_r/dashboard-export.ndjson into Kibana.

How to add SysmonSearch dashboard

In Kibana, go to Management -> Saved Objects -> Import and select sysmon_search_r/dashboard-export.ndjson.

If the import is successful, a dashboard named SysmonSearch will appear under Dashboards in Kibana.

Open the dashboard, select the time period to display, and refresh the view.